The General Agency, INC.

Charleston, South Carolina Insurance Agency | (800) 922-5036

Call (800) 922-5036 hello@generalcompany.com
Get Quotes Started

Cyber Liability Insurance

Wire Transfer Fraud: A Growing Threat to Law Firms

The practice of law involves advising clients on the risks and benefits of potential courses of action. Examples range from helping a client decide whether to accept or reject a settlement offer to analyzing whether a proposed contract provision will help or hinder a client’s business objectives.

Lawyers, of course, must often serve as their own risk managers in managing their professional practices. Two of the primary risks involve maintaining the confidentiality of information relating to client representation and safekeeping the property of clients and third parties. These vulnerabilities have intensified due to the pervasive threat of cyber criminals who perceive law firms as repositories of valuable information and significant funds on behalf of clients and others. These bad actors can undo months or even years of a lawyer’s hard work with a few well-placed keystrokes and a law firm lacking the tools and resources to address this exposure.

Wire Transfer Fraud Attempts Are Increasing

Lawyers in any area of practice may fall victim to wire transfer fraud, but the problem is most acute in real estate practice – both residential and commercial. Professional services pertaining to real estate matters present an inviting target for cyber criminals, since the parties and lawyers involved in such transactions often exchange sensitive financial data, face time pressure related to closure, and wire large amounts of funds. The FBI’s Internet Crime Complaint Center’s (“IC3”) data confirms the growing trend in wire transfer fraud. From 2017 through 2019, the IC3 reported the following cyber crime data involving real estate/rental complaints:

Year       Number of Complaints    Reported Losses

2017               9,645                                $56.2 million

2018             11,300                               $150 million

2019             11,677                                $221 million

While not every complaint and reported loss in the above data involved law firms or their clients, the FBI reports reflect a number of cases involving the legal profession. In addition, CNA claim data for the same time frame demonstrates an increase in total incurred losses for law firms defrauded by wire transfer schemes.

 

Claim Scenarios

Although the following scenarios are fictional, they are based upon actual examples of wire transfer fraud schemes involving law firms.

Scenario 1

Jane works as a residential real estate lawyer with a high volume of clients. She relies on her paralegal to organize the closing documents and coordinate the details of the closings with clients and other parties to the transaction. In one closing, where Jane represented the buyers, Jane’s paralegal received an email that purportedly came from the attorney for the sellers. The email address from which the email originated differed by only one letter from the correct email address of the sellers’ attorney, but Jane’s paralegal did not notice this discrepancy. The paralegal encountered an example of email spoofing – a form of social engineering employed by cyber criminals to trick the email recipient into believing that the email was sent from a trusted source.

The email stated that the sellers wanted the funds for the transaction to be wired to a different bank than the sellers’ attorney had initially provided. In the email, the sellers’ attorney explained that he had made a mistake in his prior email and that the initial bank he had listed related to a different transaction and apologized for any confusion. Jane’s paralegal followed the new instructions in the most recent email, without informing Jane or calling the sellers’ attorney to confirm that the new wiring instructions were valid. Of course, cyber criminals had sent the new wiring instructions and stole the funds intended for the real estate sale.

Scenario 2

Jim represents plaintiffs in personal injury matters. In a recent case, Jim negotiated a favorable settlement for his client. During the negotiations, Jim received an email containing poor grammar and spelling that his client purportedly sent. The email also included different wiring instructions for the settlement funds than the client had previously provided to Jim. Jim sensed that he had received a phishing email – another form of social engineering, in which scammers send an email and impersonate a person or entity considered trustworthy by the target and seek to obtain sensitive information or data that can be used for financial gain. Jim immediately called his client, who confirmed Jim’s suspicions about the fraudulent nature of the email. Jim deleted the email without responding to it but did not warn defense counsel of the attempted cyber crime.

Several days after he received the phishing email, Jim contacted the defense and inquired as to the delay in receiving the settlement funds. The defense attorney, confused by Jim’s inquiry, explained that he had wired the funds three days ago, per Jim’s email that contained the new wiring instructions. Knowing that he had never sent such an email, Jim realized that cyber criminals had deceived his opposing counsel, meaning that the funds intended for Jim’s client were now missing and not likely to be recovered.

Scenario 3

Viola serves as the department head of the merger and acquisitions department of an international law firm. While representing her clients in the purchase of a large business, hackers breached email communications between her client and the parent company of the business that was being sold. In the phishing emails sent to Viola’s law firm, the hackers claimed that the original account where the money was to be wired was under audit and gave wiring instructions for a different account to an overseas bank. Sensing potential trouble, Viola made a telephone call to the law firm for the parent company and left a voicemail message, which was not returned. The hackers forged additional documents and authorization letters concerning the new account at the overseas bank, which Viola assumed were being sent to her in response to her voicemail message. Upon receipt and review of these new documents, she authorized release of the funds, which went straight to the hackers’ overseas account.

