
Law Practice Today

December 2024

Cybersecurity for Attorneys: Ethically Avoiding Fraud and Scams

David G Ries

Summary

  • Attorneys have ethical, common law, contractual, and regulatory duties to take competent and reasonable measures to protect client and third-party information and property.
  • Law firms and attorneys must recognize frauds and schemes and understand their duty to safeguard and address them through comprehensive cybersecurity programs.
  • Lawyers should use technology carefully, avoid distractions and multitasking, and remember to “Think Before You Connect, Click, or Act!”

Unfortunately, law firms are increasingly becoming victims of a variety of frauds and scams, ranging from old-fashioned embezzlement by insiders and fraudulent check schemes to newer spear-phishing emails and cyber frauds. These kinds of attacks are too often successful, leading to the compromise of confidential information and loss of money and property.

This is the sixth in a series of cybersecurity articles for the annual ethics editions of Law Practice Today, following “Cybersecurity for Attorneys: Employing Competent and Reasonable Safeguards” (December 2023), “Cybersecurity for Attorneys: Addressing the People Part of Security” (November 2022), “Cybersecurity for Attorneys: The Ethics of Securing Your Virtual Practice” (October 2021), “Cybersecurity for Attorneys: The Ethics of Incident Response” (November 2020), and “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties” (November 2019).

This article is adapted from materials prepared for an ABA Law Practice Division webinar, “On Guard! Preventing Fraud Against Law Firms” (March 2024) (available on demand, free for ABA members).

Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and property of clients and third parties, and they often have contractual and regulatory duties. It is critical for attorneys and law firms to recognize these kinds of frauds and schemes, understand their duty to safeguard, and address that duty through comprehensive cybersecurity programs. Those programs should include policies, procedures, technology, and training to protect against these threats.

Fraud Against Law Firms

As noted above, law firms are increasingly becoming victims of a variety of frauds and scams, ranging from old-fashioned fraudulent check schemes and embezzlement by insiders (now using current technology) to newer spearphishing emails (including fraudulent wire transfer instructions) and cyber frauds. They take a variety of forms, limited only by the creativity of cybercriminals and available technology. The first step to protecting against these kinds of scams is to understand that they occur and how they work. The attacks are now enhanced with artificial intelligence, resulting in more convincing fraudulent emails, texts, phone calls, and videos. The following are examples of frauds and scams against law firms.

Embezzlement by Insiders

Embezzlement is an old-fashioned crime in which insiders, sometimes collaborating with outsiders, use their trusted positions to steal money and cover up their thefts. It is facilitated by the use of electronic billing and payments and the manipulation of electronic records.

  • The office manager of a San Francisco law firm signed approximately 806 unauthorized checks with the senior partner’s signature and deposited them in the manager’s account, stealing approximately $1.1 million.
  • The chief financial officer of a New Jersey law firm was charged with misappropriating funds by paying himself unauthorized compensation between 2017 and 2022 totaling $1.1 million and having the law firm pay credit card expenses totaling $355,256, claiming they were business expenses when, in fact, they were personal expenses.
  • A paralegal in a North Carolina law firm, from 2015 to September 2021, executed at least 190 fraudulent and unauthorized bank wires totaling more than $2 million from the law firm’s client trust bank accounts to bank accounts controlled by the paralegal and used the embezzled funds to pay for personal items; make mortgage, car, and credit card payments; and fund an extravagant lifestyle.

Phishing Emails

Fraudulent phishing emails are a common attack vector today. It has been reported that over 90% of successful cyberattacks start with a phishing email.

Phishing is a form of social engineering that uses fraudulent (spoofed) emails for criminal purposes, like installing malware, stealing money, and obtaining information such as login credentials, bank account information, Social Security numbers, other personal information, and confidential business information. Phishing that is targeted at a particular individual or organization is called spearphishing. Attackers are now also using phone calls (voice phishing or vishing) and text messages (SMS phishing or smishing). They are also using deepfake voices, photos, videos, and videoconferencing. Attacks are becoming more sophisticated through the use of artificial intelligence.

The SANS Institute, a highly regarded cybersecurity education and certification organization, has published an informative three-part blog post that provides a good overview of the variants of phishing and how to defend against them: “A Tale of the Three *ishings: Part 1 — What Is Phishing?,” “A Tale of the Three *ishings: Part 02 — What Is Smishing?,” and “A Tale of the Three *ishings: Part 3 — What Is Vishing?”

Business email compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes. BEC is a scheme in which an attacker uses phishing email to impersonate an executive, business contact, or other person to get a transfer of funds, money, or sensitive information. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called email account compromise (EAC). The FBI’s Internet Crime Complaint Center (IC3) regularly publishes statistics on BEC and prevention tips.

A common form of BEC is fraudulent wire transfer instructions. Many attorneys and law firms have become victims. Here are examples:

  • A law firm employee received an email purportedly from a client, falsely instructing the employee to wire transfer funds owed by the firm to the client. The spoofed email appeared to be from the client and listed the account to which the funds were to be transferred. A law firm employee wired the funds to the fraudulent account.
  • A scammer provided fraudulent wire transfer instructions to an attorney and a paralegal, leading to the transfer of $240,000 for a client’s refinanced mortgage to the scammer’s account.
  • A fraudster intercepted emails regarding a stock sale, posed as the seller, and instructed the law firm to wire $3.1 million from the buyer to a fraudulent account. The law firm transferred the $3 million to the fraudulent account.

New “Client” Fake Check Scheme

New “client” fake check schemes are increasingly targeting law firms. A fake new “client” uses a fraudulent check to lure a law firm into transferring the proceeds before discovery of the fraud. In September 2024, IC3 issued a public service announcement warning law firms about this scheme. The following are examples:

  • A “client” sent an email to an attorney stating that he had retained the firm in an employment dispute. The “chief financial officer” of the “client’s employer” sent an email to the attorney that acknowledged the debt. The law firm received a check for $126,000, deposited the check, and sent $83,985 to the client’s account, retaining its fee. The check was fraudulent, and the law firm lost the proceeds.
  • A law firm was retained remotely by a “client” to recover a debt for a “Florida tool company,” made a demand and received a check for $199,550, deposited the check, kept its fee, and made a wire transfer of the balance to the “client” through a bank that turned out to be in Nigeria.
  • A law firm was retained remotely by a “client” to collect proceeds from the sale of equipment, drafted an agreement of sale and received a check for $337,044 for equipment and $3,000 for the law firm’s fee, deposited the checks, and made a wire transfer of the proceeds to the “client” through accounts in Cambodia and Hong Kong.

Duty to Safeguard

Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and to protect the property of clients and others, and they also often have contractual and regulatory duties in this area.

Ethics Rules

Several ethics rules in the ABA Model Rules have particular application to protection of client data and property, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2, and 5.3), and safeguarding property (Model Rule 1.15).

Model Rule 1.1: Competence requires attorneys to provide competent representation to a client. Comment 8 requires attorneys to keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.

Model Rule 1.6: Confidentiality of Information generally covers confidentiality, including “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Model Rule 1.4: Communications applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent” about the use of technology. It requires notice to a client of a material loss or compromise of information relating to the client.

Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of law firm staff and outsourced services, ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality and safeguarding property.

Model Rule 1.15: Safekeeping Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied this rule to electronic data held by attorneys.

Ethics Opinions

A number of ABA and state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. They generally require competent and reasonable safeguards.

There are three current ABA formal ethics opinions that address attorneys’ duty to safeguard information relating to clients when using technology: (1) ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017); (2) ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 2018); and (3) ABA Formal Opinion 498, “Virtual Practice” (March 2021).

Common Law and Contractual Duties

Along with the ethical duties, there are parallel common law duties defined by case law in the various states. These duties are defined in court opinions and in the Restatement (Third) of the Law Governing Lawyers. They include competence, communication, confidentiality, and safeguarding property. Breach of these duties can result in a malpractice action.

Increasingly, lawyers also have contractual duties to protect client data, particularly for clients in industries such as health care and financial services, which have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches. In addition, cybersecurity insurance policies may include required safeguards.

Regulatory Duties

Attorneys and law firms that have covered personal information about their employees, clients, clients’ employees, or customers; opposing parties and their employees; or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice to affected individuals and sometimes to regulators in the event of a data breach. IOLTA (Interest on Lawyers’ Trust Accounts) and other trust account requirements apply to property of clients and third parties.

In addition, court confidentiality orders sometimes include requirements for safeguarding covered information.

These general obligations are now well-established in the Model Rules, comments, and ABA and state court and ethics opinions.

Attorneys have three options for addressing these duties: (1) know the requirements, threats, and relevant safeguards; (2) learn them; or (3) get qualified assistance. For most attorneys, it will be a combination of the three. In the areas of technology and cybersecurity, it is particularly important that consultants have the requisite knowledge and experience.

It is important to note that the requirement for lawyers is reasonable security, not absolute security. For example, New Jersey Ethics Opinion 701, “Electronic Storage and Access of Client Files” (April 2006), states that “‘[r]easonable care,’ however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible ....” Recognizing this concept, the Ethics 20/20 amendments to the comment to Model Rule 1.6 provide that “[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

In the event of a data breach or loss of money or property, whether safeguards were reasonable may be judged, with 20/20 hindsight, by clients, disciplinary authorities, regulators, or courts.

Disciplinary Actions

Attorneys have faced disciplinary actions for loss of client funds due to fraudulent payment instructions by email. There have been at least four cases.

Pennsylvania

  • Office of Disciplinary Counsel v. Anne Marie Howells, No. 114 DB 2021 (2021) (the attorney sent a check for $68,803.54 for settlement funds by overnight mail to an unauthorized recipient in response to fraudulent email instructions, without adequate inquiry; violations of Rules 1.3: Diligence, 1.4: Communication, and 1.15: Safekeeping Property).

North Carolina

  • In re Jeremy C. King, No. 22G0098 (2023) (under the attorney’s supervision, staff initiated a wire transfer of a client’s payoff pursuant to fraudulent wiring instructions without verifying the wire instructions with the lender and failed to note numerous “red flags”; violations of Rules 1.15: Safekeeping Property and 5.3: Supervision).
  • In re Richard M. Morgan, No. 22G0281 (2023) (the attorney initiated multiple wires of a seller’s proceeds pursuant to fraudulent wiring instructions without verifying the wiring instructions with the sellers; violation of Rule 1.15: Safekeeping Property).
  • In re William H. Morgan, Jr., No. 22G0710 (2023) (the attorney and staff, under the attorney’s supervision, initiated a wire transfer of a client’s proceeds pursuant to fraudulent wiring instructions without verifying the wire instructions with the seller and failed to note numerous “red flags”; violations of Rules 1.15: Safekeeping Property and 5.3: Supervision).

A loss of client or third-party funds is not necessarily an ethics violation; the requirement is competent and reasonable efforts. In these cases, the disciplinary authority found failures to employ reasonable efforts.

Protecting Against Frauds and Scams

The first step to protecting against these kinds of frauds and scams is to understand that they occur and how they work. Then, implement policies, procedures, and technology to protect against them, including training. Finally, make sure that everyone pays careful attention, avoiding distractions and multitasking, and remembers to Think Before You Connect, Click, or Act!

To guard against embezzlement, set up accounts and controls, including separation of duties, with monitoring, reviews, and audits. Unfortunately, as the examples show, long-term, trusted employees can be a risk.

The Cybersecurity and Infrastructure Security Agency (CISA) suggests the following basic steps to protect against phishing:

  1. Recognize and report the common signs of phishing.
  2. Resist and report phishing.
  3. Delete the message.

To protect against fraudulent emails and BEC, the FBI’s IC3 recommends:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or personally identifying information (PII) of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your financial accounts on a regular basis for irregularities, such as missing deposits.
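Several of the IC3 recommendations above (confirming that sender and link domains really belong to the claimed business, and watching for misspelled domain names) can be partly automated in a mail-screening rule. The following is an added example, not from the article or from IC3: it screens a constructed message against a hypothetical allowlist of known counterparty domains and flags display-name mismatches, lookalike (misspelled or homoglyph) domains, and links where a known domain appears only as a subdomain of some other host.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed, hypothetical allowlist: domains the firm actually deals with.
KNOWN_DOMAINS = {"examplebank.com", "acme-title.com"}

# Character swaps commonly used in lookalike domains (illustrative subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

LINK_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def normalize(domain: str) -> str:
    """Lowercase, drop non-ASCII homoglyphs, and undo common confusable swaps."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()
    for swap, real in CONFUSABLES.items():
        d = d.replace(swap, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain this one imitates, or None if exact or unrelated."""
    d = domain.lower()
    if d in KNOWN_DOMAINS:
        return None
    nd = normalize(d)
    for known in KNOWN_DOMAINS:
        if nd == known or edit_distance(nd, known) <= 2:
            return known
    return None


def check_message(from_header: str, body: str) -> list:
    """Return a list of findings for one message (empty list means nothing flagged)."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name claims a known business but the address is elsewhere.
    for known in KNOWN_DOMAINS:
        label = known.split(".")[0].replace("-", " ")
        if label in display.lower() and sender_domain != known:
            findings.append(f"display name suggests {known}, sender is {sender_domain}")
    # 2. Sender domain is a misspelling or homoglyph of a known domain.
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append(f"sender domain {sender_domain} resembles {hit}")
    # 3. Links whose host imitates, or merely starts with, a known domain.
    for host in LINK_HOST_RE.findall(body):
        host = host.split("@")[-1].split(":")[0].lower()
        hit = lookalike_of(host)
        if hit:
            findings.append(f"link host {host} resembles {hit}")
        elif any(host.startswith(k + ".") for k in KNOWN_DOMAINS):
            findings.append(f"link host {host} uses a known domain as a subdomain")
    return findings
```

A flagged message is a prompt for the out-of-band verification IC3 recommends, not a verdict; an empty result does not prove the message is genuine.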

The FBI’s IC3 recommends these steps to protect against “client” fraudulent check schemes:

  • Be suspicious of requests or pressure to take action quickly. A number of potential victims were able to successfully identify the fraudulent check by adhering to policies that required a delay or hold on the funds until confirmation that the debtor’s check had indeed cleared into their client trust accounts.
  • Consider additional financial security procedures, such as two-step verification or telephone calls (subjects tend to prefer written correspondence), to verify transaction details and identity information prior to wiring funds.
  • Contact your financial institution immediately and request that they contact the financial institution where any wire transfer was sent to determine if it is able to be recalled or the funds frozen in the deposit account.

In all cases involving fraudulent electronic payments, in addition to immediately notifying the financial institution, immediately notify IC3’s Recovery Asset Team, which has had a 71% success rate in recovering fraudulent transfers to domestic banks when it has received prompt notice.

Due diligence on prospective new clients can also help to protect against these kinds of schemes.

For more information on protection against phishing, see the SANS blog posts discussed above and the federal multiagency guide, “Phishing Guidance: Stopping the Attack Cycle at Phase One.”

Constant Cybersecurity Awareness Is Critical

Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and property of clients and third parties, and they often have contractual and regulatory duties. It is critical for attorneys and law firms to recognize these kinds of frauds and schemes, understand their duty to safeguard, and address the duty through comprehensive cybersecurity programs.

Additional Information

The views and opinions expressed in this article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.
