Risk Update

Scam Edition — Law Firm Cybersecurity, Financial Risk & Preventing Incidents

We’ve seen a few high profile stories about troublesome hacking/phishing and other fraud causing losses and embarrassment for firms. Here’s a podcast (with convenient transcript) from ALPS, covering the basics, how to manage these risks, and the growing threat of fake/deepfake attacks entering the mix: “ALPS In Brief — Episode 49: Would You Send All Your Money to a Scammer? Maybe You Just Did.” —

  • “A lawyer was waiting on a fax with all the information she needed to complete a wire transfer. Fax received, money sent. What she didn’t know? Her email had been hacked. Cybercriminals had intercepted the fax and edited the wire transfer details before sending it. The money was gone. The worst part? This new cybersecurity scam is really easy to execute and happening everywhere. ALPS Risk Manager Mark Bassingthwaighte lays out the details and how to spot the breadcrumbs so you and your firm’s employees won’t be caught off guard.”
  • “We have had a number of lawyers impacted by this with literally millions of dollars, in total together, stolen. And certainly, this problem is not limited to lawyers, but there is one very easy way to avoid falling victim to these types of attacks. And I’d really like to explore that a little bit.”
  • “And unbeknownst to anyone at the firm, the firm’s email accounts, all of them, were breached and someone was monitoring what was going on. And this is not uncommon in terms of having someone monitor your email and those kinds of things. It often will go easily, maybe a couple of weeks to several months. And what they are doing is, as they’re monitoring offices, they’re looking for opportunity, of course, but they are also learning who talks, who the players are, how they communicate in writing and just understand sort of the business model, what’s going on.”
  • “The bad guy, if you will, was monitoring and very interested in the eFax account because these lawyers happen to do real estate. And there were a lot of instructions coming through via fax. If a fax had… Was of no interest it would kind of be forwarded along really quickly so no one was aware that these emails were being intercepted and looked at. At one point, a fax came through authorizing… Wiring instructions or whatnot, for a significant amount of money on the sale of a home. And all the hacker had to do was just take that fax and change the routing number, the wiring instructions here on this document. Made that change, sent it on.”
  • “At the beginning of representation, you verify with all the parties, what is the trusted contact information? What is your real email? What is your phone number? What is your address? And then, you go back and you look that up so that you know you’re using the correct phone number. You don’t want to look at a phone number that’s in an email coming to you and use that, because the scammer will give you a fake…”
  • “So, that should also catch your attention as to the value of implementing a firm-wide policy, with a little training here, that says, no one, I don’t care if it’s the most senior attorney down to the new bookkeeper, is authorized to move any money under any circumstances unless an out-of-band communication has occurred, so that we know we are sending the money to the correct legitimate recipient.”