Three professionals collaborating over laptops in a modern office

Last updated: June 3, 2026

If you practice law in Texas, this scam has probably already shown up in your inbox. A stranger emails asking for help with a contract dispute or debt collection matter. They sign your engagement letter fast, send a large check, then ask you to wire part of it to a third party before the original check bounces. By the time your bank claws it back, the wire is gone and you’re short tens of thousands of dollars out of your IOLTA account.

This isn’t a new scam. The FBI’s IC3 issued an advisory on it in October 2024 specifically naming law firms as targets. The Texas Bar Blog reported two more Texas victims in December 2025. It keeps working because the emails are good and the pressure is real.

How the scam runs

An unsolicited email arrives. Someone claims to be a business owner or executive with a legal matter they need help resolving — a breach of contract, a debt owed by another company, a family law settlement. The email is professional. There’s a company name, supporting documents, sometimes a license agreement or settlement paperwork. Nothing obviously wrong.

They agree to your retainer without negotiating. That’s worth pausing on. Real clients push back on fees. These don’t. An engagement letter gets signed. Then a cashier’s check or ACH payment arrives for a large amount. In the December 2025 Texas Bar cases, the checks came from Canada, drawn on accounts that turned out to be either nonexistent or counterfeited from real accounts without the owners’ knowledge.

The check posts to your account. Your balance reflects the funds. Then the “client” contacts you with urgency: they worked it out directly, there’s a settlement deadline, they need you to forward a portion to a third party right now. You wire it. Days or weeks later the original check bounces, the bank reverses the deposit, and the wire is already gone.

The trust account piece is what makes this hurt more than a standard fraud. Scammers know Texas attorneys are under IOLTA prompt-payment obligations. They use that to push for faster disbursement than you’d normally be comfortable with. If something goes wrong, you’re looking at a financial loss and a potential Rule 1.15 problem on top of it.

What to watch for

The FBI advisory and Texas Bar reports describe the same patterns across cases:

  • First contact is unsolicited email with no referral and no prior relationship
  • The client is out of state or overseas with no obvious reason to be hiring you specifically
  • The matter involves collecting or transferring money: debt recovery, real estate, commercial disputes, family law settlements
  • They accept your retainer terms without any pushback
  • Payment arrives before you have fully established the engagement
  • A wire request to a third party follows quickly after the check arrives
  • The wire destination is foreign or unexpected
  • All communication is by email; they avoid phone or video calls

In December 2025, one of the Texas attorneys targeted got an email from someone claiming to be the CEO of a Mexican company, asking for help with “a breach of license agreement.” Supporting documents came with the follow-up. One of the targeted attorneys found the Texas Bar’s prior reporting, recognized the pattern, and walked away. The other didn’t.

What to actually do about it

Verify the client before you engage. Search their name, company, and the specifics of their matter independently. Call the company on a number you find yourself, not a number they gave you. Ask for ID. If they push back on basic verification, stop there.

Posted is not cleared. Funds showing up in your account balance do not mean the check has cleared. Fraudulent cashier’s checks and ACH payments can take two to three weeks to get rejected. Your bank can tell you whether deposited funds are fully collected. Ask before you move anything. The FBI advisory on this is direct: never disburse from a trust account on a posted balance alone.

A wire request to a third party should stop you cold. Legitimate clients rarely need you to immediately forward funds somewhere else. International urgency around a wire is a reason to slow down, not speed up. The FBI recommends calling a number you sourced independently to verify before any disbursement.

Get your email configured properly. These emails don’t look like spam. They’re addressed to your firm specifically, they reference a plausible legal matter, and they come from a real-looking domain. Standard spam filters miss them. DMARC and DKIM on your own domain prevent your firm from being spoofed. A dedicated email security layer on top of Microsoft 365 flags first-contact senders and domain impersonation attempts that built-in filtering lets through. The Texas Bar cases showed the scam emails were routed through servers scattered across multiple countries while appearing to come from domestic businesses.

If you already wired the money, call your bank now. Ask them to attempt a recall. Not every bank can do it and not every recall succeeds, but time matters. Then file a complaint at ic3.gov, contact the Texas Bar ethics hotline, and reach your malpractice carrier. Bank fraud is also investigated by the U.S. Secret Service. Document the full timeline before you do anything else.

Why Microsoft 365 alone isn’t enough

Most small law firms run on Microsoft 365 or Google Workspace and assume the built-in filtering covers them. It catches a lot of spam. It does not catch a targeted, well-written impersonation email from a domain that was registered to look like a real business. Those don’t trip spam rules because they aren’t spam by technical definition.

What helps: DMARC and DKIM on your domain so your firm can’t be impersonated outbound, an email security layer that can detect domain spoofing and flag unusual first-contact senders, and staff who know what a wire fraud setup looks like before they get the wire request. That third piece is the one firms skip. The scammers create real pressure and real urgency. An associate who doesn’t know the pattern is going to feel it.

We set this up for Austin-area law firms regularly. It’s not a long engagement and it’s not expensive. It’s also what Comment 8 to Rule 1.01 now expects from attorneys on technological competence.

We can review your firm’s email security and tell you where you’re exposed. Free assessment, no obligation, no sales pressure.

Get a free IT assessment

The check posted to my account. Can I wire from my IOLTA now?

No. Posted means the check is in the system, not that it cleared. A fraudulent cashier’s check or ACH can take two to three weeks to be rejected. Call your bank and ask them to confirm the funds are fully collected before you move anything. The FBI advisory says the same thing: never disburse on a posted balance alone.

Which practice areas get targeted?

The FBI identifies any matter where an attorney handles the transfer or collection of money: debt collection, real estate, commercial transactions, and family law settlements. If a large check flowing through your trust account with a subsequent wire is a normal part of your practice, you’re a target.

I already wired the money and the check bounced. Now what?

Call your bank immediately and ask for a wire recall attempt. Recovery isn’t guaranteed but speed matters. File a complaint at ic3.gov. Call the Texas Bar ethics hotline. Contact your malpractice carrier. Bank fraud cases go to the U.S. Secret Service as well. Write down the full timeline before you talk to anyone.

Doesn’t Microsoft 365 filter these out?

Not reliably. These emails aren’t spam by technical definition. They’re targeted correspondence from a real-looking domain with a plausible legal story. Standard filters pass them. DMARC and DKIM on your domain, plus a dedicated email security layer, catch what built-in filtering misses.

Could falling for this create a State Bar problem?

Yes, potentially. A Rule 1.15 trust account issue is possible depending on how the disbursement happened. Being victimized doesn’t automatically mean a violation, but your intake verification process and how you handled the disbursement will both be relevant. Document your client verification steps on every new matter. If you’re unsure about exposure after an incident, call the State Bar ethics hotline before doing anything else.

Does safemode IT work with law firms on this?

Yes. We work with legal clients across Central Texas on email configuration, DMARC setup, Microsoft 365 hardening, and security awareness training. If you want to know where your firm stands, our cybersecurity page has the details, or call 512-761-7652.

Sources

FBI IC3 PSA241008 — Counterfeit Check Scam Targets Law Firms Via Debt Collection Scheme (October 2024)
Texas Bar Blog — Scams continue to target Texas attorneys (updated December 2025)
Texas Bar Blog — Fraud Alert: Con artists targeting lawyers with sophisticated scams
FBI Internet Crime Complaint Center (ic3.gov)

← Back to Blog
Share: