I. Law Firm Cyber Risk Wire Transfer Fraud – Explained
Wire fraud is financial fraud involving the use of telecommunications or information technology.
Example: the New Jersey Law Journal recently reported that a law firm lost $119,000 in an alleged Nigerian internet scam:
The firm “received an email from someone calling himself Miguel Francisco, who was seeking help with an employment dispute over severance pay.”
He stated that “he wanted to bring a claim against his former employer, LabCorp, for $119,000 in unpaid severance. The firm also received emails from someone purporting to be a LabCorp employee, who confirmed the company’s purposed debt to Francisco. Contrary to its usual procedures, the firm did not meet Francisco in person but spoke to him by phone…It’s unclear whether Francisco is a real person.”
10 days later, “the firm received a check for $119,000, made out to Francisco, and deposited it in the firm trust account.” The next day, “Francisco called the firm’s bookkeeper and gave instructions for wiring the funds to him”. The firm then wired the funds to a Citibank account. Four days later, “the firm learned that the check it received was fraudulent.”
It tried “to recall the wire transfer from Citibank, but received no response to its request.”
II. Law Firm Cyber Risk Wire Transfer Fraud – How to Prevent It
Great Western Bank offers eight tips to prevent wire transfer fraud:
- Verbal Confirmation
Verbally confirm that the request to initiate the wire is from an authorized person within the company.
- Verify Changes
Anytime you receive new wire instructions or a change to existing wire instructions verbally verify with your wire transfer vendor.
- Investigate Unique Requests
If you receive a request for a payment that is out of your ordinary payment arrangement, confirm by phone with your vendor.
- Double Check Email Addresses
A common trick is to slightly modify an email address. For example, john.smith@abc.com might be changed to jon.smith@abc.com.
- FWD Instead of Reply
Rather than reply to an email, forward the email to the address that you have on file.
- Establish Dual Controls
For Great Western Bank Treasury Banking Suite (TBS) customers, this could mean having one TBS user who initiates the wires and another TBS user who approves the wires.
- Be Alert
Be on alert for fraud anytime the wire transfer instructions include tight deadlines or pressure you to act quickly.
- Be Suspicious of Confidentiality
Whenever wire transfer instructions specify keeping the transaction a secret – verbally verify with an executive or the person requesting the transaction.
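The "Double Check Email Addresses" and "FWD Instead of Reply" tips both depend on comparing a sender with the address kept on file, which can be partly automated. The Python check below is an added example, not from Great Western Bank or the original article: it flags a sender that is a near-miss of an on-file address, such as jon.smith@abc.com. The `ON_FILE` list, its `billing@abc.com` entry, the function names and the two-edit threshold are assumptions made for illustration.

```python
# Constructed sample of addresses on file; only john.smith@abc.com is from the article.
ON_FILE = ["john.smith@abc.com", "billing@abc.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def split_address(addr: str) -> tuple[str, str]:
    """Lower-case the address and split it at the last '@'."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def check_sender(sender: str, on_file: list[str], max_dist: int = 2):
    """Return (verdict, closest on-file address or None).

    "on_file"   : exact match after case normalisation
    "lookalike" : differs from an on-file address by 1..max_dist edits
    "unknown"   : not close to anything on file
    """
    s_local, s_domain = split_address(sender)
    best = None
    for known in on_file:
        k_local, k_domain = split_address(known)
        # Score the mailbox name and the domain separately, then add them.
        dist = edit_distance(s_local, k_local) + edit_distance(s_domain, k_domain)
        if dist == 0:
            return "on_file", known
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, known)
    return ("lookalike", best[1]) if best else ("unknown", None)
```

A "lookalike" verdict is a prompt to stop and confirm by phone using the number on file; an "on_file" verdict does not replace verbal confirmation, since a genuine mailbox can be compromised.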
An important 9th control for law firms is ‘know your client’, i.e., meet with a potential client before accepting an engagement.
The best defenses against wire fraud include internal procedures and training team members to recognize the signs of suspicious activity.
A former FBI official advises:
“You need to tell employees, particularly in financial areas, that the movement of money should never be generated by an incoming communication, but to always confirm it with you directly,” Figliuzzi says. Tell your employees point blank: “It’s going to take your picking up the phone and going, ‘I’m sorry to bother you, but did you just tell me to move a million dollars or not?’”
III. Law Firm Cyber Risk Wire Transfer Fraud – The Role of Insurance
Wire fraud and other ‘social engineering’ losses, e.g., phishing, are best covered under a commercial crime policy, not a cyber policy. Most cyber policies either exclude coverage for claims arising out of wire fraud, phishing, etc., or offer a small limit, i.e., $25,000.
Crime policies will cover these losses up to $1,000,000 or more, if a law firm has good risk controls in place, like those mentioned above, especially “out-of-band” verification, wherein a phone call is placed to double-check any email instructions, before funds are disbursed.