At the State Bar of Texas annual meeting in Houston, Justice Lawrence Doss of the Seventh Court of Appeals of Texas and Carrie Phaneuf, vice president of loss prevention at Texas Lawyers Insurance Exchange (TLIE), delivered a timely session on “Scams & Phishing Emails Targeting Lawyers & How to Avoid Them.”
It was a strong reminder that better IT security for lawyers is not optional — it is part of professional responsibility.
Read the original coverage:
Cyberattacks Against Lawyers Are Growing More Sophisticated, Officials Warn — Texas Lawyer / Law.com
What the speakers emphasized
Texas attorneys face attacks that exploit how law firms actually work: hierarchy, deadline pressure, and routine familiarity with files and messages. Criminals no longer rely on obvious “Nigerian Prince” templates. As Justice Doss put it, AI-trained phishing can make communications “resemble exactly what you would expect.”
Phaneuf stressed that everyone is a target — and that smaller firms may be especially attractive because they often lack dedicated security staff. Outgoing State Bar president Santos Vargas noted that Texas attorneys have already lost millions of dollars to fraudulent wire transfers.
The ethical frame is clear. Texas lawyers have been required to maintain technological competence since 2019 under the Texas Disciplinary Rules of Professional Conduct (TDRPC). Doss described the standard as practical, not expert-level: attorneys must make “reasonable efforts” and do “what a reasonable attorney would do under similar circumstances.” That includes understanding how tools like generative AI handle client data — not becoming IT specialists.
Four scam scenarios every firm should know
The session walked through four threat patterns drawn from FBI alerts and real insurance claims:
1. Silent Ransom Group (fake invoices)

Criminals send fake invoices or account alerts to trigger a callback. When staff respond, attackers deliver malicious links or software and gain remote access.
2. Two-factor authentication bypass

Callers impersonate banks or vendors and pressure staff to click links or share credentials — intercepting authentication codes to reset passwords and access financial accounts.
3. Fake client / bad check refund

A “prospective client” agrees to any retainer, sends a check, then demands a quick refund before it clears — leaving the firm out of funds and exposing bank routing details.
4. Thomas v. Corbyn — spoofed firm email ($475K wire)

In a 2025 California case cited in the session, criminals altered two letters in a law firm’s email address, redirected a $475,000 settlement wire, and the defense firm was held liable under the imposter rule. Phaneuf summarized the principle: the party best positioned to spot the fraud bears the risk.
Process controls the speakers recommended
Training and verification matter as much as software:
- Verify payment instruction changes out of band — call a number from the State Bar listing, the firm’s own website, or prior court filings, never from the suspicious message.
- Never send or accept wire instructions by email alone.
- Run staff training monthly or quarterly, not once a year — supervising attorneys remain responsible under disciplinary rules.
- Maintain separate backups, require MFA, patch quickly, and audit email for unauthorized forwarding rules.
- Review professional liability and cyber endorsements — many policies exclude wire fraud without specific coverage and may require portal-based verification.
Justice Doss offered a simple pause rule: “Their crisis is not your crisis.” If something feels off, stop and call before you act.
Why antivirus is not enough — and what you can document today
Phaneuf’s line landed hardest for IT-minded listeners: “Antivirus software cannot detect social engineering. It doesn’t know the difference between a fraudulent email and a legitimate one.”
That is why email authentication still matters. When your domain lacks DMARC enforcement, SPF, and DKIM, criminals can send messages that look like they came from your firm — the exact pattern behind the Thomas v. Corbyn scenario. Lookalike domains (two-letter swaps, hyphen tricks, TLD variations) are a separate but related risk.
You cannot train your way out of a domain that is trivial to spoof. You can document the technical controls you have in place — which supports the reasonable efforts standard Doss described and aligns with Texas SB 2610 program documentation for firms that maintain written cybersecurity programs.
Free law-firm audit — Texas preset
Run a 60-second domain security scan built for Texas law firms:
audit.emailmenow.com/?industry=law-firms&state=texas
The free scan checks DMARC, SPF, DKIM, MTA-STS, TLS, and related web transport controls. Unlocked reports add law-firm-specific threat narratives, remediation steps, and Texas SB 2610 context — plus deep links to check compromised credentials (Have I Been Pwned) and lookalike domains (Have I Been Squatted) when you audit by email or domain.
This is technical readiness mapping, not legal advice. It does not replace TLIE’s guidance on wire verification, insurance endorsements, or staff training — it complements them with evidence you can hand to IT counsel or your malpractice carrier.
Related resources
- Law firm breach tracker (Texas OAG data)
- Texas OAG YTD breach dashboard
- California State Bar fraud alert — national parallels
- Law firm cybersecurity audit checklist
- How to document your program for SB 2610
- SB 2610 Safe Harbor guide (PDF)
Need hands-on help? Contact EmailMeNow IT Consulting for wire-fraud prevention reviews, phishing training, and SB 2610 documentation support.
Original source:
Cyberattacks Against Lawyers Are Growing More Sophisticated, Officials Warn — Laura Lorek, Texas Lawyer (Jun 16, 2026)