Winter 2017 SBAND Gavel | Page 12

How to Minimize the Risk of Becoming a Victim of Wire Fraud

By Mark Bassingthwaighte
If you aren’t already aware, attorneys are increasingly being targeted by scammers hoping to get away with wire fraud. Here’s just one example of how it can play out. An attorney represents a seller in a real estate transaction. Unbeknownst to anyone involved, someone has hacked into and been monitoring the seller’s email for a period of time. Once aware that a transaction is about to take place, the hacker uses a spoofed email address of the seller to send new wiring instructions to the attorney in order to have the funds sent to an account the hacker can access. The attorney fails to catch the altered email address and ends up wiring the proceeds to the wrong bank. So not good.
As an aside, some may wonder what a spoofed email might look like. Although there are a number of ways to spoof email, it can be as simple as this. If an actual email address is Lawfirm@aol.com, a spoofed address might be Lawfirm@aoi.com. If the actual email happens to be Mark.Bassingthwaighte@RECompany.net, a spoofed address might read Mark.Bassingthwaite@RECompany.net. Given the busy days we all have, would you catch a subtle change in an email address like the two examples above? Many would not.
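A change of this kind can be caught mechanically by comparing each sender against the contact list verified at the outset of representation. The Python code below is an added example, not part of the original article; the function names, the two-edit threshold, and the `titleco.example` address are assumptions made for illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(addr: str) -> str:
    """Trim whitespace and lowercase so case differences do not hide a match."""
    return addr.strip().lower()


def classify_sender(sender, verified, max_distance=2):
    """Return (verdict, matched_contact).

    'verified'  : sender equals a verified address
    'lookalike' : sender is within max_distance edits of a verified address
    'unknown'   : sender resembles nothing on the verified list
    """
    s = normalize(sender)
    best = None
    for contact in verified:
        c = normalize(contact)
        if s == c:
            return ("verified", contact)
        d = edit_distance(s, c)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


# The article's two genuine addresses, standing in for the verified contact list.
VERIFIED = ["Lawfirm@aol.com", "Mark.Bassingthwaighte@RECompany.net"]

if __name__ == "__main__":
    # The article's two spoofed addresses, one genuine one, one constructed stranger.
    for sender in ["Lawfirm@aoi.com", "Mark.Bassingthwaite@RECompany.net",
                   "Lawfirm@aol.com", "closing@titleco.example"]:
        print(sender, "->", classify_sender(sender, VERIFIED))
```

A "verified" verdict only means the address is the known one; because the account itself may have been hacked, wiring instructions still need confirmation by a call to a previously verified number.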
If this isn’t enough to worry about, there’s more. In a recent situation in Virginia, a plaintiff attorney’s email account was similarly hacked. The hacker sent a spoofed email to this attorney’s client. Fortunately, the client questioned the legitimacy of the email, contacted the lawyer who confirmed the email was a fake, and the email was deleted. Unfortunately, the plaintiff attorney failed to notify defense counsel that his email account had been hacked. The hacker switched tactics and used a spoofed email to persuade the defense lawyers to wire settlement proceeds to an overseas account. Long story short, a U.S. District Judge basically held the plaintiff’s lawyer responsible for the loss due to the lawyer’s failure to warn.
Worse yet, the FBI reported that, in the first three months of 2016 in the United States alone, more than $209 million had been stolen in attacks of this type, and the frequency of these attacks continues to rise. Now that I have your attention, the real issue is what in the world can you do to try not to become a victim of such attacks? As the title of this post suggests, short of never being responsible for transferring funds of any kind, I’m not aware of any steps that can be taken to make sure you are safe 100 percent of the time. However, the good news is you can get close.
First, and I know you’ve heard this before, security basics always play a role. You must avoid the use of free web-based email. If you don’t already have a firm website domain, get one and use it to establish your own firm email accounts. Always delete unsolicited email from unknown parties. Never open this spam nor any attachments they may contain. Keep your firewall, operating system, and security software current; avoid using unsecured Wi-Fi; and use unique strong passwords (a combination of letters, numbers, and symbols) on all accounts and devices. Limit what you post on firm websites and other social media accounts, such as information about staff roles and responsibilities and out of office information. Hackers can use this kind of information to determine who to target and when. Most importantly and wherever able, use multi-factor authentication on all email and financial accounts.

ALPS Risk Manager Mark Bassingthwaighte, Esq., has conducted over 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management and technology. Check out Mark’s recent seminars to assist you with your solo practice by visiting our on-demand CLE library at alps.inreachce.com. Mark can be contacted at: mbass@alpsnet.com.

Second, establish a policy on wire transfers and couple that with appropriate training of anyone at your firm who may at some point be involved in a wire transfer, to include all attorneys. Initially, the policy should mandate the gathering and verification of contact information from all parties involved at the outset of representation and prohibit the use of any other non-verified contact information during the course of representation. With that in hand, the most important provision of any such policy would be the implementation of a process whereby all wiring instructions are confirmed by use of this previously verified contact information. For example, if wiring instructions initially come via email, use a previously verified number to place a call to the relevant party to confirm the accuracy of the information received. An additional relevant provision might be that all last-minute changes requesting that funds be transferred by a different method or to a different account should be treated as suspect. The request should never be followed until verified by contacting the person purportedly making the request through the use of previously verified contact information. If email security is a concern, another provision might be to require the use of faxes for the exchange of wiring instructions or, better yet, the use of encrypted email or a secure client portal. The absolute best option might be a provision that requires wiring instructions be delivered