QUESTION: I’ve been hearing more about AI technologies like voice cloning and deepfakes being used for nefarious purposes. How can lawyers safeguard privileged client information from being compromised by these AI exploits? Is there a specific training you can recommend for my office? I’m concerned this could be a major threat.

ANSWER: You raise an excellent point about the risks AI technologies like voice cloning and deepfakes pose. Rapid advances in these areas have been met with equally advanced techniques used by bad actors to impersonate family members, neighbors, celebrities and politicians to influence others, gain access to privileged information, or fraudulently misdirect funds, among other things. These scams also threaten the attorney-client relationship.
Table of contents
Voice cloning uses machine learning to reproduce someone’s voice patterns with disturbing realism. Deepfakes utilize similar AI to manipulate video by swapping faces or creating highly convincing impersonations. For example, OpenAI can imitate a voice using only a 15-second sample.
Imagine receiving a call that sounds exactly like a client urgently requesting you wire a large sum to a particular account. Or a deepfake video surfaces of you strategizing, exposing privileged information. The implications range from financial theft to violations of attorney-client privilege.
While still an emerging threat, these AI impersonations are becoming more accessible. In early 2024, criminals created a deepfake video likeness of a Hong Kong company’s CFO and other employees. The video appeared during a conference call asking an employee to transfer over $25 million to the scammers.
As I’ve written, law firms are the least guarded path to the most sensitive data. They all too often lack the cybersecurity protocols or training to support them. As such, lawyers will likely be targeted in similar schemes as the technology proliferates.
The Battle Against Voice Cloning and Deepfake Scams
Establish Code Words
How can legal professionals safeguard against such deceptions? One low-tech but highly effective solution is establishing unique code words attorneys and clients can use to verify their identity in communication. When an attorney asks a client for a code word during unsecure audio or video communication, they can better safeguard against sharing sensitive financial or confidential information with someone who is not the client. Likewise, clients can rest assured they are speaking to their attorney or staff once they’ve confirmed the code word.
For example, set the code “Purple Elephant” with client X. Any time you call them or they call your office, ask them for the code word before going any further. If they fail to provide it, terminate the interaction. If they insist it is them or claim they forgot the code word, require them to reset it in person.
Of course, proper protocols are key. For example, frequently update code words if your representation is lengthy, use different code words across clients and matter types, never say a code word out loud that could be overheard, and consider making code verification a mandatory firm policy for financial or strategic communication.
While I haven’t seen code word verification inputs built directly into legal practice management platforms (such as Clio, MyCase or Smokeball), I’m optimistic that the legal profession will soon have tools that allow for this two-way authentication. This includes those built into client portals for either party — client-side or law firm-side — to confirm the genuineness of the party corresponding with them.
Build Client Trust
While establishing code words may be a minor inconvenience, it is well worth your time. It can also help build clients’ trust in an era when voice cloning and deepfakes are only growing.
Introduce the process to your clients upfront and explain why it is important. Be sure your clients and your staff are trained. Most clients will appreciate your proactive commitment to protecting the confidentiality of their sensitive information.
By embracing this old-fashioned security technique, you safeguard your clients and your firm against becoming an unsuspecting victim of AI’s dark side. In an era of deepfakes and digital deception, something as simple as a shared code may be your strongest shield.
Tips for Detecting Fraudulent Communication
Here are some things lawyers should be aware of when vetting communication for fraudulent activity or scams. It’s beneficial to train your clients and team on what to look out for too.
Telltale Signs of Fraudulent Communication
- Unsolicited contact from an unknown party.
- When onboarding a new client, specify who they can expect to hear from at your firm during their representation and the methods of communication they should expect to use (preferably through a client portal). Also, confirm which methods of communication they should not expect you to use (e.g., social media direct messaging).
 
- Urgent demands for immediate action, leaving insufficient time for contemplation.
- Requests for monetary transfers via difficult-to-trace methods such as wire transfers, gift cards, payment applications or cryptocurrencies.
- Solicitation of personal or confidential information.
- Instructions to maintain secrecy regarding the communication.
Detecting Deepfake Videos
Concerning deepfake videos specifically, lawyers should watch for abnormalities in the video, including whether:
- There are unnaturally jerky body movements, inconsistent lighting or skin tones, an absence of blinking, and irregular shadowing around the eyes.
- Behavior is atypical of the depicted individual, such as soliciting funds or personal data.
- Speech uses unusual phrasing, stilted patterns and disjointed sentences.
How to Respond
When confronted with potentially fraudulent voice or video communications, proper responses include:
- Ask questions only the purported party could answer.
- Express skepticism and terminate the communication. Then, contact the purported party through known and trusted channels to verify the request.
Suspected scams may be reported online to the Federal Trade Commission. While the FTC will not resolve your individual report, it will use it to investigate and bring cases against other frauds, scams and bad business practices.
About the Illinois Supreme Court Commission on Professionalism
The Illinois Supreme Court established the Commission on Professionalism under Supreme Court Rule 799 to promote integrity, professionalism, and civility among the lawyers and judges of Illinois, to foster a commitment to the elimination of bias and divisiveness within the legal and judicial systems, and to ensure those systems provide equitable, effective, and efficient resolution of problems for the people of Illinois. The Commission achieves this mission through professional responsibility CLE, lawyer-to-lawyer mentoring, legal professionalism programming, educational resources, and more. To learn more, visit 2Civility.org and follow us on social media.
Illustration ©iStockPhoto.com

 
						 
                 
                          
 
                




 
                     
                     
                     
                    
