Scams Targeting Lawyers, How to Avoid Them and Related Ethical Considerations

By Sam Rabin*

Lawyers have become targets of a multitude of fraud schemes designed to separate lawyers and law firms from their money and confidential information. The best defense to avoid becoming a victim is to familiarize yourself with the typical schemes and institute precautions and protections.

Below are descriptions of some of the more prevalent schemes targeting lawyers and their staff:

Cloned or Counterfeit Trust Account Checks: Trust account checks can be cloned or counterfeited. In these schemes, the perpetrators obtain information from a law firm’s trust account checks and thereafter duplicate the check. The duplicate checks are indistinguishable from the “real” checks. In one scenario, a check is made payable to the fraudster or an account he controls to steal money from the account on which it is drawn. In another, the check is used as payment to another firm, after which the perpetrator seeks a refund of all or part of the check before the counterfeit check is discovered. The best protection against this scheme is to routinely and scrupulously monitor the activity on the firm’s trust account.

Phishing: Among the most common scams is one where the perpetrator tries to hack into the law firm’s computer system to steal confidential information. The entry into the firm’s computer system is accomplished by sending the lawyer or law firm employee a malicious link that, once clicked on, provides the perpetrator with access to all or part of the firm’s computer records. The increasing use of emails to perpetrate fraud has garnered the attention of the Federal Bureau of Investigation, which characterizes this type of fraud as “Business Email Compromise” (BEC). The best protection against this scheme is to avoid clicking on links in emails that are not sent by a reliable source.

False Wire Information: This scheme is dependent upon the fraudster gaining access to information about a pending transaction that involves the transmittal of funds via wire. Access can be obtained through the law firm’s email account, the wire sender’s or recipient’s account or, least likely, the bank’s account. In this scam, one party is sending a wire to the other, and the scammer intercepts the email with the wire information and changes the wire information. If successful, the wired funds are sent to an account controlled by the scammer. This scheme can be thwarted by personally confirming all wire information for both outgoing and incoming wires with the sender or recipient.

Spoofing an Email Address: Another variation on the wire fraud scam is spoofing. In this scenario, the fraudster spoofs the email address of the lawyer to make it look like the lawyer is sending an email to a client with wire details. The spoofed email often contains a false invoice to be paid. Typically, the fake email address is only off by a letter or two, but the other information within the email (the letterhead and signature block) is copied from the original. Clients quickly glancing at the email think that it originated from their lawyer, and inadvertently send payment to the scammer. Lawyers have also been targeted in spoofing schemes, which send lawyers or their staff emails from “familiar” vendors with altered wire information or post office boxes.

Ransomware: This involves the installation of malicious software or malware on a law firm’s computer server, which “locks” the files. Thereafter, demand is made for a ransom payment or fee to unlock the files. Once the malicious software or malware is successfully installed on the lawyer’s computer, the affected files cannot be accessed. This can wreak havoc on the firm’s operations. There are two solutions to this situation. The first is to pay the ransom, after which a code is provided to unlock the files. This solution requires trusting that the perpetrator will send the unlock code to retrieve the files. Since the ongoing nature of this scheme depends upon the files being unlocked after payment, perpetrators of this type of scheme typically provide an unlock code upon payment of the ransom. The second way to deal with ransomware attacks is to prevent them from occurring in the first place by avoiding opening phishing emails and keeping antivirus software up to date on all electronic devices that are connected to the law firm’s server.

A ransomware attack can trigger Florida’s Section 501.171, the Florida Information Protection Act (FIPA), and/or ABA Ethics Opinion 483, which require, among other things, client disclosure of the data breach.

The Fake Client: In this scheme, a person pretending to be a prospective client contacts the lawyer and “hires” him or her to handle a matter, typically a breach of contract matter. After the lawyer is retained, the client advises the lawyer that the matter was resolved and instructs the lawyer to receive the settlement proceeds, deduct his legal fee and send the balance to the client as quickly as possible as the client needs the funds. This scheme depends upon the lawyer sending the client’s share of the proceeds before the bank clears the check. Once the check is determined to be counterfeit by the bank upon which it is drawn and returned to the lawyer’s bank, the lawyer is responsible for the funds he remitted to the client.

