Client portal / e-signature account takeover
Stolen client credentials on the firm portal or DocuSign. The attacker may now be the client, for purposes of redirecting a disbursement.
Stolen client credentials on the firm portal or an e-signature platform (DocuSign-class). The attacker views or alters documents, or impersonates the client to redirect a disbursement.
The first hour
What to do, in order.
- 01
Lock the affected portal accounts; force MFA re-enrollment.
- 02
Audit recent document views, downloads, and signature events on the affected accounts.
- 03
Call the client on a known number to verify recent requests — especially any payment or wire change.
- 04
Hold any disbursement, refund, or instruction received through the portal in the last 30 days pending verification.
Key decisions
The questions you'll be asked.
- Was a disbursement made on the attacker's instruction?
- Go to the trust-account wire-fraud playbook immediately. Recall windows close fast.
Regulatory & ethical hooks
What the rules say.
- ABA Model Rule 1.6(c)
- State data-breach notification laws
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.