Spear Phishing for Legal Professionals: A Guide to Avoiding Costly Email Scams
By Todd C. Scott. Todd is the VP of Risk Management at Minnesota Lawyers Mutual Insurance Company (MLM). For more information on malpractice claims trends or any other legal risk management topic, contact Todd at [email protected], or www.mlmins.com
The legal industry is once again being warned of numerous email phishing scams targeting law firms. Most often, scams are designed to lure legal professionals to malicious websites with computer viruses. Law firms are also reporting more sophisticated email scams designed to convince attorneys and staff that the correspondence comes from a legitimate source seeking to retain the firm for legal services. No matter the type of scam, they’re all designed to disrupt operations and extract payments through theft or ransom.
Reports from around the web include:
- The Administrative Office of the U.S. Courts issued warnings in November 2024 urging lawyers to beware of emails mimicking notifications of electronic court filings in cases they were handling that sought to entice recipients to visit a malicious website with computer viruses.
- The Administrative Office of Pennsylvania Courts advised the public in May 2025 to stay vigilant against a recently reported text message scam involving the Pennsylvania court system, which involves text messages that “spoof” or mimic the Pennsylvania Courts and/or Unified Judicial System website.
- The Florida Bar alerted its members in June 2025 to a new wave of phishing emails targeting law firms — particularly smaller practices — in an apparent effort to gather sensitive information and fee structures, retainer agreements, and engagement terms, to convincingly impersonate legal professionals.
E-mail scams are not new or unique, but they seem to be on the rise and more successful at attracting unwary legal professionals. There has been a 49% increase in phishing attacks capable of evading email/texting filters since 2022, according to a February 2025 Forbes article addressing the phishing trend.
The success of the attacks may be partially attributed to the sophisticated use of AI, used by scammers to make their attempts more convincing. In February 2025 the ABA Law Practice Division reported the experience of a lawyer who thought she received a phone call from her daughter asking her to send money immediately. The call was part of a sophisticated scam attempt in which the scammer was not merely able to capture and mimic the daughter’s voice but understood the relationship between the mother and daughter. It was clearly her daughter’s voice. When the conversation ended, the lawyer immediately telephoned her daughter and learned that the daughter had not called.
To understand the rise in email scams, it helps to know what scammers are after, and why their tactics so often work. The goal of an email scammer is to steal money, data, or access to the firm's accounts and network. Email or text is most often used to trick the victim into sending payments, revealing sensitive information, or clicking malicious links or attachments that install malware.
Legal professionals need to also consider the work habits that can lead to a scammer’s success. For an email scam to succeed, it often creates a false sense of urgency to pressure the recipient into acting quickly. Working in a law firm often means working under pressure with constant demands on time, and this can lead to distractions and missed red flags. On top of that, the pressure to quickly respond to current clients and potential new clients can make those working in firms more likely to engage with messages that seem legitimate but are fraudulent.
Don’t be a victim. Slow down and verify.
To avoid becoming a victim of a costly email scam, consider adopting email habits that disrupt the scam in its tracks. Scammers craft messages that look familiar, often mimicking a client, colleague, or trusted institution. Combined with convincing language, professional tone, and realistic-looking links or attachments, these scams can be hard to spot. But don’t fall for the graphics and convincing language – slow down and verify.
Here is a list of attorney email habits that will likely help you spot a scam email:
- Slow Down and Verify – Don’t act immediately, even if an email feels urgent. Pause to check sender details, links, and attachments, especially if the message involves money, credentials, or client data. The display name is not the address: expand it to see the actual sending address, and compare it with the one you already have on file.
- Always Confirm Unusual Requests – Verify payment changes, wire instructions, or requests for sensitive info by phone or another known, trusted channel. Never trust contact details provided in a suspicious email.
- Watch for Red Flags – Look for misspellings, odd phrasing, or generic greetings. Be cautious of emails that don’t quite match a client’s usual tone or contain unexpected attachments.
- Use Strong Email Security – Enable multi-factor authentication (MFA) on every account, preferably a phishing-resistant method such as a hardware security key or passkey, because a one-time code typed into a fake login page can simply be relayed to the real site. Keep your operating system, antivirus, spam filters, and security software up to date.
- Train the Team – Make sure everyone knows how to spot phishing and understands firm policies for handling suspicious emails. Regularly run phishing simulations or trainings to stay sharp.
- Limit Public Exposure – Avoid listing individual email addresses on the firm’s website and use contact forms or central inboxes to reduce direct targeting.
- Be Cautious with New Client Inquiries – Treat unexpected emails from “new clients” with care, especially if they ask for urgent legal help or include documents upfront. Google the name, reverse search the email address, and check for scam reports.
- Verify Links Before Clicking – On a desktop mail client, hovering your cursor over a link shows the actual URL it leads to, which is often not the text displayed; on a phone, press and hold the link to see the same thing. Read the domain carefully, because scammers place a familiar name in front of one they control (a trusted domain used as a subdomain of an unrelated one, or a lookalike spelling). If in doubt, just don’t click; type the address you already know into your browser instead.
One way to stay sharp about sophisticated phishing scams is to subscribe to phishing training and testing services. Many cybersecurity providers now offer these services to help employees recognize and avoid scam emails. Phishing training services send realistic, fake phishing emails to staff to test whether they click, respond, or report the message. If someone falls for the bait, the system provides instant feedback and targeted training to improve awareness. Over time, this helps build better instincts and reduces the risk of a real breach.
Law firms especially benefit from this kind of proactive training because legal professionals handle sensitive client data and financial information, making them frequent targets for scammers. Regular phishing tests not only strengthen the human firewall but also foster a culture of caution and security within a firm.
MLM specializes in lawyers’ professional liability insurance and risk management services for the legal community. MLM’s 35-year history as a lawyers' professional liability carrier is marked by solid financial performance, outstanding customer service, steadfast dedication to risk management, and consistent dividend payments to our policyholders.

