Clio | Xero | QBO Accounting for Law Firms

Cybersecurity and Your Law Firm: What Your Legal Accountant Wants You to Know

If you have ever received an email that looked like it came from QuickBooks, your bank, or a government agency asking you to verify your account or pay a fee, you are not alone. Cybersecurity threats are becoming more sophisticated by the day, and law firms are an especially attractive target. You handle sensitive client funds, confidential case information, and significant financial transactions, which makes you exactly the kind of target that bad actors are looking for.

At The Proper Trust, cybersecurity is not just an IT conversation. It is a compliance conversation, a trust accounting conversation, and frankly a client protection conversation. Here is what we want every attorney and law firm owner to understand.

The Threats Are Getting Harder to Spot

The days of obvious scam emails with strange URLs and broken English are largely behind us. Today's phishing attempts are sophisticated enough to fool even tech-savvy professionals. Emails arrive that look exactly like they came from QuickBooks, complete with the right logo and formatting, telling you a payment bounced and asking you to log in. The URL looks close enough to the real thing that most people would not catch it.

We see versions of this regularly. One common scam targets QuickBooks users with a notification about a bounced check for a small, believable dollar amount. The goal is not the small amount. The goal is your QuickBooks login credentials. Once they have those, the damage can be significant.

Beyond email, we are also seeing voice cloning and identity impersonation become more realistic. With enough publicly available video and audio, bad actors can generate convincing versions of someone's voice. If you ever receive an unexpected call from someone claiming to be a colleague or family member asking you to move money or share information, verify their identity through a separate channel before acting.

Your Clients Are Also at Risk

One of the most important things to understand is that cybersecurity threats do not stop at your door. They extend to your clients. We have seen situations where law firm clients received payment links or invoices that appeared to come from the firm but were actually fraudulent. Clients paid, the money went somewhere it should not have, and there was no way to undo it.

This is one of the reasons we are firm about using secure communication platforms for all document exchange and sensitive communication. When clients push back and want to send financial documents over regular email or text because it is more convenient, we hold the line. The inconvenience of using a secure portal is nothing compared to the consequence of a client's identity being stolen or their funds being misdirected.

The simple truth is that if a driver's license, a bank statement, or any sensitive document is sent over regular email, it is not secure. Full stop.

Two-Factor Authentication Is Not Optional

If you are not using two-factor authentication on every platform that handles financial data, that needs to change today. This includes QuickBooks, your banking portals, Clio, and any other software your firm uses.

And when you set it up, use an authenticator app rather than text message verification when possible. Text-based verification is better than nothing, but authenticator app codes are significantly more secure because they are not tied to your phone number, which can be compromised.

Yes, two-factor authentication adds a step. Yes, it can feel like friction. But that friction is exactly what stands between your accounts and someone who wants access to them.

Backups Are Only Useful If You Have Tested Them

Many law firms and accounting professionals assume their data is backed up, but have never actually tested whether the backup works or what it contains. We have heard the horror story more than once: a firm loses historical data and discovers too late that the backup they thought was running had never actually captured what they needed.

If you are using QuickBooks Online, understand that a cloud backup is not the same as a full system backup. Know what is being captured and verify it periodically. If your firm uses any desktop software, make sure you have a tested, redundant backup system in place and that more than one person knows how to access it.

If a computer is lost or stolen, can you wipe it remotely? Do you have that capability set up in advance, before something goes wrong? These are the kinds of questions worth asking now rather than after an incident.

The Five Areas to Think About

A useful framework for thinking about cybersecurity for your firm covers five areas: change, continuity, cost, compliance, and coverage.

Change means staying current. Threats evolve quickly and the tools and practices that protected you two years ago may not be sufficient today.

Continuity means having a plan for what happens if something goes wrong. Can your firm continue to operate? Can you access what you need?

Cost is a real consideration, but the cost of a breach, both financially and reputationally, almost always exceeds the cost of prevention.

Compliance means understanding and meeting your obligations under applicable regulations, including any state bar rules that touch on client data security and how you handle client funds.

Coverage means cybersecurity insurance. It exists, it is worth looking into, and it is something many firms have not considered. Some policies will even cover ransomware payments, which is worth knowing about even if you hope you never need it.

What We Ask of Our Clients

We invest significantly in the security of our own systems so that your financial data is protected on our end. We use secure client portals for document exchange, we have protocols in place for access management, and we take seriously the responsibility of handling your financial information.

What we ask in return is that you meet us where it is safe. Use the secure portal we set up for you. Do not send sensitive documents over regular email. Do not share login credentials over text. When we ask you to communicate or share documents through a specific channel, there is a reason for it.

The attorneys and firms that take these requests seriously are the ones who are best protected. And in a profession where your reputation and your license are your most valuable assets, that protection is worth taking seriously.

A Final Note

Cybersecurity is not a problem you solve once and move on from. It is an ongoing practice that requires regular attention, updated tools, and consistent habits. If you are unsure where your firm stands, consider bringing in a cybersecurity consultant to assess your setup and train your staff. Many firms are surprised by what an outside assessment reveals.

And if you are ever unsure whether an email, a payment request, or a phone call is legitimate, the answer is always to verify through a separate channel before taking any action. A moment of caution is a small price to pay for the peace of mind that comes with knowing your firm, your clients, and your finances are protected.

If you have questions about how we handle data security at The Proper Trust or how we can help your firm put better financial controls in place, we would love to talk. Visit us at thepropertrust.com to learn more or schedule a consultation.
