Social Engineering Aimed at Law Firms

“Amateurs hack systems, professionals hack people.” – Bruce Schneier

What is social engineering? 

Social engineering occurs when somebody acts like something that they’re not to get information from you so they can better themselves. We’ve heard a lot of stories that involve law firms and wire transfer fraud.

Common Social Engineering Schemes Aimed At Attorneys

There was a firm in North Carolina and they received a phone call, supposedly, from the bank saying, “We noticed some interesting activity on your account. I just want to verify we’re talking to the right person, what’s your username and password?” That firm gave the person on the phone their bank username and password. The bank said, “We’re gonna send you a code. We just want to make sure that you are who you are – let us know what the code is and then we’re going to talk about the issues with your account.” So instead, unbeknownst to the law firm, the people on the phone actually signed into their bank, initiated a wire transfer, and sent them the code needed for the wire transfer. So the law firm received the code and provided it to the people on the phone, they put it in, and then they went on to just have a fake conversation about what was wrong with their account. At the end, they said it just turned out to be an internal error and everything was fine. And 30 minutes later, the firm finds out that there was a wire transfer that they didn’t know about that they didn’t authorize. And in fact, it ended up being the person on the phone that allowed it all to happen.

This is a very common thing that we’ve been hearing more and more lately and it is a very common social engineering scheme aimed at attorneys.

Another one is, they’ll call you and appear like they are from a nonprofit, and they’ll try to, again, get some sort of wire transfer normally.

And then the final one that’s really, really common is they’ll send emails to you as your client. So it’s actually quite easy to appear to send an email as somebody else. It’s called email spoofing. An eight year old could do it, it’s so easy. They’ll send emails to you as your client, and they’ll say, “Hey, are you at the office? Can we send a wire out today? I’m busy, just go ahead and do it and email me when it’s done.” Anytime you get anything like that from your clients, you will need to put something in place where there’s some sort of two factor authentication. Something as simple as if they email you, you have to talk to them on the phone before proceeding. Having processes in place to combat social engineering is, again, part of that knowledge that needs to happen.

Social engineering is definitely an issue, and attorneys are one of the main people that they’ll go after because you have access to such important information.

Is This Really Happening?

I can tell you that, obviously, there have been claims, and whether they’re funds, transfer funds, transfers, or just hacks into the system to try to get information such as social security numbers, ein numbers, birth date health records of clients, it’s happening all the time, and it happens everywhere. The smaller law firms that don’t have a ton of money to spend on high priced security systems out there, they’re considered low hanging fruit or as I said, the easy targets for cyber criminals so be careful.

In the past five years, banks have spent about $90 billion on guarding against social engineering. They’re making it a lot harder to get into their information.

Is Anyone Phishing for Your Firm?

In 2022, cyber criminals have sent about 3.3 billion phishing messages and caused over 4000 data breaches. This exposed about 22 billion personal records. 

What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legit institution to lure individuals into providing sensitive info. And such as PII banking and credit card details and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

How do we fight phishing? 


Humans are the number one cause of phishing schemes to succeed. So knowledge is definitely going to be one of your big tools. Make your employees knowledgeable about phishing attacks, the common phishing attacks that are happening now and answer any questions that they might have about these different security issues.


Over 50% of the attacks were caused by humans, but that other 40 something percent was caused by issues in the system. So having safeguards in place, such as a really good spam filter, can help fight against phishing.

And what’s interesting is, Google actually has better safeguards in place than Microsoft Office. So organizations that use Office 365, are more than three times as likely to experience a business email compromise when compared to Google Gmail for business. 

One reason that’s probably true is because Microsoft only has access to their small amount of data that is Microsoft specific, whereas Google has access to 90% of the world’s data on the internet. So it would make sense that the Google spam filter and their email filters are much, much stronger, because they have access to so much more data.

Ways to spot phishing schemes

It contains an offer, that’s, that’s too good to be true

If you’ve ever received an email that said “click here to claim your $500 reward”, they want you to go to a website and put in your name and your bank account so they can deposit that $500 reward. 

Language that’s urgent, alarming or threatening

In one week, we had three different clients send an email that says the subject line is urgent, your site has been hacked. And the email goes on to say, deliver $3,000 in Bitcoin, or we will take your website offline, and put something else up in its place. So anytime you receive anything like that, that’s definitely a big key to spotting phishing. 

Poorly crafted writing with misspellings and bad grammar

Now, this next one, it’s not as prevalent anymore with AI becoming a lot more in tune. More of, you know, chat, GBT, stuff like that. You and I know that no financial institution and no attorney is going to send out anything that has bad grammar. So that’s definitely a way to spot a phishing email. 

Greetings that are ambiguous or very generic

You may receive an email that says hello gentleman, or welcome lady. Ignore these.

Requests to send personal information. 

This happens a lot with people pretending to be banks, or pretending to be PayPal. They’ll say, oh, there’s an issue with your account, click here to sign in and put in your financial information so we can verify it. Don’t do that. PayPal and banks have come out and said, we will never send you an email that’s like that, so that’s definitely an email to ignore. 

Urgency to click on unfamiliar hyperlinks or an attachment

A real website for a bank, credit card company, or other business won’t look or feel like it’s trying too hard. You won’t find important messages spread all over these sites. If you go to a site and it seems to have a lot of urgent messages that don’t seem to fit, you should check the URL to make sure you’re in the right place. Phishers use this kind of urgency to make it more likely that people will share sensitive information quickly and willingly.

Strange or erupt business requests

In this type of phishing attack, the victim is sent an email from an address they know, like the CEO, the Human Resources Manager, or the IT support department. The email tells the victim that they need to act quickly and transfer money, update information about their employees, or install a new app on their computer.

Fuzzy or low resolution images

A company will never send you an email where their logo looks bad. If their logo looks bad or fuzzy, whoever sent it didn’t have access to the high resolution version of it. So it’s not from them. 

The sending email address doesn’t match the company where it’s coming from

So if they say, Hi, this is PayPal, but the address says, those two don’t mesh. And so, you know it’s not from PayPal.

What does a phishing email look like?

As an example, we have this email where you can see this isn’t the actual PayPal logo, it’s a little bit different. It’s missing a few features. And then it says response required. Then you can see here it says The purpose of this email is they want you to click this login and put in your username and password, so they have your paypal username and password.

Common phishing schemes

Account deactivation

Compromised credit card

Funds Transfer

Social media requests

Google Docs fake login 

IT support request 

Social engineering

Questions about anything in this article?  Contact Stacey Ivol at 412-563-2106 or email her at