Friday, March 20, 2015

An E-mail PSA (or Nine Nifty Tips to Avoid Ruin)

The following is a public service announcement aimed toward my fellow attorneys (especially small firms and solo practitioners), but the advice described below is worthwhile for anyone to bear in mind when receiving unsolicited e-mails.

Every once in a while, I am chagrined to read about some poor (i.e. ignorant) attorney who lost a fortune (sometimes of his own and sometimes of his client’s money) and who faces significant possible penalties, because he or she succumbed to the latest e-mail “phishing” scam.  As attorneys, I think we’re bred to be skeptical people, but often greed (or really need) for new clients can cloud our better judgment.  On top of this fact, it is increasingly difficult to automatically weed out “spam” e-mails from our inbox because phishing hackers are getting better at circumventing the normal spam filters, and we often don’t want to set our filters too conservatively, for fear of missing a good potential client with an otherwise zany e-mail address.

But after receiving more than a few of these “phishing” e-mails in the past 8 years, I’ve come to recognize patterns in the ones that should be deleted right away.  Here are some tell-tale signs that an e-mail from a potential “client” is, more likely than not, just a scam:

  1. The e-mail address is wacky, like [unrecognizable word]@[domain you’ve never heard of].com.[foreign country code].  Especially if you have a relatively focused geographic practice, it’s unlikely that you will attract very many clients from overseas.
  2. The sender includes a “link” to another (equally odd-looking) e-mail address in the body of the e-mail, which differs from the sender’s e-mail address appearing in the "From" header.  NEVER CLICK ON SUCH A LINK.  More likely than not, it’s a hidden virus or other problematic part of the scheme.
  3. The e-mail is generically addressed to “Dear Counsel” or “Dear Attorney”.  If you have a small or solo practice (and your e-mail address is some variation of your actual name), it’s unlikely a potential client would be (a) so lazy as to neglect to use your name in greeting; or (b) so uninterested in his or her case as to use an e-mail “blast” to hundreds of different attorneys.
  4. There are one or more other apparent attorneys in the "CC" or "To" headers of the e-mail.  Even if this might be a legitimate potential client, do you really want someone who is just “blasting” a generic request to everyone on some attorney e-mail list?
  5. The language of the e-mail uses horrible grammar and is completely devoid of facts, other than the generic request “… Do you handle X cases?”.
  6. Conversely, if the grammatically-poor e-mail contains relatively succinct facts that seem too good to be true … it is.  For example, if a “potential client” e-mails you from overseas stating that he or she received a settlement in a divorce proceeding, but needs a U.S. attorney to cash the $250,000 check and return the proceeds to the sender (of course, keeping 10% for your fee), this is nothing more than a clever variation of the old “Nigerian Prince” scam.
  7. The request/legal matter is something that you’ve never handled and/or never advertised as part of your firm’s services.  I believe that I am a good estates and family law attorney, and that my website has all the right SEO for my areas of practice, but I am not so blindly conceited to believe that, out of the blue, a Dutch shipping company decides that they want to hire me to craft the documents for a major merger with another international shipping company.  That would no doubt be fun, but I would be very worried about the judgment of the Board of Directors of such a company.
  8. The nationality of the sender’s name does not match the apparent derivation of the e-mail address.  For example, a distinctly Japanese name at the end of an e-mail from a sender with an “.au” (Australia) country code in their e-mail address.
  9. The sender does not bother to provide any contact information other than the original e-mail address (or the afore-mentioned dangerous “e-mail” link embedded in the text).  Most legitimate people – even overseas – will provide you with multiple avenues through which to contact them if they are truly interested in assistance.  One caveat on this point: even if there is a signature block on the e-mail that contains an official-sounding business name and mailing address, check to make sure that the purported e-mail matches said business domain.  It is possible (because I’ve seen it happen) that a clever phisher will spoof the name/mailing address of a real business, but direct victims to his or her fake e-mail address.

A scam or phishing e-mail may not contain all of these elements, but if any of these red flags are present, you should be very cautious before responding (if you don’t delete the e-mail outright).  A couple of minutes of due diligence on your part can save you not only thousands of dollars of potential loss, but your reputation, and possibly your very livelihood, as well.
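Several of the signs above (tips 1, 2, 3, 4 and 9) can be checked mechanically against a message's headers and text. The following Python script is an added example, not part of the original post: the function name `red_flags`, the sample message and every address in it are constructed, and it assumes a single-part plain-text e-mail.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real e-mail); ".zz" stands in for a foreign country code.
SAMPLE = """\
From: "Hiroshi Tanaka" <hrtk77@shipco.com.zz>
To: a.smith@smithlaw.example, b.jones@joneslegal.example
Cc: c.lee@leefirm.example
Subject: Legal assistance

Dear Counsel,

Do you handle settlement cases? Please reply to claims.dept@payout.example

Hiroshi Tanaka
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
GENERIC_RE = re.compile(r"^\s*dear\s+(counsel|attorney|sir|madam)\b", re.I | re.M)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def red_flags(raw, my_address):
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumption: single-part plain text, so this is a str
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flags = []
    # Tip 1: sender domain of the form <name>.com.<two-letter country code>
    if re.search(r"\.com\.[a-z]{2}$", sender):
        flags.append("country-code sender domain")
    # Tip 2: the body steers replies to an address other than the From address
    others = {a.lower() for a in ADDR_RE.findall(body)} - {sender}
    if others:
        flags.append("body address differs from From: " + ", ".join(sorted(others)))
    # Tip 3: generic salutation instead of the recipient's name
    if GENERIC_RE.search(body):
        flags.append("generic greeting")
    # Tip 4: other recipients in To/Cc besides the reader
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    extra = rcpts - {my_address.lower()}
    if extra:
        flags.append("sent to %d other recipient(s)" % len(extra))
    # Tip 9: no contact route other than e-mail (approximated as: no phone number)
    if not PHONE_RE.search(body):
        flags.append("no phone number in body")
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE, "a.smith@smithlaw.example")))
```

A non-empty result is a prompt for the manual due diligence described above, not a verdict; tips 5 through 8 depend on judgment about content and are left to the reader.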
