Email Scams and Your Law Office: 5 Tips to Protect Your Practice

Everyone gets them: poorly worded emails that purport to be from trusted brand names like PayPal or the Home Depot and then implore you to fix an account problem, claim a prize, or answer a survey. You may spot them right away…or maybe you’ve been fooled into giving up sensitive account information or downloading a virus via an attachment. It’s happened to the best of us.

Like medical offices and hospitals, law offices house sensitive data, and a security breach can affect your entire client roster and expose your practice to liability. In 2020, 29 percent of respondents to the ABA’s annual Legal Technology survey said they had suffered some type of data breach, and fully 33 percent of solo practitioners said they purchased cyber liability policies—up from just 19 percent in 2017.

What is a phishing email?

You may know how to spot those obvious scam emails, but how can you identify (and make sure your staff can identify) more sophisticated attempts to steal data and dollars? Emails and texts that attempt to trick you into divulging information are known as phishing attempts. These take many, many forms and range from the ridiculous—poorly designed emails using broken English—to the extremely sophisticated.

What if you received an email from a service provider or a trusted government agency, perhaps one your firm represents or regularly communicates with? These types of emails can be very convincing. The key is to stop before divulging sensitive information or downloading an attachment and confirm the authenticity of any request or attachment. (Never hit reply to confirm a sender’s identity; the sender’s email address could be spoofed).

Email scams to send money: real stories of legal firms fooled

Other types of scams are of the Nigerian prince variety in which someone convinces you to send them money. You may think such blatant cons could never fool you or your smart, capable staff, but, again, these scams can be surprisingly sophisticated and sometimes even target lawyers.

Take a scam that specifically targeted law firms in 2020. A potential client contacts a lawyer to file a suit. The client provides documentation, signs a retainer, and the suit settles quickly. The claimant asks the attorney to wire the settlement amount upon receipt of the settlement check, which the lawyer promptly deposits into the firm’s client trust account before wiring the funds. Of course, the deposited check never clears, and the firm has been swindled out of the money it wired to its “client.”

One such case involved a firm that waited to wire the settlement funds until confirming its bank had credited the check to the trust account; but, in fact, the bank’s system had reported the funds as available for withdrawal—not that the check had cleared. Of course, once the bank began to process the deposit, it discovered that the check was counterfeit and voided the deposit, leaving the firm responsible.

How to spot phishing and other email scams

You can (and should) protect your firm with cybersecurity software, but no software can protect you from social engineering. Avoid even the most clever ploys by  educating your firm’s lawyers and support staff to protect their privacy, your client’s privacy and your firm’s finances with just a few best practices.

1. Keep your software up to date: You know that update notification that you’ve been ignoring? Keep antivirus and firewall programs current and update your operating system, browsers and apps on your phone and computer as soon as you see a notification.
2. Educate yourself and your staff: You can find plenty of examples of phishing scams online, and the FTC maintains a useful primer on how to spot phishing. Stay informed and up to date or appoint a staff member to take on the responsibility of tracking the latest scams and informing the rest of the firm.
3. Use multi-factor authentication to protect your accounts: This extra security requires two or more credentials to log in to an account and makes it harder for scammers to log in —even if they do get their hands on your password.
4. Backup your data: Make sure your firm’s data is backed up to the cloud or a hard drive—not the office network.
5. Protect your accounts: Wait for checks to clear and be fully deposited before wiring funds, especially to new clients. Call your bank if there’s any question that funds have settled into your account as opposed to (theoretically) being available for withdrawal.

Over the years, cyber scams have become more sophisticated and varied. They have also gotten more specific, hitting medical, government and law offices with attacks customized to the disciplines of their targets. Protect your clients and your practice by improving your cybersecurity measures and educating your staff to double check email addresses and avoid phishing scams. And if you haven’t already, it may be time to consider investing in cyber liability insurance—just in case.