A Cyber-Criminal need not break into a law firm’s email system to make the law firm the next data-breach victim. Any time funds change hands electronically there are multiple parties to the transaction. Cyber security is only as strong as the weakest link. Unfortunately, people are the weakest link and while a law firm’s procedures may be top notch, their clients, financial institutions, other law firms or other 3rd parties may have been breached and not know it.
Cyber-Criminals target attorneys using forged emails from other law firms, their clients and/or to financial institutions. Forged emails may change routing information and thus have funds wired to Cyber-Criminal accounts. Cyber-Criminals monitor compromised email accounts (which can be an attorney’s, the client’s or even the bank’s) covering pending transactions that require an outlay of funds, i.e., a real estate purchase, a loan, or the lawsuit settlement. The Cyber-Criminal determines the appropriate time when the parties are expecting a request for funds and the criminal often knows the exact amount being transferred sends wire instructions to the party holding the funds instructing the funds be sent to the Cyber-Criminal’s account. Funds are immediately swept from the account, and the criminal disappears. The emails may originate from an address appearing to be the legitimate sender using a similar, but slightly altered domain name. Sometimes the criminal requests a change to previous wire transfer instructions after a request is made (such as requiring a change in account numbers), or suddenly requiring funds to be transferred by wire when the original agreement was to pay by check.
Avoid being victimized by being cautious before wiring money for transactions. Lookout for email inconsistencies such as email addresses used and different name spellings. Be wary when a party suddenly changes their normal procedures, including instructions to wire money to a different account, using a personal email address as opposed to their usual work email, or contacting a different person at the company. All of these are red flags to potential fraud. To confirm a proposed change first call at a ‘known’ recipient number verifying the accuracy and legitimacy before transferring any funds. Attorneys should instruct their clients and others that email instructions regarding any wire transfer should always be confirmed by phone.
Remember that while the UCC protects the sender of a stolen check with a forged endorsement, there is no such protection for funds wired to the wrong account.
Law firms should consider obtaining a properly endorsed cyber or crime insurance policy to protect their assets.
CLICK HERE TO GET A CYBER QUOTE
Lee Norcross, MBA, CPCU, CPIA
Managing Director, CEO
(616) 940-1101 Ext. 7080