
Law Technology Today

2025

Scams and Phishing Attacks Powered by AI

Debra L Bruce

Summary 

  • Train your lawyers and staff to be suspicious and cautious about a text, email or phone call asking them to buy gift cards, make payments, send money or wire transfers somewhere or to disclose any confidential client information. 
  • Phishing emails often create a sense of urgency, tempting you to act without thoroughly investigating. Look carefully at the sender’s email address and the domain name of the email address.

A February 10, 2025, article on the Forbes website reports that the FBI says bad actors are using “the most sophisticated ever AI-powered phishing attacks” and striking repeatedly. (Most Sophisticated Gmail Attacks Ever—FBI Says: Do Not Click Anything) Although all platforms are at risk, Gmail users are particularly targeted because of Gmail’s reach to both paid and free email addresses. In addition to the attraction of the high volume of Gmail users, compromising Gmail also compromises their Google account. That provides access to even more information, especially if you allow Google to save online passwords for you.

The Forbes article says that there has been a 49% increase in phishing attacks capable of evading email/texting filters since 2022. Don’t click on links in texts or emails unless you already know that the sender is a trusted person who is sending you something you expected. Be wary even if it appears to be predictable communication from what appears to be an otherwise trusted sender. Phishers often use brand names to lure you to click on a link and go to a fake website. AI capabilities make it all the easier for scammers to produce illegitimate websites that strongly resemble the website they purport to be. Go to that website in your usual way instead of using the link in a text or email.

What Makes an Email Suspicious?

Phishing emails often create a sense of urgency, tempting you to act without thoroughly investigating. Look carefully at the sender’s email address and the domain name of the email address. Are there any misspellings or awkwardly worded phrases? That’s a tipoff, but today the email you receive may have perfect spelling and grammar because scammers can use AI to help them with drafting.

Is the Top-Level Domain (“TLD”) a familiar one? (For example .com, .net, .law, or .gov.) Although “legacy” TLDs like .com and .net also appear in scams, some TLDs have been associated with a high frequency of phishing attempts. According to PhishLabs, some of the TLDs historically used most often by scammers have been .ml, .tk, .ga, .cf and .gq. (Top 10 TLDs Abused | PhishLabs).
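To make the checks in the two paragraphs above concrete, here is a short Python routine, added as an illustration and not part of the original article, that looks at an incoming “From:” header the way the article suggests a reader should: it pulls out the real sending domain, checks the TLD against the list PhishLabs cites, and compares the domain with the domains the firm already knows. The trusted domains and the sample headers are constructed for the example.

```python
"""Sender triage for an email "From:" header (added illustration, not the article's code).

The trusted domains and sample headers below are constructed for this example.
"""
import re
from email.utils import parseaddr

# TLDs the article cites (via PhishLabs) as historically abused by scammers.
HIGH_RISK_TLDS = {"ml", "tk", "ga", "cf", "gq"}

# Constructed for this example: domains the firm knows and deals with.
TRUSTED_DOMAINS = {"examplebank.com", "exampletitle.com", "lawfirm-example.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain after '@' in the real address, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away from a known domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str, trusted: set[str]) -> bool:
    """Exact match or a subdomain of a known domain (e.g. mail.examplebank.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def triage_sender(from_header: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the warning signs found in a From: header; an empty list means none."""
    warnings = []
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["sender address could not be parsed"]

    tld = domain.rsplit(".", 1)[-1]
    if tld in HIGH_RISK_TLDS:
        warnings.append(f"top-level domain .{tld} is on the high-abuse list")

    if is_trusted(domain, trusted):
        return warnings

    # Strip spaces and punctuation so "Example Bank" matches the brand "examplebank".
    name_key = re.sub(r"[^a-z0-9]", "", display_name.lower())
    label = domain.rsplit(".", 1)[0]
    for known in sorted(trusted):
        brand = re.sub(r"[^a-z0-9]", "", known.rsplit(".", 1)[0])
        if brand and brand in name_key:
            warnings.append(f"display name claims {known} but the address is at {domain}")
        if domain.startswith(known + "."):
            warnings.append(f"{known} is used as a subdomain of the unknown domain {domain}")
        elif label == known.rsplit(".", 1)[0]:
            warnings.append(f"{domain} uses the name of {known} under a different top-level domain")
        elif edit_distance(domain, known) <= 2:
            warnings.append(f"{domain} is a look-alike of trusted {known}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three suspicious.
    for header in [
        "Example Bank <alerts@examplebank.com>",
        "Example Bank Alerts <alerts@examp1ebank.com>",
        '"examplebank.com" <security@examplebank.com.evil.gq>',
        "Office Manager <boss@lawfirm-example.ml>",
    ]:
        print(header, "->", triage_sender(header) or "no red flags")
```

A routine like this is a prompt for a human decision, not a verdict: a message with no warnings can still be a scam, which is why the article’s advice to verify by phone still applies.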

Train your lawyers and staff to be suspicious and cautious about a text, email or phone call asking them to buy gift cards, make payments, send money or wire transfers somewhere or to disclose any confidential client information. Remember that you have an ethical duty to train and supervise subordinate lawyers and staff under Rules 5.1 and 5.3 of the ABA Model Rules of Professional Conduct (and Rules 5.01 and 5.03 of the Texas Disciplinary Rules of Professional Conduct) and to have systems to protect client confidentiality. Clarify to your co-workers and staff that you will never ask them by email or text to make payments, release funds, share confidential client information or take other such action.

If you yourself get a message requesting such action that you think could be legitimate, call the purported sender or another person of authority in your organization at the number you normally use to reach them and TALK to them before acting. In a case

If the request arrives by text or in a curt or unusually brief voicemail, call the person back on another number you already have for them, independent of the message you just received, if you can. That can help uncover a situation where someone has hacked their phone and used AI to spoof their voice. Many lawyers speak at bar association and community events and on podcasts, or post videos on YouTube, Instagram, Facebook, or the firm website. If their voice is on the internet, sophisticated scammers can harvest it and use AI to make it say whatever they want.

The Scam Threat to Your Law Firm Is Real

If you think your law firm is too small or obscure to be targeted, think again. Scammers find small businesses attractive because they tend to have fewer and less effective security measures in place, and law firms often hold a lot of information useful for identity theft. Check out the Texas Bar Blog for numerous examples of scams attempted or actually perpetrated on law firms. (Here is a link: Scams continue to target Texas attorneys | Texas Bar Blog, but you can also just search on that headline to access the posts.) Other state bar associations also track and publish reports of scams targeting lawyers. In addition, consider the following two stories, which I heard from the respective lawyers’ mouths, and a third reported by the Texas Bar Blog.

A lawyer recounted that she received a phone call from her daughter asking her to send money right away. It was clearly her daughter’s voice. Fortunately, when the conversation ended, the lawyer immediately telephoned her daughter and learned that the daughter had not called. It was a sophisticated scam attempt in which the scammer was not merely able to capture and mimic the daughter’s voice. Evidently, they also knew the relationship between those two people.

A lawyer in a firm of three attorneys told me recently that a staff member received an email appearing to be from him. It told her to go buy a bunch of gift cards to give out to clients. She actually went out and bought them with her own credit card. Then she got an email “from the boss” telling her what to do with the gift cards. Fortunately, when that second email came in, she realized he was in the office right down the hall. She became suspicious that he didn’t just tell her what to do. She went to ask him about it, which revealed the scam.

On December 9, 2022, the Texas Bar Blog reported on a scam carried out after a perpetrator was able to get into the law firm’s email system while an attorney was traveling. (The method was not disclosed, but perhaps it was due to using internet access in a hotel or airport.) The perpetrator emailed a paralegal from the attorney’s actual email address, masquerading as the attorney. The paralegal followed instructions in the email and sent a check to a P.O. Box. The attorney didn’t know about the emails because they were removed from his sent and deleted email folders after the paralegal received them.

Scams have also been reported in situations where a future transaction is a matter of public record, such as a real estate sale. Scammers break into, or closely imitate, a legitimate email account whose address they were able to obtain or guess, and use it to email the purchaser’s law firm with instructions on how to wire the funds to the title company or the seller. The firms are held responsible for the misdirected funds and face disciplinary action because they did not call the title company or seller directly to verify the wire transfer instructions. For examples, see the article in Law Practice Today by Dave Ries on December 16, 2014, Cybersecurity for Attorneys: Ethically Avoiding Fraud and Scams, and an Above the Law article by Staci Zaretsky on January 23, 2019, Biglaw Firm Duped Into Wiring Money To Scam Account Loses $2.5 Million In Cyber Breach - Above the Law.

Be Cautious About Clicking on Links

Perhaps your attorneys and staff are smart enough to use a virtual private network (VPN) when accessing the internet away from the office. Perhaps they would not buy gift cards or otherwise disburse funds based on an email message. There are still risks for you and your law firm. Clicking on a link in an email can result in downloading malware to your phone or computer. The email could look just like emails from your bank, a title company or some other company you do business with, or it might contain a funny video genuinely circulated by a friend.

Clicking on the link can give scammers access to a lot of valuable information, as well as expose your computer data to potential ransomware attacks. The aforementioned Forbes article further explains the risk. To read the article yourself, the title is “Most Sophisticated Gmail Attacks Ever—FBI Says: Do Not Click Anything.” The Forbes article is dated February 8, 2025, and was updated February 10, 2025. (If you nevertheless want the shortcut of a link, the article is located here: Most Sophisticated Gmail Attacks Ever—FBI Says: Do Not Click Anything.)

Strategies to Avoid Scams and Phishing

One strategy to help avoid falling victim to such scams (particularly those with voice spoofing), is to have a “safe word” established with your coworkers or family members. Insist that the caller (whose voice is otherwise familiar) must provide the safe word before you go any further in discussing a matter involving any financial, monetary or privacy issues or transactions.

Another protection method involves using law practice management software with a secure client portal. You can set up cases or matters in the program for “Firm Administration” and require that messages among coworkers involving financial or confidential information be sent via that program. Communication with clients via the client case portal will also provide more security from email hacking or other disclosure risks. The portal can only be accessed by persons with a login and password.

For websites that you log in to, especially those involving financial transactions or personal identity information, use two-factor authentication. Once your login and password have been entered, an authentication code will be transmitted to you via your chosen method. Ideally, that method will not be an email to you. It might be a text, an automated phone call, or a code from an authenticator app on your phone. You will be required to enter that code to proceed further on the website.

Before transferring funds, always contact the relevant parties and financial institutions independently and directly in person or by phone or video to verify the authorization to transfer, and the relevant account or wire transfer instructions received.

The Forbes article recommends using a password manager to autofill passwords online for you. A quality password manager should avoid inputting your credentials on a suspicious website. The Forbes article cautions that you should ensure your password manager is “configured to require URL matching before filling in sensitive details.” That protection can help in the event that you fail to notice that a URL provided contains a misspelling of the company name indicated or in the event the website has already been flagged as suspicious.
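The “URL matching” rule the Forbes article describes is simple enough to show in a few lines. The Python below is an added illustration, not the code of any real password manager: a toy vault that stores credentials against the exact host of the page where they were saved and refuses to fill them on any page whose host does not match exactly, or that is not served over HTTPS. The bank, account and URLs are constructed for the example.

```python
"""A password-manager autofill rule that requires the page URL to match the saved
entry before filling anything (added illustration; not any real product's code).

The site, account and URLs below are constructed for this example.
"""
from urllib.parse import urlsplit


class Vault:
    def __init__(self):
        self._entries = {}  # exact host name -> (username, password)

    def save(self, login_url: str, username: str, password: str) -> None:
        """Record credentials against the exact host of the page where they were created."""
        host = urlsplit(login_url).hostname
        if not host:
            raise ValueError("login URL has no host")
        self._entries[host.lower()] = (username, password)

    def autofill(self, page_url: str):
        """Return (credentials, reason). Credentials are None unless the page is
        served over HTTPS from exactly the saved host; nothing is ever filled on a
        near-miss, which is what protects a user who did not notice a misspelling."""
        parts = urlsplit(page_url)
        host = (parts.hostname or "").lower()  # hostname drops any user@ prefix and port
        if parts.scheme != "https":
            return None, f"refused: not HTTPS (scheme {parts.scheme!r})"
        creds = self._entries.get(host)
        if creds is None:
            return None, f"refused: page host {host!r} matches no saved entry"
        return creds, f"filled for {host}"


if __name__ == "__main__":
    vault = Vault()
    vault.save("https://login.examplebank.com/auth", "jsmith", "constructed-password")
    for url in [
        "https://login.examplebank.com/auth?session=1",        # genuine page
        "https://LOGIN.ExampleBank.com/auth",                  # same host, different case
        "https://login.examp1ebank.com/auth",                  # digit 1 for letter l
        "https://login.examplebank.com.evil-example.tk/auth",  # real name nested under another domain
        "https://login.examplebank.com@evil.example/auth",     # real name in the user part, host is evil.example
        "http://login.examplebank.com/auth",                   # right host, no HTTPS
    ]:
        creds, reason = vault.autofill(url)
        print(f"{url}\n    -> {reason}")
```

The fourth and fifth URLs are the cases a person reading an address bar is most likely to get wrong; the vault gets them right only because it does no fuzzy matching at all.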

As the sergeant used to say in the old 1980s TV police show Hill Street Blues, “Let’s be careful out there.”
