I just received a letter from a solo attorney in a rural part of Virginia thanking me for basically scaring the bejesus out of him. Seems he had been attending a number of my cyber security CLE programs over the years. He went on to say that while he had been frightened by what he had heard during these programs, he also thought that as a rural solo attorney none of it really applied to him. He just couldn’t imagine that anyone would target a guy like him and that was where things stood until about two weeks ago when he was nearly scammed out of serious money.
If you aren’t already aware, attorneys are increasingly being targeted by scammers hoping to get away with wire fraud. Here’s just one example of how it can play. An attorney represents a seller in a real estate transaction. Unbeknownst to anyone involved, someone has hacked into and been monitoring the seller’s email for a period of time. Once aware that a transaction is about to take place, the hacker uses a spoofed email address of the seller to send new wiring instructions to the attorney in order to have the funds sent to an account the hacker has access to. Attorney fails to catch the altered email address and ends up wiring the proceeds to the wrong bank. So not good.
As an aside, some may wonder what a spoofed email might look like. Although there are a number of ways to spoof email, it can be as simple as this. If an actual email address is Lawfirm@aol.com, a spoofed address might be Lawfirm@aoi.com. If the actual email happens to be Mark.Bassingthwaighte@RECompany.net a spoofed address might read Mark.Bassingthwaite@RECompany.net. Given the busy days we all have; would you catch a subtle change in an email address like the two examples above? Many would not.
If this isn’t enough to worry about, there’s more. In a recent situation in Virginia a plaintiff attorney’s email account was similarly hacked. The hacker sent a spoofed email to this attorney’s client. Fortunately, the client questioned the legitimacy of the email, contacted the lawyer who confirmed the email was a fake and the email was deleted. Unfortunately, the plaintiff attorney failed to notify defense counsel that his email account had been hacked. The hacker switched tactics and used a spoofed email to persuade the defense lawyers to wire settlement proceeds to an overseas account. Long story short, a U.S. District Judge basically held the plaintiff’s lawyer responsible for the loss due to the lawyer’s failure to warn.
Worse yet, in 2015 the FBI reported that in the U.S. alone over $179 million had been stolen in attacks of this type over a 14-month period and it has only gotten worse since. Now that I have your attention, the real issue is what in the world can you do to try not become a victim of such attacks? Short of never being responsible for transferring funds of any kind, I’m not aware of any steps that can be taken to make you safe 100% of the time. However, the good news is you can get close.
First, and I know you’ve heard this before, security basics always play a role. You must avoid the use of free web-based email. If you don’t already have a firm website domain, get one and use it to establish your own firm email accounts. Always delete unsolicited email from unknown parties. Never open spam or any attachments contained therein. Keep your firewall, operating system and security software current; avoid using unsecured Wi-Fi; and use unique strong passwords (a combination of letters, numbers and symbols) on all accounts and devices. Limit what you post on firm websites and other social media accounts such as information about staff roles and responsibilities and out of office information. Hackers can use this kind of information to determine who to target and when. Most importantly and wherever able, use multi-factor authentication on all email and financial accounts.
Second, establish a policy on wire transfers and couple that with appropriate training all staff who may at some point be involved in a wire transfer. Initially, the policy should mandate the gathering and verification of contact information from all parties involved at the outset of representation and prohibit the use of any other non-verified contact information during the course of representation. With that in hand, the most important provision of any such policy would be the implementation of a process whereby all wiring instructions are confirmed by use of this previously verified contact information. For example, if wiring instructions initially come via email, use a previously verified number to place a call to the relevant party to confirm the accuracy of the information received. An additional relevant provision might be that all last minute changes requesting that finds be transferred by a different method or to a different account should be treated as suspect. The request should never be followed until verified by contacting the person purportedly making the request through the use of previously verified contact information. If email security is a concern, another provision might be to require the use of faxes for the exchange of wiring instructions or, better yet, the use of encrypted email or a secure client portal. The absolute best option might be a provision that requires wiring instructions be delivered in person, for example, by the seller at a closing.
Finally, all staff should be trained to be suspicious and learn how to spot these kinds of scams. This isn’t optional because staff have been the target to many times. Underscore the necessity of remaining vigilant at all times. Training examples that address how these attacks look today might include the following. Look for inconsistencies with email such as various email addresses in use and different spellings of a name. Always carefully check the address of relevant email coming in to make sure it exactly matches the previously verified address in your file. Always question requests for money to be sent to an account that is not in the name of the seller or not in the jurisdiction where the seller is. Everyone should be suspicious of requests to wire money when you, as the attorney, are personally out of the office or of requests that are urgent in nature. And last but not least, remind everyone that just because the grammar and spelling looks great, that doesn’t mean the email is legit. Scammers have spell check too and many of these scammers draft very well written email.
All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.