‘The Friday Afternoon Fraud’. Insurers refer to it as a ‘social media fraud’ because cybercriminals lurk on social media looking for information that can be used in a hack.
With all the massive data breaches, these cases are on the rise. Law firms’ and clients’ e-mail systems are being hacked at an ever-increasing rate. Once the cybercriminal has hacked the e-mail system, they can monitor, in the background, the e-mails being sent and received. Cybercriminals wait for the right moment to strike.
Say you are doing a closing on a real estate venture. The funds should be transferred right after closing. Because the cybercriminal has hacked an individual’s e-mail system, the criminal can modify the e-mails in it. They alter the client’s e-mails to the attorney, or vice versa, changing the bank details so that the funds go to the criminal. The attorney and clients are now victims of ‘Social Media Fraud’ or the previously blogged ‘Friday Afternoon Fraud’.
According to some insurers, over 75% of the cybercrimes reported were from ‘The Friday Afternoon Fraud’. Such e-mail scams often take place on a Friday, as this is the time when many deals are finalized and the transfer of funds often takes place. This buys criminals additional time to avoid detection. A quarter of law firms have been targeted by cybercriminals, with nearly one in ten resulting in money being stolen.
Not all Attorney Malpractice or Title Agent E&O policies cover this exposure. Some do and some don’t. Insurers are contemplating having to increase rates and/or tighten coverage because of the frequency and severity of these claims.
How to detect the Friday Afternoon Fraud or similar e-mail modification scams:
Law Firms and Title Agencies that hold large sums of client money are most at risk. Even for those who do not hold large amounts of client money, it is worth considering this risk. Many phishing efforts also seek to redirect funds. The following steps, which help against Friday Afternoon Fraud, will also work against other scams.
Basic Steps:
1. Confirm client and third-party payment details, for example by sending $1.00 to the account details provided and confirming receipt with a prearranged contact person at a prearranged phone number.
2. Provide information to clients confirming that they will never be asked by you to send money to a different account than the one originally given.
3. Be suspicious of requests to change payment details, in particular those sent by e-mail with high urgency, and confirm them with the client on a known telephone number.
4. Confirm that money sent using details provided by a third-party lawyer is genuinely going to the intended party.
5. Follow the ABA recommendation on encrypting e-mails.
These are not the only steps that can be taken, but they are a good start. It is worth noting that most cybercrimes start with attacking individuals and not systems. Ongoing training of staff is essential.
If your firm conveys funds, make sure that your malpractice insurance policy covers this exposure. If not, a properly endorsed cyber or crime policy is needed.