Real Estate Transaction Fraud: Here, the fraudster pretends to engage in a real estate transaction. After hiring the targeted lawyer, the client sends a counterfeit certified check or bank draft as a deposit or full payment to be deposited in the lawyer’s trust account. Soon after, the client backs out of the transaction for any number of invented reasons. Thereafter, the client requests his funds be returned to him. If the lawyer refunds the client before the bank is notified that the certified check or bank draft is counterfeit, the lawyer could be held responsible for the refunded funds.

Employee Fraud: Sadly, some lawyers become victims from within their own firms. Lawyers, frequently in small firms, have a trusted employee handling all the bookkeeping and accounting functions with little or no oversight. If the employee embezzles funds from the trust account, the lawyer can face disciplinary action for having lax oversight over trust funds. A law firm should have an outside accountant or bookkeeper review all financial transactions on a monthly or quarterly basis. Bookkeepers should also be bonded or insured.

Lawyers can institute policies and procedures that minimize the risks associated with the aforementioned schemes. These measures include:

1. Periodically change email passwords and do not use simple passwords. Passwords should not be connected to the user. In other words, do not use addresses, dates of birth or names of family members as passwords. You should use passwords that contain a combination of letters, symbols, and numbers.

2. Never open links in emails from unknown senders without first confirming the link is safe. This can be easily accomplished by speaking with the sender of the email. If you cannot get in touch with the sender, that is a warning sign. You can also check the link by hovering the cursor over the link (without clicking on the link) and reviewing information about the link.

3. Do not include complete wire information in emails. Establish a protocol that requires telephone confirmation of the account number the wire is being sent to or received from.

4. If your bank does not require telephonic confirmation of outgoing wires, instruct them that you want that type of confirmation instituted for all outgoing wires.

5. When receiving checks, do not disburse funds related to the check until the check is “cleared” by your bank. This is different than your bank making the funds “available,” which does not necessarily mean that the funds have been cleared by the bank on which the funds are drawn.

6. Have financial transactions, both disbursements and receipts, reviewed by an outside accountant or bookkeeper on a periodic basis.

7. Back up files daily or weekly to a location that is not connected to your computer or server. This way, you can have a clean copy of your files in the event of a computer crash or ransomware attack.

In addition to financial and legal considerations, there are also ethical considerations and potential consequences for lawyers to consider when client files containing confidential information are compromised or trust funds stolen.

Florida Bar Ethics Opinion 06-1 – Encouraging the use of technology as it relates to file storage but reminding that “lawyers must take reasonable precautions to ensure confidentiality of client information.”

Other ethical opinions to consider are:

Florida Bar Ethics Opinion 10-2 – Imposing a duty upon lawyers who utilize devices with storage media to remain updated on changes in technology to identify “potential threats to maintaining confidentiality.” A lawyer must inquire whether the device can be accessed by unauthorized parties and familiarize himself or herself with the potential environments in which the device can expose confidential information, such as public copy centers and hotel business centers.

Florida Bar Ethics Opinion 12-3 – Citing to New York State Bar Ethics Opinion 842, which recommends that lawyers conduct due diligence into outside service providers who provide data storage. Appropriate due diligence includes “employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.”

Florida Bar v. Rousso, 117 So.3d 756 (Fla. 2013) – The Florida Supreme Court disbarred two attorneys for failing to monitor and manage their trust account. As a result of their inattention, the firm’s bookkeeper embezzled $4.38 million from their trust account. The Court noted “the ultimate responsibility for the trust account monies rests with Respondents. They are the lawyers.”

In the final analysis, while it may be impossible to fully protect trust funds and confidential information, measures can be taken to greatly minimize the possibility that the lawyer or his or her firm will be victimized by a determined fraudster.

*Sam Rabin is a founding member of Rabin & Lopez, P.A., a Miami-based criminal defense firm concentrating on the defense of criminal matters in federal and state court.

Neal R. Sonnett

White Collar Criminal Defense

1 year

Well done, Sam. Thanks!

Luis Fernandez

Attorney/Abogado

2 years

Thanks Sam, very informative
