14 Feb 2023
When Cyberscams Target Law Firms: The Intersection of Data Privacy and Attorney Professional Liability
By Kevin Hylton | LexisNexis Practical Guidance
Cybersecurity threats remain one of the top priorities for businesses around the world as criminals find new ways to access private data networks and exploit sensitive data. A December 2022 forecast by Statista predicted that worldwide cybercrime costs will triple in the next five years, from $8.44 trillion in 2022 to $23.84 trillion by 2027.
Moreover, the typical data breach is becoming more costly for companies that fall victim to cybercrime, with the average data breach cost rising from $3.86 million in 2020 to $4.35 million in 2022, according to a report from IBM. The same report notes that the stakes are highest for U.S. businesses, where the average data breach cost was twice the global average in 2022 ($9.44 million), the 12th consecutive year in which cybercrime has been costliest in the U.S.
Unfortunately, law firms — as custodians of highly valuable, confidential client data — are a prime target for cyberscams.
“A three-lawyer shop in suburban Philadelphia and the largest law firm in the world have both fallen victim to (cybercrime),” reported Yahoo! Finance. “Multimillion-dollar cybersecurity technology can do little to guard against it, and once the damage is done it’s all but irreversible.”
And while a number of Am Law 100 firms have been victimized by cyberscams in recent years, the threat may even be greater to solo practitioners or small law firms, whom many cybercriminals view as “the easiest pickings,” according to the Embroker blog.
“Cyberscam artists are really directing their attention on lawyers and accountants who handle their clients’ finances, and I’m seeing a lot of cases based on the loss of client funds from social engineering schemes,” said Rachel Aghassi, partner in the New York office of Furman, Kornfeld and Brennan, where she focuses on professional liability and legal malpractice defense. “In fact, there are quite a few types of scams targeting attorneys and most professional bar associations have sent out alerts to inform attorneys about these various threats.”
LegalTech News noted that the most common cybersecurity threat to law firms is “spear-phishing, a cyberscam in which a target is induced to reveal confidential information or transfer money by a hacker impersonating, via email, someone the target knows.”
A particularly nefarious spear-phishing cyberscam, according to Aghassi, involves a cybercriminal reviewing a law firm website to identify the names and email addresses of other lawyers throughout the firm. The scammer will then replicate a colleague’s email address and impersonate that individual by sending a simple email to another lawyer in the firm (e.g., “Are you in the office today?”), seeking to create a dialogue that will eventually lead to the revelation of confidential information or access to an internal network.
In more ominous cases, the impersonating email might contain a seemingly innocuous link that the recipient is asked to click in order to reply. As soon as the link is clicked, the data security perimeter is breached and the entire law firm is opened up to the scammer for any range of criminal purposes, including the placement of malware or ransomware that essentially takes the law firm and its clients hostage.
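As an added illustration, not taken from the article or from any firm it quotes, the check below flags the colleague-impersonation pattern described above on an inbound message: a display name that matches a staff member but comes from a different address, a look-alike sender domain, or a Reply-To that differs from From. The staff roster, the firm domain and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed staff roster; the domain and names are hypothetical placeholders.
FIRM_DOMAIN = "example-lawfirm.com"
STAFF = {"jane doe": "jane.doe@example-lawfirm.com",
         "john roe": "john.roe@example-lawfirm.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that look like the firm's."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_findings(raw_message: str) -> List[str]:
    """Return the reasons an inbound message resembles colleague impersonation.
    An exact copy of a colleague's address is not caught here; that case is
    handled by SPF/DKIM/DMARC alignment at the mail gateway."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    known = STAFF.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' is staff but address is {addr}")
    if domain != FIRM_DOMAIN and 0 < edit_distance(domain, FIRM_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings

# Constructed sample mimicking the "Are you in the office today?" opener;
# note the 'rn' in place of 'm' in the sender domain.
SAMPLE = """From: Jane Doe <jane.doe@example-lawfirrn.com>
Reply-To: jane.doe.lawfirm@mail.example
To: john.roe@example-lawfirm.com
Subject: Quick question

Are you in the office today?
"""

if __name__ == "__main__":
    for finding in impersonation_findings(SAMPLE):
        print("FLAG:", finding)
```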
Aghassi’s Practice Video for Lexis Practical Guidance, Cyber Scams Targeting Attorneys, is a helpful primer that explains the types of scams that cyber criminals use to target attorneys and how law firms can best avoid them.
“The fastest-growing type of cyberscam that I’m seeing law firms confront is a new type of wire fraud scam,” Aghassi said. “These take place around transactions in which a large amount of money is being exchanged. The scammers will use various techniques to infiltrate someone involved in the transaction — often it is an attorney representing one of the parties — and just lie low while they gather all sorts of specific details related to the closing of the transaction. Then they wait for just the right moment prior to closing, imitate the attorney who is central to the transaction, and instruct the individuals handling the funds to wire the proceeds to an account they have set up to fraudulently receive the money.”
Once the funds have been wired to the cyberscammer, it is often too late to recover them, as most criminals typically set up a series of transfers that eventually land the money in an off-shore bank account that cannot be traced. The legal recriminations and accusations from the parties involved in the transaction often ensue the next day.
“Most states have adopted the model rules of professional conduct and there are important ethical requirements contained in those rules with respect to how attorneys safeguard clients’ money,” Aghassi said. “It’s important for lawyers to understand how these rules come into play with cyberscams in order to be aware of their professional liabilities.”
Aghassi has successfully defended lawyers and law firms in high-exposure malpractice lawsuits in all phases of litigation — including trials and appeals — in state and federal courts. She recently produced an insightful Practice Video for Lexis Practical Guidance, Model Rules’ Impact on Attorney Liability for Cyber Scam Losses, which reviews these issues in more detail.
I had the privilege of interviewing Aghassi on the latest episode of our “Practical Guidance: Data Privacy Series” podcast, where we invite experts to provide insights on timely data privacy and security issues facing legal practitioners. Listen now or download the episode regarding some of the major cyberscams being targeted at law firms and the safeguards that firms should put in place to avoid liability for themselves and their clients.