
How To Minimize The Risk Of Becoming A Victim Of Wire Fraud


Updated 07/2023

Lawyers remain a high-profile target for scammers hoping to get away with wire fraud and the attack vectors they are using continue to evolve. Here’s just one example of how these scams typically work today. A lawyer represents a seller in a real estate transaction. Unbeknownst to anyone involved, someone has hacked into and been monitoring the seller’s email for a period of time. Once aware that a transaction is about to take place, the hacker uses a spoofed email address of the seller to send new wiring instructions to the lawyer in order to have the funds sent to an account the hacker has access to. The lawyer fails to catch the altered email address and ends up wiring the proceeds to the wrong bank. So not good.

As an aside, some may wonder what a spoofed email might look like. Although there are a number of ways to spoof email, it can be as simple as this. If an actual email address is Lawfirm@aol.com, a spoofed address might be Lawfirm@aoi.com. If an actual email happens to be Mark.Bassingthwaighte@RECompany.net, a spoofed address might read Mark.Bassingthwaite@RECompany.net. Given the busy days we all have, would you catch a subtle change in an email address like the two examples above? Many would not. Also, be aware that in situations like the above example, the person whose email account has been breached varies: sometimes it’s a lawyer’s account, sometimes it’s the seller’s, and often it’s the realtor’s.

Regardless, all lawyers need to understand that hackers don’t act immediately. Oftentimes hackers will monitor breached email accounts for at least several weeks, and sometimes for months, in order to understand the business practices that are in play and to wait for an opportunity to redirect a significant wire. And just as important, lawyers need to know that these scams are not directed solely at those who practice in the real estate space. Scammers know that lawyers in a variety of practice areas move money and thus view all lawyers as potentially lucrative targets.

The more common wire fraud attack vectors scammers are currently using include bogus invoices, altered documents to include e-faxes, email spoofing, false impersonation, and the oldie but goodie counterfeit check scam that continues to trip up far too many, which begs the question of what can be done to avoid becoming the next victim. Short of never being responsible for transferring funds of any kind, there aren’t any steps that can be taken to make you safe 100% of the time. However, the good news is you can get close.

First, security basics will always play a significant role. Of particular importance here are the following. Never open any attachments or click on any links in email if the email comes from someone you don’t know or is unexpected. Make a habit of checking to make sure inbound email addresses are legitimate. Periodically review sent and deleted email for suspicious activity. With cloud-based email accounts, periodically check account rules to make sure no unauthorized rules have been established, for example, an automatic forward rule to an unknown account. Use unique strong passwords (a combination of letters, numbers, and symbols) on all email accounts. Beware of SMS/text messages notifying you that your password has been reset without your knowledge. Enable two-factor authentication if available on all email and all financial accounts. Keep your firewall, operating system, and security software current and avoid using unsecured Wi-Fi. Limit what you post on firm websites and other social media accounts, such as information about staff roles and responsibilities and out of office information, because hackers can use this kind of information to determine who to target and when.

Second, establish a policy on wire transfers and couple that with appropriate training of anyone at your firm who may at some point be involved in a wire transfer, to include all attorneys.  Initially, the policy should mandate the gathering and verification of contact information from all parties involved at the outset of representation and prohibit the use of any other non-verified contact information during the course of representation.

With that in hand, the most important provision of any such policy would be the implementation of a process whereby all wiring instructions are confirmed by use of this previously verified contact information by way of an out-of-band communication channel. For example, if wiring instructions initially come via email or eFax, use a previously verified cell number to place a call to the relevant party to confirm the accuracy of the information received. 

An additional relevant provision might be that all last-minute changes requesting that funds be transferred by a different method or to a different account should be treated as suspect. The request should never be followed until verified by contacting the person purportedly making the request through the use of previously verified contact information. If email security is a concern, another provision might be to require the use of faxes for the exchange of wiring instructions or, better yet, the use of encrypted email or a secure client portal.  The absolute best option might be a provision that requires wiring instructions be delivered in person, for example, by the seller at a closing.

Finally, everyone in the firm should be trained to be suspicious and learn how to spot these kinds of scams. Underscore the necessity of remaining vigilant at all times. Training examples that address how these attacks look today might include the following. Look for inconsistencies with email such as various email addresses in use, different spellings of a name, and be suspicious of any email that comes from a free service such as Gmail or Yahoo. Always carefully check the address of relevant email coming in to make sure it exactly matches the previously verified address in your file. Always question requests for money to be sent to an account that is not in the name of the seller or not in the jurisdiction where the seller is. Be suspicious of requests to wire money when key personnel, such as the attorney in a solo practice, is out of the office or requests that are urgent in nature. And last but not least, remind everyone that just because the grammar and spelling look great, that doesn’t mean the email is legit. Scammers have learned to draft professionally written email.
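The exact-match check described above can be automated. The following is an added example, not part of the original article: it compares an inbound sender address against a file of previously verified addresses and flags near-misses such as the two spoofed addresses shown earlier. The contact list, function names, and the distance threshold of 2 are assumptions made for illustration.

```python
# Added example: classify an inbound sender against previously verified contacts.
# VERIFIED is a constructed contact file built from the article's sample addresses.
VERIFIED = {
    "lawfirm@aol.com",
    "mark.bassingthwaighte@recompany.net",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete a character from a
                cur[j - 1] + 1,            # insert a character into a
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def normalize(addr: str) -> str:
    """Trim whitespace and lowercase so case differences do not hide a match."""
    return addr.strip().lower()


def classify_sender(addr: str, verified=VERIFIED, max_distance: int = 2):
    """Return (verdict, closest verified address or None).

    verdict is "verified" on an exact match, "lookalike" when the address is
    within max_distance edits of a verified one (assumed threshold), and
    "unknown" otherwise.
    """
    sender = normalize(addr)
    known = {normalize(v) for v in verified}
    if sender in known:
        return ("verified", sender)
    if not known:
        return ("unknown", None)
    closest = min(known, key=lambda v: edit_distance(sender, v))
    if edit_distance(sender, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("Lawfirm@aoi.com", "Mark.Bassingthwaite@RECompany.net",
                   "Mark.Bassingthwaighte@RECompany.net", "closing@example.org"):
        print(sample, "->", classify_sender(sample))
```

A "verified" verdict only means the address string matches the file; because the account itself may be breached, wiring instructions still need the out-of-band confirmation described above.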


Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.
