Late Wednesday afternoon I received an email from a lawyer at the firm of Barley Snyder who I have never met or spoken to before. The subject line was "Secure Encrypted Message." I'm not sure how much any of you know about reporters, but we like secure encrypted messages. It's sort of the sexier version of "please find the enclosed 42-page legal analytics survey." So I clicked.

No more than 33 minutes later I received a blanket message from an IT help desk technician at Barley Snyder alerting both myself and presumably several others that my new lawyer friend's email account had been "compromised." As those of you playing along at home have probably guessed by now, there was no "secure encrypted message."

"If you clicked on the link and entered any credentials, we advise that you change your password as your account is probably compromised now, too. If you replied to the email to ask if it was legitimate, you likely received a response from the hacker, so please disregard that as well," read the email from Barley Snyder's IT technician.

When one writes about legal technology for a living, the list of occupational hazards occupies a small corner between "small" and "virtually non-existent." I always thought I'd go down leading the last of the human resistance against sentient contract AI, but no: I was going to die of embarrassment.

It's not as if I'd be alone. Stories like mine are becoming more common as more hackers realize that impersonating a lawyer has its perks. Last May, Legal Week reported on a scam involving two phony DLA Piper email addresses used in an attempt to persuade an entity to transfer funds into a fraudulent bank account.

Law firms also appear to be struggling to keep unauthorized intruders out of their systems in general. In fall 2019, Law.com leveraged public records requests to identify "more than 100 law firms that have reported data breaches to authorities across 14 states since 2014."

In the case of what happened at Barley Snyder, no client data appears to have been compromised.

"On Wednesday, we identified a recent data breach attempt on one of our internal email accounts, and a phishing email scheme was inadvertently sent to several company contacts," said George C. Werner, partner and firm counsel at Barley Snyder. "First and foremost, we can assure everyone that after our thorough investigation, we are confident that no firm or client information has been compromised in this attack."

Early Wednesday night I sent both the initial phishing email and Barley Snyder's alert to Gulam Zade, CEO of the legal IT consulting firm Logicforce. He's seen this type of thing before—in fact, it's become more common among law firms and other corporate businesses ever since hackers realized that's where the real money lives.

"You don't have to be a moron to fall for one of these things, right? Educated, smart people are falling for it," Zade said.

The proof is in the pudding. While neither Zade nor I have any inside knowledge about the incident beyond Werner's statement, Zade suspects that the lawyer whose account was hijacked may have previously fallen victim to a phishing scheme.

Here's how it typically works: A target receives a phishing email that asks them to enter their email address and password under the guise of legitimate purposes—maybe retrieving a "secure encrypted message"—which then allows a hacker to surreptitiously gain access to their account plus any valuable information stored inside.

From there, the scheme repeats itself. Hackers raid an account's contact list and start chumming the waters for new usernames and passwords to add to their collection. But surely—surely—you would notice if an outside party was sending or receiving emails from your own mailbox, right? Not necessarily.

"[Hackers] have gotten smarter, so they will send the emails and then make them auto-delete out of the sent folder, and so you can't even see what they've sent," Zade said.

The resourcefulness of the modern hacker apparently knows no bounds. When I clicked on the link proffered by the stolen Barley Snyder account, for example, it took me to a page made to resemble a file-sharing site. From there, a prompt to enter my credentials brought up a page with a Microsoft logo and a box for my email address and password. Fortunately this is where a healthy fear of the unknown intervened and I promptly exited stage left.

According to Zade, hackers aren't above doing a little window dressing, so it's generally a good idea to double check the web address at the top of the page to make sure any familiar insignias aren't just smoke and mirrors. However, if law firms or other businesses really want to nip this kind of thing in the bud, two-factor authentication protocols are generally the way to go.
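The address check Zade describes can be made mechanical. The sketch below is an added example, not part of the original article: it compares the host of a credential prompt's URL against an exact allowlist and names the common ways a familiar name is faked. The allowlist contents and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organisation accepts for Microsoft accounts.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def check_login_url(url):
    """Return (ok, reason) for the address shown above a credential prompt."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    # Anything before '@' is userinfo, not the site being visited.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render as look-alike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised host, possible look-alike"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "exact match: " + host
    # A trusted name on the left of a longer host belongs to whoever owns the right.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if host.startswith(trusted + "."):
            return False, "trusted name is a subdomain of " + host[len(trusted) + 1:]
    return False, "unrecognised host: " + host


# Constructed sample addresses; the .example domains are placeholders.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.files-share.example/signin",
    "https://login.microsoftonline.com@files-share.example/signin",
    "http://login.live.com/",
    "https://xn--mcrosoft-login.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print("OK  " if ok else "STOP", sample, "->", reason)
```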

Once the damage is done, it's done, and Zade isn't sure what else Barley Snyder could have done outside of the warning email the firm sent. But if it's any comfort, this particular class of email scheme may be approaching its expiration date.

"This stuff is going to go away soon enough, at some point, because it's just going to become like a Nigerian prince thing where everyone is going to know about it," Zade said.

For the record, I have never once given money to a Nigerian prince.