The State Bar has received reports of TOAD attacks against lawyers’ trust accounts. TOAD is an acronym for telephone-oriented attack delivery. Perpetrators engage in phishing attacks against lawyers or law firm staff to trick them into disclosing confidential information, allowing the perpetrators to gain online access to trust accounts.
In a typical TOAD attack, the perpetrator identifies a target in the law firm and gathers information about the target and the firm through social media, the dark web, and hacking. The perpetrator then contacts the target, typically by telephone call. The perpetrator frequently poses as an existing employee of the firm’s bank with whom the target is familiar, and uses spoofing to make it appear that the call is coming from a known telephone number at the firm’s bank. The perpetrator creates a sense of urgency by telling the target that a breach of the trust account is underway and that the perpetrator needs the username and password to get into the account to stop the attack. Armed with that information, the perpetrator transfers the contents of the account. TOAD attacks can also be initiated by links in emails, text messages, or instant messages. Even when the crime is discovered very quickly, banks have had limited success retrieving stolen funds.
Every lawyer and every staff member should be trained to recognize TOAD attacks and instructed that they must never click on suspicious links and must never provide information to anyone that could be used to access the firm’s trust account. Using multifactor authentication can make it more difficult for a perpetrator to obtain access to the trust account.
When a firm receives a suspect contact, it should immediately initiate communication directly with its bank, using the bank’s known telephone number, not using a number or link provided in the suspect contact. Any suspected TOAD attack should also be reported immediately to your bank’s fraud department, to the FBI at ic3.gov, and to the State Bar Trust Account Compliance Department.
