Internet Miscreants are Rapidly Evolving

Lawyers and their offices remain soft targets for cyber criminals. Our concerns include hacking, phishing and malware. Data theft is a constant worry. Most exposures to crime result from failures of technical barriers, but more common issues arise from attorney and staff reactions to incoming emails.

The global insurer Hiscox annually produces a Cyber Readiness Report. The latest report found that 61% of law firms had been breached in the past year. That was a substantial increase from the 45% reporting a breach in the prior year. Although the largest firms are targeted most frequently, small- and medium-sized firms reported the largest percentage increases year over year. In 2018, one-third of the smaller firms (< 50 employees) were targeted; in the latest report, that figure rose to 47%. Corresponding data from the medium firms rose from 36% to 63%. The rapid increase in the number of these targeted attempts and their prevalence should give cause for concern.

New threats continue to arise and evolve. One type is a business email compromise (BEC), sometimes known as an email account compromise (EAC). These are a popular tactic used by crooks to facilitate wire transfers to a bank account they control. They require little technical skill, only penetration of an office email system or insertion into the funds transfer process that accompanies every transactional or litigation closing. They are potentially very harmful to our financial well-being because the losses may not be covered by insurance.

A simple tactic involves an email that contains revised instructions for closing, or an email from someone with apparent authority that directs payment to a misdirected bank account. Once the wire transfer is completed, the funds are moved on and removed from the country before anyone detects that they never arrived or were misdirected.

In a recent example, a firm partner unknowingly transferred about $600,000 from the firm’s client trust account to computer hackers in Hong Kong. How could this happen? By phishing, the criminals had gained access to the email account of a firm partner. They then emailed from that account requesting another partner’s help transferring funds from the client trust account. The impostor, writing as the partner, said that he was out of the office and claimed the client needed the funds promptly to close the transaction. The firm transferred the money out of its client trust account at Bank of America, and it was long gone when the firm discovered the mistake. The firm sought the assistance of Bank of America, but that bank responded that it could only request that the Hong Kong bank reverse the transfer. By the time the Hong Kong bank froze the destination bank account, there was only $24,000 left. So the firm sued Bank of America alleging various contractual and negligence theories. The trial judge refused to transfer the risk of loss from the firm to the bank.

In another example, a big law firm sent $2.5 million to the criminal’s bank account in Hong Kong. Again the transfer was part of a closing transaction. The firm received an email apparently from the intended recipient of those funds requesting a change in the destination account. The firm was careful enough to leave a voice mail message at the intended recipient’s office and sought letters of authorization from that company and from the bank to which the funds would go. They never received a call back, but they did receive authorization letters that were, of course, also fraudulent. So they transferred the funds to the scam account. The firm recovered only a few hundred thousand dollars and litigated with its insurer. The insurer claimed the loss was not covered by the computer fraud provisions of the policy.

Damages from malware and ransomware may be covered by a good cybersecurity policy. However, cybersecurity insurers are loath to extend the coverage of their policies to the results of poor wire transfer policies. But the government may provide help. The FBI has an excellent Internet Crime Complaint Center (IC3). It just issued its 2018 Internet Crime Report chronicling 352,000 complaints in the past year involving a reported $2.7 billion in losses from various internet crimes. BEC/EAC campaigns were only the sixth most common cybercrime, but they accounted for almost half of the total losses. To combat that rapidly increasing threat, IC3 established a Recovery Asset Team. Working with other task forces to recover fraudulently wired funds, the team recovered 75% of the lost monies. So when the inevitable loss occurs to you or your office, the first thing you should do is head to the IC3 website and file a complaint (www.ic3.gov).

The threats will not go away. They will continue to increase, but we can minimize the risks and financial losses. Constant employee training, appropriate use of cybersecurity insurance and a promptly executed disaster recovery plan can work together to make the real risk small.

Bill Kammer is a Partner with Solomon Ward Seidenwurm & Smith, LLP.