Unfortunately, law firms are increasingly becoming victims of a variety of frauds and scams, ranging from old-fashioned embezzlement by insiders and fraudulent check schemes to newer spearphishing emails and cyber frauds. These kinds of attacks are too often successful, leading to the compromise of confidential information and the loss of money and property.
This is the sixth in a series of cybersecurity articles for the annual ethics editions of Law Practice Today, following “Cybersecurity for Attorneys: Employing Competent and Reasonable Safeguards” (December 2023), “Cybersecurity for Attorneys: Addressing the People Part of Security” (November 2022), “Cybersecurity for Attorneys: The Ethics of Securing Your Virtual Practice” (October 2021), “Cybersecurity for Attorneys: The Ethics of Incident Response” (November 2020), and “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties” (November 2019).
This article is adapted from materials prepared for an ABA Law Practice Division webinar, “On Guard! Preventing Fraud Against Law Firms” (March 2024) (available on demand, free for ABA members).
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and property of clients and third parties, and they often have contractual and regulatory duties as well. It is critical for attorneys and law firms to recognize these kinds of frauds and schemes, understand their duty to safeguard, and address that duty through comprehensive cybersecurity programs. Those programs should include policies, procedures, technology, and training to protect against these threats.
Fraud Against Law Firms
As noted above, law firms are increasingly becoming victims of a variety of frauds and scams, ranging from old-fashioned fraudulent check schemes and embezzlement by insiders (now using current technology) to newer spearphishing emails (including fraudulent wire transfer instructions) and cyber frauds. They take a variety of forms, limited only by the creativity of cybercriminals and available technology. The first step to protecting against these kinds of scams is to understand that they occur and how they work. The attacks are now enhanced with artificial intelligence, resulting in more convincing fraudulent emails, texts, phone calls, and videos. The following are examples of frauds and scams against law firms.
Embezzlement by Insiders
Embezzlement is an old-fashioned crime in which insiders, sometimes collaborating with outsiders, use their trusted positions to steal money and cover up their thefts. It is facilitated by the use of electronic billing and payments and the manipulation of electronic records.
- The office manager of a San Francisco law firm signed approximately 806 unauthorized checks with the senior partner’s signature and deposited them in the manager’s account, stealing approximately $1.1 million.
- The chief financial officer of a New Jersey law firm was charged with misappropriating funds by paying himself unauthorized compensation between 2017 and 2022 totaling $1.1 million and having the law firm pay credit card expenses totaling $355,256, claiming they were business expenses when, in fact, they were personal expenses.
- A paralegal in a North Carolina law firm, from 2015 to September 2021, executed at least 190 fraudulent and unauthorized bank wires totaling more than $2 million from the law firm’s client trust bank accounts to bank accounts controlled by the paralegal and used the embezzled funds to pay for personal items; make mortgage, car, and credit card payments; and fund an extravagant lifestyle.
Phishing Emails
Fraudulent phishing emails are a common attack vector today. It has been reported that over 90% of successful cyberattacks start with a phishing email.
Phishing is a form of social engineering that uses fraudulent (spoofed) emails for criminal purposes, like installing malware, stealing money, and obtaining information such as login credentials, bank account information, Social Security numbers, other personal information, and confidential business information. Phishing that is targeted at a particular individual or organization is called spearphishing. Attackers are now also using phone calls (voice phishing or vishing) and text messages (SMS phishing or smishing). They are also using deepfake voices, photos, videos, and videoconferencing. Attacks are becoming more sophisticated through the use of artificial intelligence.
The SANS Institute, a highly regarded cybersecurity education and certification organization, has published an informative three-part blog post that provides a good overview of the variants of phishing and how to defend against them: “A Tale of the Three *ishings: Part 1 — What Is Phishing?,” “A Tale of the Three *ishings: Part 02 — What Is Smishing?,” and “A Tale of the Three *ishings: Part 3 — What Is Vishing?”
Business email compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes. BEC is a scheme in which an attacker uses phishing email to impersonate an executive, business contact, or other person in order to obtain a transfer of funds or sensitive information. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email sent from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called email account compromise (EAC). The FBI’s Internet Crime Complaint Center (IC3) regularly publishes statistics on BEC and prevention tips.
A common form of BEC is fraudulent wire transfer instructions. Many attorneys and law firms have become victims. Here are examples:
- A law firm employee received an email purportedly from a client, falsely instructing the employee to wire funds owed by the firm to the client. The spoofed email appeared to be from the client and listed the account to which the funds were to be transferred. The employee wired the funds to the fraudulent account.
- A scammer provided fraudulent wire transfer instructions to an attorney and a paralegal, leading to the transfer of $240,000 for a client’s refinanced mortgage to the scammer’s account.
- A fraudster intercepted emails regarding a stock sale, posed as the seller, and instructed the law firm to wire $3.1 million from the buyer to a fraudulent account. The law firm transferred the funds to the fraudulent account.
New “Client” Fake Check Scheme
New “client” fake check schemes are increasingly targeting law firms. A fake new “client” uses a fraudulent check to lure a law firm into transferring the proceeds before discovery of the fraud. In September 2024, IC3 issued a public service announcement warning law firms about this scheme. The following are examples:
- A “client” sent an email to an attorney stating that he had retained the firm in an employment dispute. The “chief financial officer” of the “client’s employer” sent an email to the attorney that acknowledged the debt. The law firm received a check for $126,000, deposited the check, and sent $83,985 to the client’s account, retaining its fee. The check was fraudulent, and the law firm lost the proceeds.
- A law firm was retained remotely by a “client” to recover a debt for a “Florida tool company,” made a demand and received a check for $199,550, deposited the check, kept its fee, and made a wire transfer of the balance to the “client” through a bank that turned out to be in Nigeria.
- A law firm was retained remotely by a “client” to collect proceeds from the sale of equipment, drafted an agreement of sale and received a check for $337,044 for equipment and $3,000 for the law firm’s fee, deposited the checks, and made a wire transfer of the proceeds to the “client” through accounts in Cambodia and Hong Kong.
Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and to protect the property of clients and others, and they also often have contractual and regulatory duties in this area.
Ethics Rules
Several ethics rules in the ABA Model Rules have particular application to protection of client data and property, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2, and 5.3), and safeguarding property (Model Rule 1.15).
Model Rule 1.1: Competence requires attorneys to provide competent representation to a client. Comment 8 requires attorneys to keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
Model Rule 1.6: Confidentiality of Information generally covers confidentiality, including “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Model Rule 1.4: Communications applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent” about the use of technology. It requires notice to a client of a material loss or compromise of information relating to the client.
Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of law firm staff and outsourced services, ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality and safeguarding property.
Model Rule 1.15: Safekeeping Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied this rule to electronic data held by attorneys.
Ethics Opinions
A number of ABA and state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. They generally require competent and reasonable safeguards.
There are three current ABA formal ethics opinions that address attorneys’ duty to safeguard information relating to clients when using technology: (1) ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017); (2) ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 2018); and (3) ABA Formal Opinion 498, “Virtual Practice” (March 2021).
Common Law and Contractual Duties
Along with the ethical duties, there are parallel common law duties defined by case law in the various states. These duties are defined in court opinions and in the Restatement (Third) of the Law Governing Lawyers. They include competence, communication, confidentiality, and safeguarding property. Breach of these duties can result in a malpractice action.
Increasingly, lawyers also have contractual duties to protect client data, particularly for clients in industries such as health care and financial services, which have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches. In addition, cybersecurity insurance policies may include required safeguards.