Word of the Week: “Phishing” 🎣 in the Legal Profession - What Every Lawyer Needs to Know in 2025 🛡️
Lawyers battle phishing on a daily basis.
Phishing is one of the most persistent and dangerous cyber threats facing law firms today. Phishing is a form of computer and internet fraud in which criminals use fake emails, websites, or messages to trick recipients into revealing sensitive information such as passwords, bank details, or client data, or into sending money to an account the criminal controls. For lawyers and legal professionals, the stakes are especially high: law firms hold vast amounts of confidential client information and routinely move client funds, making them prime targets for cybercriminals. The American Bar Association (ABA) Model Rules of Professional Conduct, particularly Rule 1.6 (Confidentiality of Information) and Rule 1.1 (Competence), require lawyers to protect client data and maintain competence in technology relevant to their practice.
How Phishing Targets Law Firms
Phishing attacks against law firms have become more sophisticated in 2025. Criminals now use generative AI to craft emails that closely mimic real communications from clients, colleagues, or even senior partners. These messages often create a sense of urgency, pressuring recipients to act quickly—such as transferring funds, sharing login credentials, or downloading malicious attachments. Business Email Compromise (BEC) scams are particularly damaging, as attackers impersonate managing partners or clients to divert wire transfers or request sensitive documents.
Impersonation: The Hidden Dangers in Your Inbox
Attackers often spoof the sender by manipulating the display name and the email address, making a message appear to come from someone you trust. The display name (the name that appears in your inbox) can be set to anything, including the name or even the full email address of a familiar contact, while the actual address underneath belongs to the attacker. For example, a scammer might set the display name to “John Smith” or to the literal string “john.smith@lawfirm.com”, while the underlying address is “jjohn.smith@lawf1rm.com” (a doubled letter and a digit 1 in place of the letter l) or “john.smith@lawfirm.co” (a lookalike domain one character shorter). These changes are often just a single character off, designed to trick you into replying or clicking a malicious link. A related trick is a Reply-To header that points somewhere other than the From address, so that your reply quietly goes to the attacker even if the From address looked right.
Lawyers should always examine the full email address, not just the display name, before responding or acting on any request. On many smartphones and email clients, only the display name is shown by default, so you may need to click or tap to reveal the actual sender’s email address. Checking the address is necessary but not sufficient: a From address can be forged outright unless the firm’s mail system enforces sender authentication (SPF, DKIM and DMARC), so a correct-looking address is not proof of a genuine sender. If the message requests sensitive information, money transfers, or urgent action, verify the request through a separate communication channel, such as a phone call using a known number—not one provided in the suspicious email. This vigilance aligns with ABA Model Rule 1.1, which requires lawyers to maintain competence, including understanding risks associated with technology.
Recent Phishing Incidents Involving Lawyers
Phishing Email Threatens Law Firm Cybersecurity Defense
In a widely reported scam, secretaries and junior lawyers at several law firms received emails that appeared to come from senior partners. The emails requested the purchase of iTunes gift cards for an “urgent presentation.” Victims, unfamiliar with the scam, were tricked into sending the codes to the attackers, who then sold or used them at the victims’ expense.
In another case, scammers stole the identity of Western Australia’s Attorney-General, John Quigley, sending emails that claimed he was representing a deceased person with a large inheritance. The emails phished for personal information and requested payments for fake legal fees.
Large law firms have also suffered massive data breaches following phishing attacks. In 2024, Orrick, Herrington & Sutcliffe agreed to pay $8 million after cybercriminals accessed personal and health data of over 600,000 people. Similarly, Gunster Yoakley & Stewart settled for $8.5 million after a breach exposed sensitive information of nearly 10,000 individuals.
What Lawyers Should Watch For
Impersonation: Always check the sender’s full email address, not just the display name. Watch for addresses that are off by one or more characters.
Urgency and Pressure: Be cautious of emails that demand immediate action, especially those involving money or confidential data.
Suspicious Links or Attachments: Hover over links (or long-press on a phone) to check their true destination, which can differ from the text shown, and never open unexpected attachments.
Unusual Requests: Be wary of requests outside normal procedures, such as buying gift cards or changing payment instructions.
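The impersonation tricks described above (a display name that reads like a colleague’s address, a lookalike domain one character off, a Reply-To that diverts replies) and the link and urgency checks in the list above can be screened mechanically before a message reaches a busy inbox. The following script is an added example written for this page, not code from the original article or from any vendor. It assumes the firm’s real domain is `lawfirm.com` and uses two constructed sample messages; the thresholds and keyword list are illustrative choices, not a standard.

```python
"""Screen an email for the impersonation and link tricks described above.

Added example, not code from the original article. TRUSTED_DOMAINS and the
two sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"lawfirm.com"}  # assumed: the domains the firm really sends from

# Single-character substitutions typical of lookalike domains (1 for l, 0 for o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|wire|asap)\b", re.I)  # illustrative list


def normalize(domain: str) -> str:
    """Undo common homoglyph tricks so lawf1rm.com compares equal to lawfirm.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; lookalike domains are usually within one or two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not the firm's but closely imitates it."""
    d = domain.lower()
    if any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    n = normalize(d)
    return any(n == normalize(t) or normalize(t) in n or edit_distance(n, normalize(t)) <= 2
               for t in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str) -> list:
    """Links whose visible text names a different host than the real href target."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # plain words such as "click here" carry no host to compare
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            out.append((text, href))
    return out


def screen(raw: bytes) -> list:
    """Return (code, detail) findings for the warning signs present in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    # Display name written as an email address at a domain other than the real one.
    if "@" in sender.display_name and \
            sender.display_name.rpartition("@")[2].lower() != sender.domain.lower():
        findings.append(("display-name-address", f"{sender.display_name} vs {sender.addr_spec}"))
    if is_lookalike(sender.domain):
        findings.append(("lookalike-domain", sender.domain))
    if msg["Reply-To"]:  # replies silently routed to a different domain
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(("reply-to-mismatch", reply.addr_spec))
    if URGENCY.search(str(msg["Subject"] or "")):
        findings.append(("urgency-language", str(msg["Subject"])))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in link_mismatches(body.get_content()):
            findings.append(("link-mismatch", f"{text} -> {href}"))
    return findings


# Constructed sample: every trick from the text in one message.
SAMPLE = b"""From: "john.smith@lawfirm.com" <jjohn.smith@lawf1rm.com>
Reply-To: <settlements@lawfirm.co>
To: paralegal@lawfirm.com
Subject: URGENT - wire instructions updated
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the new instructions today:
<a href="https://lawfirm.co/wire">https://portal.lawfirm.com/wire</a></p></body></html>
"""

# Constructed sample: a genuine internal message that should produce no findings.
CLEAN = b"""From: "John Smith" <john.smith@lawfirm.com>
To: paralegal@lawfirm.com
Subject: Draft engagement letter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Draft for review:
<a href="https://portal.lawfirm.com/matters/42">https://portal.lawfirm.com/matters/42</a></p></body></html>
"""

if __name__ == "__main__":
    for code, detail in screen(SAMPLE):
        print(f"{code}: {detail}")
    print("clean message findings:", screen(CLEAN))
```

Run against the constructed SAMPLE it reports all five signs (display name that is an address elsewhere, lookalike sender domain, diverted Reply-To, urgency wording in the subject, and link text naming a different host than the href); CLEAN produces none. The edit-distance threshold of two and the homoglyph table are deliberately small so that unrelated domains are not flagged; a firm with many legitimate partner domains would extend TRUSTED_DOMAINS rather than loosen the threshold.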
Prevention and Best Practices
Employee Training: Regular cybersecurity awareness training is crucial. Staff should be able to recognize phishing attempts and know how to report them. This supports ABA Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance).
Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to access accounts even if credentials are compromised. Not all MFA is equal: one-time codes sent by SMS or app can themselves be phished through a fake login page that relays them in real time, whereas phishing-resistant methods such as hardware security keys or passkeys (FIDO2) are bound to the genuine site and cannot be replayed by a lookalike one.
Incident Response Plan: Every law firm should have a clear plan for responding to phishing incidents, including who to notify, how to preserve the original message and its headers for investigation, how to contain a compromised account (password reset, session revocation, review of mailbox forwarding rules), and the legal obligations for breach notification.
Client Education: Educate clients about phishing risks and encourage them to verify any unusual requests that appear to come from your firm.
Professional Responsibility and Phishing
Lawyers need to be proactive against cybersecurity threats in 2025!
The ABA Model Rules make clear that lawyers must take reasonable steps to prevent unauthorized access to client information (Rule 1.6(c)). Lawyers must also keep abreast of changes in technology and its associated risks (Rule 1.1, Comment 8). Failing to implement basic cybersecurity measures, such as phishing awareness and email verification, may expose lawyers to disciplinary action and civil liability.
Final Thoughts
Phishing is not just an IT problem—it’s a business risk that can compromise client trust, cause financial loss, and result in legal liability. By staying vigilant, investing in training, and adopting robust security measures, lawyers can protect themselves, their clients, and their reputations in an increasingly digital world. Compliance with the ABA Model Rules is not optional—it's essential for ethical and effective law practice.