A real estate closing is scheduled for Friday. On Wednesday morning, your office manager receives an email that looks like it’s from the managing partner - asking her to wire $340,000 from the IOLTA account to a new escrow account. She’s done this kind of thing before. She processes it. The money is gone by Thursday.
This isn’t a hypothetical. It’s a pattern.
The Problem: Trust Accounts Are Sitting Targets
Most law firms have done the work on basic cybersecurity. You have email filtering. You have antivirus software. You may even have multi-factor authentication (MFA) on your email accounts. That’s real progress.
But when it comes to the financial controls around client trust accounts, many firms are still operating on the honor system.
Think about how a typical wire transfer actually gets authorized at your firm. Someone requests it. Maybe someone else approves it verbally, or over email. The banking portal has a single set of login credentials. There’s no call-back procedure to verify the request. The reconciliation happens monthly - if you’re lucky.
That process is exactly what attackers are counting on.
Trust account fraud almost never exploits a single vulnerability. It’s a combination: a compromised email account, a banking portal with weak access controls, and an internal process that assumes requests from familiar names are legitimate. Remove any one of those three elements, and most attacks fail. Leave all three in place, and your IOLTA account is one convincing email away from a serious problem.
The irony is that trust accounts hold client funds - not firm funds. That means a successful attack doesn’t just cost your firm money. It creates an ethical crisis.
Why This Matters for Law Firms
Bar associations don’t treat trust account mismanagement as a purely financial matter. They treat it as an ethical one.
Rule 1.15 of the American Bar Association (ABA) Model Rules of Professional Conduct requires attorneys to safeguard client property and keep it separate from firm funds. Most state bar rules mirror this. If your trust account is compromised because your internal controls were inadequate, the bar isn’t primarily interested in whether you were a victim. They want to know whether you took reasonable steps to protect client funds.
A security breach can trigger two simultaneous crises: recovering the money and defending a disciplinary complaint.
The financial exposure makes this worse. Unlike business operating accounts, trust account losses aren’t your money to absorb quietly. You may have a legal obligation to restore client funds out of pocket while the investigation plays out. For a small or mid-size firm, that’s potentially firm-ending.
And the threat is growing. Business email compromise (BEC) tactics - the same techniques that hit CPA firms hard during tax season with fraudulent tax refund redirects - are now being applied to law firm disbursements year-round. Attackers have figured out that real estate closings, settlement disbursements, and escrow transfers are predictable, high-value, and time-pressured. Time pressure is the attacker’s best friend. It’s how they get people to skip the verification step.
How to Address This: The Trust Account Security Checklist
Work through this framework with your office administrator, your bookkeeper, and your banking contact. None of these steps require expensive technology. Most require procedure changes.
Access Controls
- Audit who has login credentials to your trust account banking portal right now. Remove anyone who doesn’t need active access.
- Require MFA on all banking portal logins - not just email. If your bank doesn’t support MFA, have a conversation with them or consider switching.
- Use a dedicated device for banking transactions where possible. A computer used only for banking is dramatically harder to compromise than a general-use workstation.
Authorization Rules
- Establish a written policy requiring dual authorization for any wire or ACH transfer above a defined threshold (commonly $5,000 or $10,000 - set yours based on your typical transaction sizes).
- Require out-of-band verification for all wire instructions. This means calling the requesting party at a known, pre-existing phone number - not a number provided in the email requesting the transfer. Every time. Without exception.
- Never process a wire request received only by email, even if it appears to come from a partner. The call-back step is the control.
Reconciliation Practices
- Reconcile your trust account monthly, at minimum. Three-way reconciliation - comparing your internal ledger, your client ledger, and the bank statement - is the standard your bar association expects.
- Assign reconciliation to someone other than the person who processes disbursements. Separation of duties isn’t bureaucracy. It’s how you catch errors and fraud early.
- Review the reconciliation report yourself, even if you don’t prepare it. A managing partner who personally reviews the numbers is a meaningful deterrent.
Incident Readiness
- Know your bank’s fraud reporting number before you need it. Post it visibly.
- Document your wire authorization procedures in writing. If there’s ever a disciplinary inquiry, written procedures are evidence that you took this seriously.
- Run a phishing simulation that includes a fake wire transfer request. See how your team responds before an attacker does.
What to Look for in an IT Partner
Not every managed IT services provider understands the specific context of law firm trust accounts. When you’re evaluating a provider, ask these questions directly:
- Experience with law firms under state bar ethics rules? Your IT partner should understand that a security incident here isn’t just an IT problem.
- MFA and access controls on banking portals, not just your Microsoft 365 environment? These are different systems with different requirements.
- Security awareness training that includes financial fraud scenarios? Generic phishing simulations won’t prepare your team for the specific tactics used against law firms.
- Help documenting your security procedures? If the bar ever asks, written policies matter.
- Incident response that actually works after hours? You want a provider who will pick up the phone at 8 p.m. on a Friday when the wire has already gone out.
A good IT partner won’t just secure your endpoints. They’ll help you build the human processes that technology alone can’t protect.
The Bottom Line
Securing your client trust accounts isn’t a technology problem with a technology solution. It takes the right access controls, written authorization procedures, separation of duties, and a team that knows how to slow down when something feels off. Get those pieces in place, and you’ve closed the gap that attackers are actively exploiting at law firms right now.
Frequently Asked Questions
What is the most common way law firm trust accounts get compromised?
Business email compromise is the leading cause. An attacker gains access to - or convincingly spoofs - an email account at the firm or a client organization, then sends fraudulent wire instructions during a time-sensitive transaction like a real estate closing or settlement. The attack works because it exploits trust in familiar email addresses, not technical vulnerabilities.
How often should a law firm reconcile its IOLTA trust account?
Monthly reconciliation is the minimum standard under most state bar rules, and it should be a three-way reconciliation: your firm’s internal trust ledger, individual client ledgers, and the actual bank statement all need to match. Some bars require reconciliation within a specific number of days after each statement period. Check your state’s specific rules - the California State Bar, for example, has detailed guidance under its Rules of Professional Conduct, Rule 1.15.
Can a law firm be disciplined by the bar even if a trust account theft was caused by a cyberattack?
Yes. Bar disciplinary authorities evaluate whether the firm maintained reasonable safeguards over client funds - not just whether the firm intended to cause harm. If a firm lacked basic controls like dual authorization for wire transfers or failed to perform regular reconciliation, a successful attack can still result in a disciplinary inquiry or finding. The ABA’s Formal Opinion 483 (2018) also addresses attorneys’ obligations related to data breaches, which intersects with these financial security practices.
Does technology insurance cover trust account fraud losses at law firms?
It depends heavily on the policy. Standard technology liability insurance may cover forensic investigation costs and notification expenses, but trust account fraud is often classified as a financial crime that falls under a crime or fidelity bond policy rather than a technology policy. Many firms don’t carry both. Review your coverage with your broker and ask specifically about social engineering fraud and funds transfer fraud - these are separate coverage endorsements that many firms don’t realize they’re missing.
If you’re working through trust account security challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.