Last December, a paralegal at a mid-size firm in downtown Salt Lake City got a text from the "managing partner." The message was urgent: "Buy $2,000 in Visa gift cards for client gifts and email the codes ASAP. I’m in court and can’t talk."
Sound strange? She thought so too. But with multiple hearings scheduled, the holiday party looming, and the sender’s name matching the partner’s, she complied.
You already know how this ends. By the time she checked with the actual partner, the cards had been drained—and the firm was out thousands.
But gift card scams are just the beginning. That same month, a Luxembourg-based manufacturer lost $60 million in a sophisticated wire fraud scam. The emails looked legit. The transactions seemed routine. The attacker knew just how to blend in.
If you think your Salt Lake City law firm is too small, too niche, or too smart to fall for these tricks, think again.
In 2024, 73% of all cyber incidents involved business email compromise (BEC). And law firms—guardians of confidential client data—are prime targets.
5 Holiday Scams That Could Derail Your Law Firm’s End-Of-Year Momentum
- "The Partner Needs Gift Cards" (a.k.a. The $2,000 Text Trap)
The Scam: A partner is impersonated via text or email. Staff are asked to urgently buy gift cards for "clients," "holiday giveaways," or "employee appreciation."
The Law Firm Angle: This hits right at your paralegals, admins, or assistants—people trained to jump when a partner says jump.
The Fix: Create a written policy that no gift cards are ever requested by text or email. Require two-person verification for all non-standard purchases.
- Wire Transfer Fraud via Fake Invoice Threads
The Scam: Criminals spoof email threads with opposing counsel, real estate agents, or vendors. Then they send "updated wire instructions."
Real-World Case: Arlington, MA lost nearly $500,000 to this tactic. For a law firm handling escrow or trust accounts? That’s a malpractice nightmare.
The Fix: Always confirm payment info over the phone using a number you already have on file—not the one in the email.
- Fake Shipping Notices During Document Rush Season
The Scam: Your firm receives a link to "reschedule a failed FedEx/UPS delivery."
Why It Works: Law firms often send and receive physical documents during the holidays—wills, settlements, end-of-year contracts.
The Fix: Train staff to never click links in delivery texts or emails. Bookmark official tracking pages and go there directly.
- Malware Disguised as "Holiday Schedule" Attachments
The Scam: Emails arrive with files like "Holiday_Party_List.xls" or "Court_Schedule_Dec.pdf" that install ransomware or keyloggers.
The Fix: Disable macros, scan all attachments, and teach staff to verify the sender before opening any year-end files.
- Fake Charity Campaigns or "Firm Match" Fundraisers
The Scam: An email promotes a holiday charity drive, promising the firm will match donations. It looks legit—but it’s a front for data theft or financial fraud.
The Fix: Publish an internal list of pre-approved charities, and never submit donations through unfamiliar links or third-party forms.
Why These Attacks Work So Well On Law Firms
Cybercriminals don’t use brute force—they use timing, psychology, and your own firm’s structure against you.
- December is chaotic: Deadlines, bonuses, travel, and court closings make people rush.
- Law firms are hierarchical: If "the partner" sends an email, people act.
- IT is often decentralized: Many firms still lack firm-wide cybersecurity policies.
But here’s the deal: These aren’t just IT issues—they’re risk management liabilities. In a profession governed by trust, one breach can undo years of credibility.
Your Holiday Cybersecurity Checklist for Salt Lake City Law Firms
- The Two-Person Rule
All financial transactions over $2,500 require a second person to verbally confirm via a different communication channel.
- Gift Card Policy
Written firm policy: Gift card purchases must be approved in writing through your official communication platform (not text).
- Vendor & Wire Confirmation Protocol
All banking changes must be confirmed via a phone call using a pre-verified number.
- Mandatory MFA
Enable Multi-Factor Authentication (MFA) across all cloud-based systems: email, Clio, NetDocuments, TimeSolv, etc.
- Pre-Holiday Training
Hold a 20-minute team meeting. Show real examples of these scams. Ensure everyone knows how to spot them.
The Real Cost to Your Law Firm
Sure, Orion, the Luxembourg-based manufacturer mentioned earlier, lost $60 million. But let’s talk about what you lose:
- Case deadlines missed during system recovery
- Billable hours lost chasing down fraudulent activity
- Clients questioning your competence if their data is exposed
- Skyrocketing cyber insurance premiums after a breach
The average BEC attack costs $129,000. For a Salt Lake City law firm like yours, that could mean the difference between a record-breaking Q4—or closing the year in crisis mode.
Don’t Let Cybercriminals Write Your Year-End Story
The holidays should be about wrapping up cases, celebrating wins, and setting up for next year—not issuing breach notifications.
A few smart policies, five minutes of staff training, and a solid IT partner can make the difference between "we caught it in time" and "we’re in damage control."
Want to be sure your Salt Lake City law firm is protected before the holiday rush hits?
Click here to book your free network assessment with Qual IT.
Because the best gift you can give your law firm this year is peace of mind.

