With increasingly sophisticated analytical and generative digital technologies coming online, human intelligence and intuition remain as important as ever. Even with ChatGPT generating convincing prose and algorithms assisting with job candidate screening, the human capacity for critical thinking, empathy and discernment remains just that – human.
The concept of a “human firewall” dates back nearly 20 years but remains as relevant as ever in cybersecurity. Considering the number of readers (like the authors) with liberal arts degrees, let’s start with some Computer 101 lingo. Borrowed from the building-construction term for a fire-resistant barrier that stops fire from spreading through a structure, a computing firewall is essentially the barrier that sits between a private internal network and the public internet. Hardware and software firewalls are critically important when setting up your office network, but a third type of barrier is just as crucial to protecting law firm systems and assets. That’s where the “human firewall” comes in. In this article, we share information about social engineering scams that target attorneys to help build the knowledge you need to defend against such strategic attacks on your assets.
One of the most common cybercrimes targeting lawyers is not at all related to hacking or interfering with hardware or software. Rather, it comes in the form of social manipulation, or “social engineering.” The use of technology as a medium (emails, texts, social media messages, etc.) to trick, manipulate or defraud a victim is increasingly common in the legal sector, particularly in business and real estate transactional practice, but seen across practice areas. By being alert, aware and educated, attorneys and their staff can be “human firewalls” against these types of schemes. In the scenarios described below, our heroes saved their firms from falling victim to recent social engineering scams.
Ohio attorney John received an email from California attorney Janis, whom he has not met. Janis says she has a referral for John. As soon as John responds to Janis, he gets an email from prospective client George. George says, “Janis can’t respond; she’s out of the country, but she gave me your contact information,” and goes on to tell attorney John about a business deal he wants John to reduce to a contract. George’s email references real companies and even includes a signature block that looks legit.
This scenario is sophisticated, but let’s break down some red flags:
California attorney Janis is a real lawyer, and her actual physical address was included in the signature of her email. But Janis’ email address is different from the one shared on her public profiles.
Prospective client George discourages attorney John from contacting Janis, indicating she’s out of the country.
John independently searches the company and finds that George is not named anywhere on the company’s website, has no social media presence, and gave contact information that differs slightly from the company’s published details.
Here, hero John recognizes a scam is afoot and disengages with scammer George. (Bonus points to John for letting his malpractice carrier know, too!)
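As an added illustration (not from the original article or OBLIC), here is a Python triage helper that encodes the three red flags above for a firm’s intake mailbox; the attorney directory, addresses and sample message are constructed placeholders, and a flag means “verify by phone through a number you already have,” not “this is a scam.”

```python
import re

# Constructed directory of attorneys' publicly listed addresses (hypothetical).
KNOWN_ATTORNEYS = {"janis": "janis@example-law-ca.com"}

# Wording that steers the recipient away from verifying the referral directly.
DISCOURAGE_PATTERNS = [
    r"out of the country",
    r"can'?t (?:respond|reply|be reached)",
    r"(?:don'?t|no need to) (?:contact|call|email)",
]


def domain_of(address):
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def referral_red_flags(message, directory=KNOWN_ATTORNEYS):
    """Return red-flag labels for a prospective-client message (a dict).

    Keys: 'from', 'body', and optionally 'claimed_referrer',
    'referrer_address' and 'claimed_company_domain'.
    """
    flags = []
    referrer = (message.get("claimed_referrer") or "").lower()
    if referrer:
        listed = directory.get(referrer)
        sent_from = message.get("referrer_address") or ""
        if listed is None:
            flags.append("referrer_not_in_directory")
        elif domain_of(sent_from) != domain_of(listed):
            # Real name and signature block, but mail from a different domain
            flags.append("referrer_domain_mismatch")
    company = (message.get("claimed_company_domain") or "").lower()
    if company and domain_of(message["from"]) != company:
        flags.append("sender_domain_not_company")
    body = message.get("body", "").lower()
    if any(re.search(p, body) for p in DISCOURAGE_PATTERNS):
        flags.append("discourages_verification")
    return flags


# Constructed message modelled on the John/Janis/George scenario above.
GEORGE = {
    "from": "george.deals@webmail.example",
    "claimed_referrer": "Janis",
    "referrer_address": "janis.law@freemail.example",
    "claimed_company_domain": "acme-holdings.example",
    "body": "Janis can't respond, she's out of the country but gave me your info.",
}

if __name__ == "__main__":
    print(referral_red_flags(GEORGE))
```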
This second scenario was an even closer call.
Attorney Tina received an email from prospective client Ringo asking her to draft a commercial equipment lease for a deal that had already been negotiated. Tina responded and sent Ringo a representation agreement, which he signed and returned. Tina also requested a retainer deposit of $7,500. Ringo then sent a very authentic-looking check made out to Tina’s firm’s IOLTA for the $7,500 plus an added $74,193, which Ringo explained is the deposit expected for the lease contract. Tina had the check deposited into the firm’s trust account and then had a teleconference with Ringo who verbally affirmed the terms of the commercial lease. Ringo then emailed Tina daily asking to know when the check cleared and when Tina would send payment of $74,193 to the purported lessor. Tina soon learned from her bank that the check was flagged as fraudulent, thankfully before Tina sent payment from the firm’s IOLTA to the purported lessor.
Whew! Great job, Tina, and the bank, for detecting the fraud before it cost this firm!
1. Never issue payment to an intended recipient before the funds to be used for that payment have been fully negotiated by both financial institutions. “Fund availability” is NOT the same as a cleared deposit, and attorneys should not take it to mean that the financial instrument has been fully negotiated. Don’t rely on a bank teller to know the difference.
2. Be alert to trends in social engineering scams! In many of these scams, the “deal” is already struck and it’s up to the attorney to simply facilitate the payment. Because the deal is presented as done, counsel would never need to talk to opposing counsel, and the scam can be executed more quickly. Be wary of requests to collect on judgments, especially judgments from outside the practice’s licensed jurisdiction, or to facilitate money transfers without being involved in the rest of the matter.
3. If it’s too good to be true, it probably is. Most clients come from word of mouth, known referral sources or referrals by prior clients. Make sure to vet a prospective client independently.
While our two scenarios above ended without loss, Ohio ranks fifth nationally in cybercrime complaints according to the FBI’s 2023 Internet Crime Report, with over $197 million in cybercrime losses in 2023. By using critical thinking skills, staying aware of risks and remaining knowledgeable about best practices, attorneys can be a strong line of defense for their firm against social engineering scams.
For more on social engineering and cybercrime prevention, check out the Cybersecurity and Infrastructure Security Agency’s resources for small businesses and the National Institute of Standards and Technology’s Small Business Cybersecurity Corner.
Merisa Bowers joined the Ohio Bar Liability Insurance Company (OBLIC) as loss prevention counsel in early 2023 after 13 years in private practice. A born problem-solver, Merisa strives to support fellow attorneys through proactive policy development and risk management.
Gretchen Mote, director of loss prevention at OBLIC, is a seasoned professional conduct educator with over 30 years of experience. Gretchen regularly assists attorneys across Ohio on topics of legal ethics, malpractice avoidance and law practice management.