If You Are Online, Someone Is Watching

How to Protect Your Practice from Fraud by Social Engineering

To Missouri attorneys, a spate of email-based scams targeting lawyers sounds like déjà vu.  Many recall the recent stories of attorneys bilked out of hundreds of thousands of dollars by overseas scammers who requested representation in collecting a substantial debt, then pocketed the proceeds by providing their own settlement checks and cancelling them once the attorney had already paid out against them.  Scammed attorneys were left holding the bag and also faced possible ethics violations relating to their trust accounts.

This type of fraudulent scheme is one example of the social engineering practiced by international hackers.  Social engineering relies not only on the hacker's ability to get at your secure information, but also on your own action or inaction: the fraud succeeds only when someone is persuaded to move money or accept a change in instructions.  Unsurprisingly, as attorneys have become hip to the settlement check scam, hackers have evolved, bringing opposing counsel and even clients in on the action.

The new scam looks something like this: You have reached a settlement of $63,000 for your client’s claims.  You and defense counsel agree that the sum will be paid by check mailed to the client.  After working out these terms, but before defense counsel has issued or mailed the check, your client starts hounding the defendants for quicker payment and even threatens to back out of the settlement if it does not happen.

Then, prior to issuing the check, defense counsel receives an email from your email account with instructions to wire transfer the funds to an off-shore account.  The email appears genuine for a number of reasons, but, unfortunately, it is not.  Relying on the email, defense counsel wires the money to the account described in it.  Subsequently, it is discovered that your email account has been hacked, the email directing the wire transfer is bogus, and the money has already been moved out of the receiving account by the thieves.

In a nutshell, that is what occurred in Bile v. RREMC, LLC, 2016 WL 4487864 (E.D. Va. Aug. 24, 2016), where the parties, in dueling Motions to Enforce the Settlement, essentially asked the court to determine which attorney in the case should be held responsible and, therefore, bear the loss.  The attorneys in Bile are not alone, as The Bar Plan has spoken with other attorneys around the country affected by similar schemes.

This time around, the scammers have figured out a way to make you think these instructions are coming from a trusted, well-known source.  In Bile, this was accomplished by actually hacking into the law firm's server, but sometimes it is done by mimicking a party's or attorney's email address in a way that would likely not be noticed by an untrained eye (e.g., substituting a capital I for a lowercase l, which look identical in many fonts, or adding one extra letter to a name or domain).
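Lookalike addresses of the kind described above can be screened for mechanically. The following is an added example, not code from the article or from The Bar Plan: it compares an incoming sender address against a firm's known-contact list, first for an exact match, then for a "visual skeleton" match in which confusable characters (capital I and lowercase l, the digit 1, "rn" for "m", and so on) are collapsed, and finally for a one-character difference. The contact list, sample senders, and the confusable-character table are constructed for illustration and are not exhaustive.

```python
"""Flag sender addresses that merely look like a known contact.

Added example (not from the article).  The contacts and sample senders
below are constructed for illustration.
"""
from __future__ import annotations

# Visually confusable characters collapsed to one representative.
# Applied after lowercasing, so a capital I becomes i and then l.
# Assumption: this table is illustrative, not a complete homoglyph list.
_SKELETON = str.maketrans({
    "i": "l", "1": "l", "|": "l",
    "0": "o",
    "5": "s",
    "3": "e",
})


def skeleton(address: str) -> str:
    """Return the 'what it looks like at a glance' form of an address."""
    s = address.strip().lower().translate(_SKELETON)
    return s.replace("rn", "m")          # 'rn' reads as 'm' in many fonts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, contacts: list[str],
                    max_distance: int = 1) -> tuple[str, str | None]:
    """Return (verdict, matched_contact).

    verdict is one of:
      'known'     - exact, case-insensitive match with a contact
      'lookalike' - not a contact, but resembles one: same skeleton, or
                    within max_distance edits of a contact's skeleton
      'unknown'   - no resemblance to any contact
    """
    addr = address.strip().lower()
    for c in contacts:
        if addr == c.strip().lower():
            return "known", c
    sk = skeleton(address)
    for c in contacts:
        if sk == skeleton(c) or edit_distance(sk, skeleton(c)) <= max_distance:
            return "lookalike", c
    return "unknown", None


# Constructed contact list for the example.
CONTACTS = [
    "jsmith@example-law.com",
    "lclark@example-law.com",
    "defense@opposing-firm.com",
]

# Constructed incoming senders, as a mail filter might see them.
SAMPLE_SENDERS = [
    "JSmith@Example-Law.com",      # legitimate; only case differs
    "Iclark@example-law.com",      # capital I in place of lowercase l
    "jsmitth@example-law.com",     # one extra letter
    "defense@opposing-firrn.com",  # 'rn' in place of 'm'
    "counsel@random-firm.net",     # a stranger, not a lookalike
]


def screen(senders: list[str], contacts: list[str]) -> dict[str, tuple[str, str | None]]:
    """Classify every sender; 'lookalike' verdicts are the ones to escalate."""
    return {s: classify_sender(s, contacts) for s in senders}


if __name__ == "__main__":
    for sender, (verdict, match) in screen(SAMPLE_SENDERS, CONTACTS).items():
        print(f"{verdict:9} {sender:30} {'resembles ' + match if match else ''}")
```

A "known" verdict only means the address string matches; it does not prove the message is genuine, since a From address can be forged outright and, as in Bile, the real account may have been compromised. The screen is a way to catch the cheap imitations; the phone call before changing any payment instruction is still required for every message.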

In order to avoid becoming the victim of this type of social engineering, attorneys must become attuned to the red flags that signal a potential scam.  In Bile, plaintiff's counsel already knew that an attempt had been made to divert the settlement funds by hacking his client's account.  When a red flag of that kind appears, all parties should be notified immediately.  Other red flags that might indicate a bogus email include:

  • Grammatical errors or broken English
  • A heightened sense of urgency from either the client or the opposing party to receive the payment
  • A client or opposing party who claims to be desperate to meet a deadline, such as a medical emergency or a property closing, preying on your sympathies

For scams such as the one in Bile, where wire transfer instructions are changed at the last minute, it is also important to adopt a policy within your firm that you will never accept a change to payment instructions via email, whether from your client or from another attorney, without first picking up the phone and confirming the change with the sender at a number you already have on file, never a number supplied in the email itself.  Make this policy known to all parties and attorneys up front to avoid problems down the road.

It is also essential, as hackers become more and more tech savvy, to have a real relationship with trusted Information Technology professionals who have the resources to immediately address these types of security breaches.

As our technology progresses and we get more “plugged in” through various social media and networking platforms, the potential to be hacked by an enterprising criminal likewise grows.  It is unreasonable to expect attorneys to log off completely, but remembering these tips and putting them into practice can go a long way to preventing or mitigating the damage of scams.  We all need to come to terms with the reality that, if you are online, someone is watching.

If you have questions about your firm’s risks, please contact our Risk Managers at 1-800-843-2277 x171 or email us at info@thebarplan.com.