Tag Archives: pdfs

The Hidden, but Fixable Danger with PDFs

Imagine this hypo: You’re working on a transaction for a client, and the lending institution needs to send money to your trust account on your client’s behalf.  

— Stay with me — this is not going where you think —  

The lender sends you a fillable PDF form where you’re supposed to provide your wiring information (routing number, account number, etc). You open the document, type all of the information in the fields as required, and email it to the lender.  Obviously there’s the danger of someone intercepting these types of messages so a host of precautionary measures have been put into place and you comply with each.  Let’s say that such precautions even include that the lending representatives call you after receiving the document and read back the wiring instructions to ensure that everything’s kosher.  Despite all of these efforts, you were still scammed — the money never made it to your trust account and no one knows why.  Here’s how it happened: 

Remember that I said the document was a “fillable” PDF? You opened the PDF on your computer, typed in the required information in the fields, then sent the file as a “document” to the lender.  Well, when you sent the document that way, you left all of those “fillable” sections as, well…”fillable.”  Those fields could still be changed by someone because you didn’t lock the document.  

So here’s what happened in the hypo above: after making the call to you and confirming the account information, someone in the bank opened the file, changed that account number/routing number and diverted the money into some other account.  They were able to do that because the document you filled out was a “fillable” PDF and you simply emailed it as a document to the other party.  By emailing it as a “document” the information in the fields could still be changed.  So even after all of the protocols at the lending institution were adhered to, there was still an opportunity for someone with access to the document to change the numbers on the PDF.

The good news? There is a way to avoid this.   

Instead of sending the form as a “document” you should have “flattened” the document. Flattening a document basically locks all of those fillable sections. There are a few ways you could do that.  First, if you get a drop down menu when you try to send the file you might have the option to mail the attachment as a “flattened” document. Another alternative is to save the document as flattened before you email it (you may have to “Print” the document to a PDF then save a “flattened” version of the form). Disclaimer: I’m no tech expert— my job is to point out the dangers, but I don’t claim to be an expert on how to fix them.  I think the procedures I outlined above are correct, but talk to your IT people to ensure that I’m right in that regard.  

Obviously this goes beyond just bank account information.  People can modify any fields in a fillable PDF if the document isn’t locked before transmitting.  That’s why every time you send a fillable PDF you need to flatten it or otherwise lock it to ensure that no one else can change it’s contents after emailing.  

This sort of knowledge is the type of thing that our ethics rules demand. Specifically, it’s about competence.  Rule 1.1 requires that lawyers have the, “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The commentary to that rule explains that, “Competent handling of a particular matter includes…[the] use of methods and procedures meeting the standards of competent practitioners. Rule 1.1, Comment [5]. In addition, the new California Rule on Competence requires that lawyers apply the learning and skill that is reasonably necessary for the performance of the legal service. CA RPC 1.1(b) 

Is understanding the dangers of fillable PDFs considered to be part of the “methods and procedures,” or part of the skill that is “reasonably necessary for performance” of the legal services?  It is now. Maybe it wasn’t last year, but it is today. That’s because our duty of competence evolves. We are required to understand the ethical implications of technology as these new technologies become integrated with the practice. See, State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2015-193. I don’t think there’s any question that PDFs are integrated with the practice of law. Of course, if my opinion doesn’t convince you, also consider that the issue of fillable PDFs was recently part of a best practices update that was sent to attorneys who work for the federal government.  And you know what I always say about the government…if they’re thinking about it, you need to be thinking about it.  

Share