When the average person thinks of a victim of a scam, they usually envision an elderly person who fears the use of technology or a minor child still learning about the world around them. The average person does not picture themselves ever becoming the victim of a scam.
However, scams targeting attorneys, law firms, and client trust accounts are on the rise. The sophistication of these scams is continually growing and evolving. The best way for attorneys to protect themselves from falling victim to scams is by becoming familiar with the typical schemes and taking appropriate precautions and protections.
Attorneys must understand that scammers do not discriminate by age and that they understand their potential targets. There are a variety of schemes that can plague attorneys, but the most common is one where a proposed client contacts an attorney with a fabricated legal issue and offers to transfer an agreed-upon amount of money to secure representation. These fake clients most often reach out by email and identify themselves as a client who lives out of state or in a foreign country. Fake clients create elaborate schemes using false professional business websites, spoofed email addresses, and corroborating documents that turn out to be forged, and are prepared to sign a retainer agreement quickly.
One common scam is when a fake client informs the newly retained attorney that their matter has unexpectedly settled and they need the attorney’s bank routing information for their IOLTA. The check is deposited into the IOLTA, but once the check is deposited, the fake client claims an urgent situation has arisen and they are in dire need of the funds. The fake client provides the information to wire the funds to them. The scam is complete if the funds are wired before the attorney realizes that the check deposited into the IOLTA is counterfeit.
Within these schemes, there are several steps where attorneys should question whether the client is really a client at all. What follows are some of the more common scenarios used by scammers to target attorneys, their firms, and their staff, all of which should raise red flags.
Phishing is defined as “a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.”1
One example of phishing is when an attorney receives unsolicited email correspondence seeking legal representation, typically from a business or an individual located overseas. The fake prospective client claims to be owed a significant sum of money from a business located in the same city or state as the attorney.
The fake client then attempts to hack into the firm’s computer system to steal confidential information. This is usually accomplished by the fake client sending the attorney or firm a link within correspondence; once the link is clicked, the fake client can gain access to some, if not all, of the firm’s computer records.
Spoofing is defined as “faking the sending address of a transmission to gain illegal entry into a secure system.”2
A common spoofing technique is when a perpetrator imitates an attorney’s email address, changing only a letter or two, to make it seem like the attorney is contacting the client with details on how to wire money. The email may also contain a false invoice — complete with a copied letterhead and signature block from an original email — asking the client to make a payment. At a quick glance, the email would not make a client think twice, and the client may inadvertently send payment to the scammer.
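The "letter or two" difference described above can be checked automatically when a firm or client keeps a list of addresses it already trusts. The following is an added example, not part of the original article; the function names, the two-edit threshold, and every address in it are assumptions constructed for illustration.

```python
# Added example: flag sender addresses that nearly match a trusted contact.
# All addresses are constructed samples on the reserved ".example" domain.

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent characters each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def normalize(addr: str) -> str:
    """Drop a display name ('Jane Doe <jane@x.example>') and lower-case."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.strip().lower()

def check_sender(sender, known_addresses, max_distance=2):
    """Return ('known', addr), ('lookalike', addr) or ('unknown', None)."""
    s = normalize(sender)
    known = [normalize(k) for k in known_addresses]
    if s in known:
        return ("known", s)
    # Compare against the closest trusted address only.
    best = min(known, key=lambda k: edit_distance(s, k), default=None)
    if best is not None and edit_distance(s, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)

# Constructed list of addresses the recipient already trusts.
KNOWN = ["jane.doe@doelawfirm.example", "billing@doelawfirm.example"]

if __name__ == "__main__":
    for sender in ["Jane Doe <jane.doe@doelawfirm.example>",
                   "Jane Doe <jane.doe@doelawfrim.example>",  # 'ir' swapped
                   "jane.doe@doe1awfirm.example",             # 'l' -> '1'
                   "newclient@othermail.example"]:
        print(sender, "->", check_sender(sender, KNOWN))
```

A "lookalike" result is a prompt for the independent verification steps listed later in the article, not proof of fraud; an exact match likewise says nothing about whether the real account has been compromised.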
COUNTERFEIT TRUST ACCOUNT CHECKS
This scam involves a perpetrator getting information from a law firm’s trust account or obtaining a voided check from the law firm and then duplicating that check, making it indistinguishable from a real check. The perpetrator may make the counterfeit check payable to themselves or to an account the perpetrator controls in order to cash it. The perpetrator also may use the counterfeit check as payment to another firm, but the perpetrator then seeks a refund before the fake is discovered.
These are just some of the scams that attorneys have come across. Further scenarios may be found on a State Bar of Michigan web page called Scams Targeting Attorneys Reported in Michigan at www.michbar.org/generalinfo/scamalerts.
PROTECTING YOURSELF AND YOUR FIRM
While attorneys must be aware of these scams, they must also be familiar with methods of protecting their firms and their clients. Here are some common steps:
- Perform due diligence on potential clients, particularly those who correspond solely through email and are located out of state or overseas. This is also a good practice for potential clients the attorney has not met in person.
- Require documentation that adequately identifies the parties involved and the reason for the potential representation. Verify the documentation if possible.
- Get independent verification of the telephone number, address, and any other identifying details of the potential client and/or business.
- If the opposing party is a local business, contact the company to confirm the relationship with the potential client (i.e., debt).
- Take extreme caution regarding demands to deposit a check and quickly wire funds out of the same account. Perpetrators rely on an attorney’s or firm’s good standing with their banks to provide immediate availability of funds.
- Be wary of large retainer fees or quickly received settlement checks and clients requiring immediate deposit and withdrawal of such funds.
- Do not click on links in emails that are not sent by a reliable source.
- Closely review email addresses and advise clients to do the same.
- Routinely and meticulously monitor activity on the firm’s trust account.
Attorneys who have been targeted in a scam are advised to file a report with their local law enforcement agency. If the scam involves checks and/or banking, it is further recommended that attorneys report the scam to their local U.S. Secret Service field office. Attorneys are also encouraged to share information regarding scams with the Michigan Cyber Command Center (MC3) for informational purposes; however, if the scam involves network intrusions, account compromises, and/or ransomware, it is recommended that attorneys file a formal complaint with MC3 via email at MC3@michigan.gov or by calling (877) MI-CYBER. Finally, attorneys who have been targets of a scam and are willing to share their stories with other attorneys for informative purposes can contact the State Bar of Michigan via email at email@example.com.