CNA Blog — From the Experts
Published Wednesday, May 24, 2017

Attorneys: How to Protect Your Small Law Firm Against These New Phishing Scams

A growing number of email scams are targeting small law firms, due to attorneys' access to sensitive information and data. This type of phishing mimics an email from a reliable third party, such as a legal organization or disciplinary board — a far cry from yesterday's scams promising a once-in-a-lifetime opportunity with a Nigerian prince.

In the recent edition of PROfessional Counsel, CNA Risk Control Representative Matt Fitterer details two examples that illustrate the targeted nature of these new phishing attacks, and how firms can implement phishing awareness training for their employees to help them avoid becoming victims of these email security scams.

Bar Complaint Scam

In this example, an email appears from a presumed trusted source, such as the state bar or attorney general's office. It includes a call to action that must be completed quickly to avoid legal ramifications, such as to download an attachment regarding a disciplinary complaint. 

However, when these instructions are followed, malware is introduced into the firm's network. The malware may extract the firm's data or infect devices with ransomware, which encrypts the recipient's hard drive. If the ransom is not paid, that data remains encrypted and compromised.

This type of scam is becoming more and more common. Attorneys in Alabama, California, Florida, Georgia and Nevada have reported this activity. The scam capitalizes on attorneys' fears of receiving a bar complaint. Nevertheless, this fraudulent email offers some telltale clues that can warn the recipient, such as:

  • Lacking letterhead or formatting that typically accompany an "official" email
  • Misspellings
  • Vague descriptions of the rebuttal process
  • A sender's address that isn't quite right: For example, the name of the sender is the "Office of the State Attorney," but the sender's email address is

If attorneys or staff members at your firm receive a bar complaint email, they should avoid answering any call to action before confirming the email's authenticity. When confirming authenticity, be sure to use an independent phone number listed on the organization's website, rather than the number or the link provided in the suspect email.

HIPAA Audit Scam

Another phishing scam exploits attorneys who are unfamiliar with the most recent regulations and procedures surrounding the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, attorneys may be subject to HIPAA compliance in their roles as potential "business associates." An unknown number of emails styled as official letters from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) are being sent under the guise of OCR's HIPAA Privacy, Security and Breach Notification Audit Program.

This cyberattack asks the recipient to follow a link that appears to lead to a government website, but in actuality leads to a non-government website marketing cybersecurity services. This scam has seemingly little effect, but if attorneys fall for it today, they may fall for similar phishing tactics with far more serious consequences tomorrow.

While this HIPAA scam appears legitimate, it offers one fraudulent sign: the fake URL ends in ".us" instead of ".gov." If your firm receives an email from the OCR, contact the OCR directly for verification.
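As an added example (not from the article or CNA), the following Python checker applies the two telltale signs described in the bar complaint and HIPAA audit sections, an official-sounding display name whose address is on an unrelated domain, and a government-looking link that does not end in ".gov", to constructed sample messages; the sample addresses, domains and keyword lists are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages modelled on the two scams (not real emails).
BAR_COMPLAINT = """From: Office of the State Attorney <notices@mail-example.net>
Subject: Disciplinary complaint filed against you
Content-Type: text/plain

A complaint has been filed. Download the attached notice within 48 hours.
"""

HIPAA_AUDIT = """From: OCR Audit Program <audit@hhs.gov>
Subject: HIPAA Privacy, Security and Breach Notification Audit
Content-Type: text/plain

Review the audit notice at http://hhs-ocr-audit.us/notice and respond promptly.
"""

LEGIT = """From: State Bar <clerk@examplebar.gov>
Subject: Annual dues reminder
Content-Type: text/plain

Your dues statement is available at https://examplebar.gov/dues
"""

# Assumed keyword lists: words that make a name or host look "official".
OFFICIAL_WORDS = ("attorney", "bar", "court", "ocr", "hhs", "office")
GOV_HOST_WORDS = ("hhs", "ocr", "gov", "bar")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sender_mismatch(display_name, address):
    """Official-sounding display name whose address domain is not .gov or .org."""
    domain = address.rsplit("@", 1)[-1].lower()
    looks_official = any(w in display_name.lower().split() for w in OFFICIAL_WORDS)
    return looks_official and not domain.endswith((".gov", ".org"))

def suspicious_links(body):
    """Links whose host name looks governmental but does not end in .gov."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        tokens = re.split(r"[.-]", host)
        if any(t in GOV_HOST_WORDS for t in tokens) and not host.endswith(".gov"):
            hits.append(url)
    return hits

def phishing_indicators(raw):
    """Return human-readable flags for the two telltale signs, or [] if none."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    if sender_mismatch(name, addr):
        flags.append(f"sender mismatch: '{name}' <{addr}>")
    for url in suspicious_links(msg.get_payload()):
        flags.append(f"lookalike link: {url}")
    return flags
```

An empty result is not a clean bill of health; these are only the two clues the article names, and the independent phone call it recommends remains the real check.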

Best Practices

To raise awareness before a cyberattack occurs, firms should consider developing these five strategies to educate their employees about phishing attacks:

  1. Keep antivirus, web browsers and email software updated
  2. Routinely back up your hard drives on a separate independent server or hard drive
  3. Exercise caution with email links and attachments by hovering over the link or attachment to display the actual file name and type
  4. When in doubt, contact the sender directly through an independent number not listed in the suspect email
  5. Create an open culture within your firm that rewards employees' disclosure of potentially falling victim to a scam in a timely manner
  6. Educate and test your support staff

As an attorney, you have the duty to your business and your clients to be familiar with the warning signs posed by phishing attacks. To learn more about protecting your firm against scammers, download Matthew Fitterer's article in CNA PROfessional Counsel: "Phishing Attacks Use Bar Complaints and HIPAA Audits as Bait."
