So, earlier today, I warned of a phishing scam that I believed to be targeting lawyers.
Here’s how the afternoon went.
- An attorney contacted the Professional Responsibility Program. The attorney informed my assistant of receiving an email from the “ethics board” that informed the attorney that a complaint had been filed. The attorney indicated that the e-mail invited the attorney to click on a link to review the complaint and another to file a response.
- My assistant asked the attorney to forward the e-mail. Then, my assistant informed me that there might be a phishing scam targeting lawyers and that she’d forward the e-mail as soon as she received it from the attorney who contacted her. Minutes later, she received the e-mail and forwarded it to me.
- It was obvious that the e-mail was not from Bar Counsel, Disciplinary Counsel, or anyone associated with the Professional Responsibility Program. So, I immediately posted to my blog, warning about the scam. I also posted the warning on Twitter and Instagram.
- Next, I sent out a warning via e-mail to a very large distribution list. In it, I warned about the scam. Finally, I notifed lawyers in the Secretary of State’s Office of Professional Regulation, for their own benefit and in case the scammers were also targeting other licensed professionals. As I was typing the e-mail, Disciplinary Counsel Sarah Katz left me a voice mail. In her message, she said that an attorney had contacted her to ask about an e-mail that purported to notify the attorney that a complaint had been filed with the “ethics board.” Sarah and the attorney were concerned that the e-mail was fake and a phishing scam. The attorney who contacted Sarah was not the same attorney who contacted my assistant.
- In short, within minutes of each other, two different attorneys contacted the Professional Responsibility Program to register concern about what appeared to be a phishing scam targeting lawyers.
- Turns out, the two lawyers work at the same place. I’ve since heard from another lawyer who works there, as well as someone from their IT. Here’s what the IT person wrote: “Mike, please call me on my cell (xxx-xxxx) or at work at (xxx-xxxx) so that we can talk about the email scam which was a phishing test originated by me.”
That’s right. False alarm.
Especially since today’s “phishing test” was almost identical to an actual scam that targeted lawyers last summer, prompted warnings from the state bars of Nevada, California, and Florida, and resulted in this blog post from me.
I apologize for any inconvenience that I caused.
To be clear, I did not have prior notice. The office where it happened isn’t exactly small. I wonder if schools let the fire department know before they conduct fire drills.
In any event, it’s a learning opportunity. As I mentioned last year and again today, the scam is not uncommon. The Professional Responsibility Program will never ask a lawyer to click on a link to open or respond to a disciplinary complaint.