McDade Insurance Brokerage Blog

The Fake IT Call Hitting America's Law Firms | McDade

Written by Charles D. McDade, LUTCF | Jul 7, 2026 2:28:17 PM
From the Founder

The call comes from your own IT department. Except it does not.

  • By Charles McDade, LUTCF
    Published July 2, 2026
  • Business Insurance

In June 2026, employees at one of the country's largest law firms started getting urgent calls from their own IT department. The calls were fake, the caller ID was falsified, and the scheme is now the documented playbook against law firms of every size. Here is what happened, and the one page procedure that beats it.

The answer

Criminals are calling law firm employees while posing as the firm's own IT department, with falsified caller ID, and talking their way into accounts and systems. No software is broken. The defense is a written verification procedure that takes one page, one meeting, and about two minutes per call.

What happened in June

Bloomberg Law reported in June 2026 that employees at Lewis Brisbois, a firm with roughly 1,600 lawyers nationwide, received urgent phone calls from criminals posing as the firm's internal IT department. The calls reached employees on their cellphones, the caller ID was falsified, and the callers pressed for urgent action to secure accounts. The firm's own information security director warned staff in writing to hang up on such calls and report them, and within days the firm shut off access to its internal network from employees' personal devices.

The same reporting tied the tactic to a wave of attacks on large firms, including earlier incidents at Fox Rothschild and Orrick described in public filings and statements. And it matched, almost line for line, the scheme the FBI had warned law firms about two weeks earlier in a formal advisory.

I want to be careful with the framing here, because these are respected firms with real security budgets and capable people. Nothing in the public record says anyone at those firms was careless. What the record says is more useful than blame. It says the attack works on prepared organizations, which means preparation has to be specific, not general.

Nobody hacked anything. Somebody dialed a phone.

Why the phone beats the firewall

The firms being targeted spend more on security software than most Houston firms gross in a year. The criminals know that. So they stopped attacking the software and started borrowing the one thing no firewall inspects, which is trust between coworkers.

A call from IT is the perfect disguise because it comes with built in authority and built in urgency. The caller already knows names, titles, and phone numbers, most of which sit on the firm's own website and directory listings. Caller ID offers no protection, because caller ID can be falsified, a fact the FBI advisory states plainly. And remote and hybrid work, which is normal and here to stay, means the person answering is often alone with the decision.

Here is the point I keep coming back to. The attacker's product is not code. It is a conversation, rehearsed hundreds of times against people having it for the first time. You do not beat a rehearsed conversation with alertness. You beat it with a procedure that does not care how convincing the caller is.

The one page procedure for a Houston firm

If the scheme works on a firm of 1,600, the size of your firm is not the defense. But a smaller firm has one real advantage, which is that a single page of procedure can reach every employee by Friday. Built from the FBI's own recommendations, that page says four things.

The verification page

  1. Real IT identifies itself a specific, written way. Decide what that way is, a named ticket number, a known extension, a message in your own systems, and put it in writing. Any call that cannot meet the standard is not IT.
  2. Nobody grants remote access from an inbound call. Ever. If IT genuinely needs a session, the employee hangs up and calls back on the internal number in the directory, not a number the caller provides.
  3. Urgency is the tell, not the exception. Any caller pressing for immediate action to secure an account gets the same answer. Hang up, call back through the known channel, report the call.
  4. Report fast, blame never. The FBI asks firms to preserve the phone numbers, messages, and timeline. An employee who reports a suspicious call in five minutes is the defense working, not failing.

If a call like this may have already reached your team, the signs are recognizable and worth checking today. We wrote the checklist at six signs your team has already been phished, and the full anatomy of how these intrusions run once access is granted lives at from first call to stolen files in one business day.

The insurance seat at the table

When one of these calls succeeds, the event it creates is a data theft followed by extortion. The costs that follow, the forensic investigation, breach counsel, client notification, extortion response, and regulatory defense, are cyber policy costs, and they land outside your malpractice coverage entirely. The boundary between those two contracts is mapped at law firm cyber insurance, and the wire transfer cousin of this scam, where the target is your trust account instead of your files, lives at social engineering fraud for law firms.

One more practical note. Carriers increasingly ask about verification procedures at underwriting, and a documented one can move pricing and terms in your favor. The one page above is not just a defense. It is an underwriting asset, and it is free.

The call did not beat the firewall. It went around it, straight to a person being helpful.

Charles McDade, LUTCF, Founder, McDade Insurance Brokerage Group

Sources worth opening before you decide.

This article uses public source material from Bloomberg Law and the FBI's advisory to law firms.

The purpose is to help you build the procedure before the call arrives. The reporting describes what happened at firms far larger than most. Whether your firm is prepared is answered by one written page and the policy behind it, which is exactly what a review reads.

Questions firm owners ask.

What is the fake IT support call scam?

A criminal calls an employee while posing as the company's own IT department, often with falsified caller ID and real names and titles gathered from public directories. The caller presses for urgent action, usually access to the employee's computer through a remote session or account credentials. Once inside, the attacker steals data and extorts the firm. The FBI issued a formal advisory to law firms about this exact scheme in May 2026.

How do we verify whether an IT call is real?

Hang up and call back on a number you already have, an internal extension or the directory line, never a number the caller provides. Real IT will survive that two minute detour every single time. A written policy stating how your actual IT identifies itself, and a standing rule that remote access is never granted from an inbound call, closes the door the scheme depends on.

Does caller ID prove who is calling?

No. Caller ID can be falsified, and the FBI advisory notes that attackers in these campaigns did exactly that, including on calls to employees' personal cellphones. Treat caller ID as a label anyone can print, not as identification. Verification comes from calling back through a channel you control.

What insurance responds if an employee lets an attacker in?

A standalone cyber policy is the contract built for it, funding the forensic investigation, breach counsel, client notification, extortion response, and regulatory defense that follow. Your malpractice policy is not designed for those costs. The review reads exactly where each contract starts and stops, and about 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.

What Houston clients say.

 
The Next Step

Build the page before the phone rings.

Send us the cyber and malpractice policies you carry today. We will read where each one starts and stops against this exact scheme, and help you put the verification procedure on paper, in plain English, before someone rehearsed tests it for you.

Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.