Digital communication has become a fundamental part of today’s legal profession. However, a recent email scam perpetrated under the guise of an Interest on Lawyer Trust Account (IOLTA) inquiry offered a sobering reminder of the importance of attorneys exercising caution when utilizing email.
An October 15 news release issued by the Maryland Legal Services Corporation (MLSC), the entity charged with overseeing (and predominantly funded by) IOLTA accounts in Maryland, reported that the District of Columbia Bar took note that on October 7 its email servers had flagged and blocked several messages alleging that the would-be recipients’ IOLTA accounts contained insufficient funds. A suspicious .zip file was also attached to each message, which bore the “signature” of a Dallas-based accounts payable representative.
Though such email scams are not uncommon in the greater cybersphere, MLSC Executive Director Susan M. Erlichman said this was the first she had seen that specifically targeted IOLTA. The matter first came to her attention by way of a national IOLTA email discussion group.
“As soon as we learned of this, we posted a notice on our website, and informed both the MSBA and Bar Counsel,” says Erlichman. (MSBA subsequently posted the notice on its own homepage, www.msba.org.)
Attorneys engaged in private practice in the state of Maryland are required to deposit all client trust funds into IOLTA accounts, the interest on which goes toward funding legal services for the state’s poor and indigent populations. Erlichman stresses that payees of checks drawn on IOLTA accounts would never request financial or other vital information from account holders or bar members via email.
Most regular email users are accustomed to seeing bogus messages requesting financial or other personal information – a practice known as “phishing” – in their inboxes or junk folders. Indeed, online fraud – but one component of what the U.S. Department of Justice terms “mass-marketing fraud,” which includes mail and telemarketing fraud – accounts for “tens of billions of dollars” in losses worldwide each year, according to the agency’s website (www.justice.gov).
While spam-filtering software prevents most of these messages from ever reaching their intended targets, the handful that do get through provide a growing challenge to end-users, says Lawrence Hicks, MSBA Director of Information Technology.
“The problem with [these messages] is that they’re getting more and more convincing,” says Hicks, who notes that his department blocks dozens of scam emails daily. “There was a time when they were so poorly spelled you could easily tell they weren’t real. Now, however, they use actual bank logos and links that make them look like they are coming from these institutions,” thus lending an air of legitimacy. Either way, the motives remain constant. “They’re either trying to get you to click on a link to get your account information or they’re trying to install some malware on your device or computer.”
A much more common legal-centric email scam involves an urgent plea for legal representation – a unique dilemma, Hicks notes, especially for attorneys who are always seeking new clients. “You see them where they ask you to take their case – you know, ‘I’m in trouble, I need legal representation.’”
Nevertheless, he says, fraudulent emails, which can originate from literally anyplace on Earth and target thousands if not millions of people, bear common telltale signs.
“Normally, the subject lines are not very descriptive,” says Hicks. “It might read ‘Copy of Check,’ or ‘There’s an Email for You,’ or ‘There’s a Fax for You’ – something like that.” Also, he cautions users to be suspicious of any attachments, particularly those bearing .zip or .exe extensions in the file name. And of course, beware of any messages originating from unknown sources.
Moreover, no established, reputable financial institution would ask customers to confirm vital account or personal information via email, adds Hicks. “First off, if it’s not from your bank, delete it,” he says. Alternatively, “if it’s something claiming to be from your bank, don’t click on the link in the email. Instead, go to your bank’s website, as you would normally do in the course of business, and log into your bank account to see if there’s an issue for real.”
Also, on certain email platforms, right-clicking on an image or link will reveal its true destination; if the address appears suspicious or inconsistent with the institution purportedly represented, he warns, don’t click on it.
As for preventive measures, Hicks stresses the importance of a spam-filtering service (MSBA’s administrative offices utilize McAfee). Users of free email services such as those provided by Google or Microsoft, he says, may choose to utilize subscription-based filtering programs offered by the respective service. Hicks also advocates frequently changing your password, especially when using a free email service, to reduce the risk of being hacked.
“Those accounts do not get locked out after a certain number of attempts at the password,” he notes; rather, hackers and bots are given unlimited opportunities in their attempts to access an unsuspecting user’s email account. Regularly changing your password (Hicks recommends every three months) effectively forces the potential hacker to “start over” at guessing your password.
Of course, there is one long-proven method for dealing with spam, he notes. “If you don’t know where it’s from, or it simply doesn’t look right to you,” says Hicks, “just delete it.”