Protecting Your Clients and Your Practice

It happened at an ATG closing just last week — the buyer’s attorney sent ATG wire instructions to his clients via unencrypted email. A fraudster intercepted the email, changed the instructions so the funds would be secretly diverted, then sent the email along to the buyers as if it were from the attorney. The homebuyers followed the instructions, but their $500,000 never showed up at the closing.

Fraudulent wire transfer and other forms of business email compromise continue to rise, and the cost is in the billions (see Reuters' April 2016 article). The example above is recent and extreme — and there are many more. Several ATG agents have been targeted in recent years, fortunately they were able to detect the problems before their systems were compromised. Upgraded vigilance is necessary to protect your escrow accounts.

We recommend all lawyers take the following precautions, updated here from an April 2014 Trusted Adviser post:

Encrypt your email communications | There have been instances of original, valid emails being intercepted and the content modified to divert funds from their intended recipients. Utilizing encrypted emails for delivery of personal or financial information is highly recommended. In absence of that option, a follow-up phone call to verify instructions is always a good idea.

Guard your account number and bank routing number | This is very important in protecting against fraudulent transactions. Both of these numbers are readily available, and having them is all a fraudster needs to perpetrate an attack. These numbers appear on every check you write. You give this information to anyone who requests wire information for a transaction.

Limit or ban access to social media websites on office computers | Social websites are a major source of a multitude of viruses and other malware that could wipe out your account balance. One in particular is quite deadly: It waits in hiding for you or someone in your firm to access your bank’s website. When you perform a wire transfer, you think it went to Party A, but it was hijacked. The malware changed the payee and bank information to that of the fraudster. These fraudsters are good at what they do. The wire goes to a domestic bank first and is ultimately wired outside the country. Please keep this in mind: Once the money leaves the country, it is almost impossible to recover.

Use electronic banking | Many people shy away from electronic banking for fear of a fraudulent attack. For the bad guy, it is easier to gain access to your account and routing number than it is your ID and password. With electronic banking it is much easier to detect the potential fraud early — no waiting until you receive your bank statement.

Be cautious when delivering wiring instructions | Ensure that your internal procedures relating to the sending of a wire are strong enough to prevent a fraud. Have procedures in place that require two people to send a wire — one to initiate and one to approve. Many banks today have changed their banking agreements to specifically say that the bank is not liable should an unauthorized wire be sent from an account that does not use two people to send it. Consider using one computer exclusively for wire transfers. If you cannot dedicate a computer solely to wire transfers you should ban access to social media websites, as this is the main source of malware used to hijack accounts.

Be vigilant in monitoring your bank accounts and transactions | The sooner you recognize a problem, the better your chances of a positive outcome.

Be wary of requests to act outside established procedures | A current trend in wire fraud, "Social Engineering," uses fraudulent emails, faxes, and sometimes phone calls, to trick the recipient. The request appears to be official, typically from an officer of the organization, or his/her assistant or designee, and is "urgent" or regarding "confidential" matters and therefore needs to be processed outside of normal company procedures.

Protect your electronic systems | Install and maintain (i.e., update regularly) strong anti-virus and anti-malware applications at all workstations or at the very least those used to communicate with financial institutions.

We hope you find this information helpful. We value your business and hope to assist you protecting your law practice against cyber crime.

Darryl E. Schroeder
ATG Senior Vice President and Chief Financial Officer

EDITOR'S NOTE: For detailed information about protecting yourself from cyber crime, see the LawPRO’s AvoidAClaim blogpost, Protecting Yourself from Cybercrime Dangers: Lock Down and Protect Your Data Wherever it Is.

[Last update: 5-26-16]