NY Law Firm Cyber Attack Foiled – See how they fought back from this devious plot

Every day, there are reports of another company being hacked (Sony, Target, Chase, etc.).  A New York law firm was recently attacked by a sophisticated cyber fraudster attempting to steal a substantial amount of money.  Learn from this incident so that it doesn’t happen at your firm.

What Happened:  The firm received an email from the other side’s attorney requesting the transfer of funds.  The routine instructions were to send the funds from the recent real estate transaction to their bank account.  Everything looked in order.  The referenced real estate deal had just closed and the request was on firm letterhead, sent to the right lawyer at the firm, and with routine proper instructions for this type of transaction.

The astute attorney at the firm sensed that something was not quite right.  It was hard to quantify, but the lawyer’s language seemed a bit oddly worded.  The attorney called the other attorney, who was shocked and horrified.  He had not sent the instructions and learned that he was the victim of a sophisticated but simple cyber fraud.

How:  The criminal fraudster illegally gained access to the small law firm’s email system.  For some undetermined time, he monitored the email account – reading the emails, learning the legalese, and waiting patiently to strike.  He saw the emails about the transaction being completed and then applied what he had learned in drafting the fraudulent instructions to the larger firm.  With the instructions placed on stolen firm letterhead (easily accomplished in a virtual letterhead environment), the criminal directed the transfer to his own bank account in an attempt to steal the proceeds.

So what can you do to protect your firm?

  1. Pick a transfer amount above which verbal confirmation with the requester (whose identity you must know) is required, and initiate the phone call to them yourself.  Like requiring double signatures on large firm expenditures, it’s an inconvenience, but worth it.  Unfortunately, even if your firm environment is secure, your counterparties can harm you and your clients.
  2. Make sure that your crime insurance coverage is properly structured to include these kinds of frauds.  While there may have been some Cyber Insurance coverage applicable in this scenario, cyber coverage limits are frequently insufficient for these larger losses.
  3. Have Cyber Insurance in place to cover you for the fallout from breaches (as happened to the attorney in the case above) when they occur at your firm.  While these policies are narrow in their cyber scope and not structured to cover outright theft, they are critical to crisis management when you do (and it isn’t if – it’s when) get breached by cyber criminals.  This policy is currently very inexpensive.
  4. Hire street-smart people and train them.  Lawyers and non-legal staff have to adapt to the new world.  Just like we all adapted to walk alertly at night in dark neighborhoods, we need to conduct business defensively so as not to become cyber victims.

We have become highly reliant on our computers, software, and the internet.  It has made us more efficient, knowledgeable, and profitable.  While some of the inherent risks can be controlled and monitored to a certain extent, virtually all businesses are susceptible to cyber crime.  This insurance policy is a necessary way to transfer risk and support you at the time of crisis.  Speak to your law firm insurance advisers to keep your firm from suffering from this kind of cyber plot.


One Response to “NY Law Firm Cyber Attack Foiled – See how they fought back from this devious plot”

  1. Unfortunately, this is not all that surprising. Since most firms allow access to their email systems through the web, there is a doorway available for a hacker to gain entry. It’s easy for the hacker to get an attorney’s email address because most firms publish them on their websites as a communications convenience. This is good for marketing and client relations but unfortunately makes it that much easier for a hacker. While knocking at the proverbial door, access to an attorney’s email can be easily gained when certain basic policies are not followed. The hacker can crack the password fairly easily if one of the most fundamental preventions is not followed – the requirement of a complex password that is reset on a periodic basis. Seems like an advisable thing to do, but there are far too many people out there who refuse to follow such simple protection measures because of personal inconvenience. Now this may not be the case for this particular attack, but for those out there who think it can’t happen to them and therefore don’t want to be hassled with the most basic of security measures, then be forewarned that you leave yourself vulnerable to these kinds of intrusions.