Risk Control Tips

Several important risk control lessons may be learned from the claim scenarios described above.

Train your support staff

As Scenario 1 demonstrates, continuous employee training should be implemented, focusing on social engineering schemes, which can result in wire transfer fraud or other cyber crimes. Supervisory lawyers are responsible for making reasonable efforts to ensure that the conduct of a support staff member is compatible with the professional obligations of the lawyer. Such training should help law firm staff members identify email spoofing and other targeted phishing emails and also provide clear instructions on what to do when in receipt of suspicious emails. In order to be more confident that email senders are who they purport to be, type the name of email recipients instead of hitting “reply.” Training also should instruct law firm staff to avoid clicking on unfamiliar links and attachments from unknown senders. Law firms may wish to consider testing their employees by sending them simulated phishing emails to determine whether or not they are applying their training on data security to their routine activities and the scenarios they encounter.

Share information on cyber crime attempts with all relevant parties

In Scenario 2, the lawyer thought that merely identifying and deleting a phishing email fulfilled his duty to his client. The existence of the phishing email, however, should have placed the lawyer on notice that cyber criminals obtained confidential information about the settlement agreement and might attempt to steal the settlement funds by deceiving other parties involved in the settlement. The lawyer, therefore, should have warned opposing counsel to be alert for a phishing email such as the one that he had received. Courts have held that where one party fails to exercise ordinary care that substantially contributes to a loss, such a loss must be borne by that party.

Mandate dual authentication for wire transfers

Before wiring client funds, lawyers always should initiate a phone call to the intended recipient (or the intended recipient’s lawyer) to verify the wiring instructions. Lawyers should call phone numbers known to be valid, rather than phone numbers referenced in e-mails that purport to confirm the wiring instructions. If any sudden and emergency changes to prior wire instructions occur, law firms should be on high alert and verify that the changes are authentic. Moreover, a written response to a telephone message is insufficient, as delineated in Scenario 3. Oral confirmation of wiring instructions must be provided, preferably by an individual whose voice is known to the lawyer or support staff member making the call. To convey their commitment to dual authentication, law firms also may wish to consider inclusion of disclaimer language to their outgoing email messages and website that the law firm will not wire transfer funds absent such a protocol.

Use caution when wireless/remote

With more lawyers and support staff working remotely, law firms must ensure that their network is accessible to authorized users, while also secure from outsiders and bad actors. Most law firms use virtual private networks (VPNs) to facilitate individual remote access. VPNs create a secure tunnel between a lawyer’s local network on one end and the law firm’s network on the other end across a public network (i.e., the internet). Data traveling within the tunnel is encrypted and, if intercepted, is indecipherable.

Encrypt emails

All emails should be encrypted, whether in transit or at rest (a/k/a end-to-end encryption). Encryption secures confidentiality by transforming emails sent and received by the law firm into an unreadable format for unauthorized users. Many successful wire transfer schemes occur when law firm personnel use non-secure email communication systems. Email encryption, however, is only as secure as the account from which it originates. For example, if cyber criminals obtain access to a lawyer’s email account and pass-word, through a phishing scam, they will be able to view the emails in the lawyer’s inbox in an unencrypted (i.e., readable) format.

Consider client portals

Secure client portals offer an additional safety measure for law firms. Instead of accessing sensitive messages or documents via email, clients will receive an email notification that there is an item awaiting their review in the portal. Through the portal, the clients click on a link, enter their login information, and access the content contained in the message on a cloud-based platform. Sending wire transfer information via secure client portals reduces the risk of confidential information being breached.

Practice good Information Technology (“IT”) hygiene

All law firm IT devices should be equipped with up-to-date antivirus and anti-malware solutions. An IT professional should ensure that all software updates and security patches are implemented on a timely basis. Sound password protocols help deter data breaches. Law firms should require strong passwords, preferably 8 to 20 characters, with a combination of capital and lowercase letters, numbers, and characters. Access to the law firm’s network also should require users to change their passwords on a quarterly basis. In addition, the law firm should implement multi-factor authentication for account access, irrespective of whether the firm uses a VPN or a web-based provider via email access. If someone attempts to login from an unknown browser or IP address, a code will be sent to the user’s designated cell phone number in order to gain access.

Vet your vendors

Law firms frequently outsource various tasks, such as file storage or eDiscovery services, to third-party vendors. Scammers will sometimes obtain confidential law firm data by hacking through the network security of a third-party vendor that is providing out-sourcing services to the law firm. Lawyers have ethical duties to ensure that their vendor’s conduct aligns with the professional obligations of lawyers, which includes the duty of confidentiality.9Law firms should inquire about the cyber security practices and other safety protocols of potential vendors in order to safeguard against the inadvertent or unauthorized disclosure of client or law firm information.

Discuss cyber and other insurance coverage with your insurance broker

Since wire transfer fraud and other social engineering crimes may involve the release of company funds by a person within your law firm – standard lawyers’ professional liability policies may not cover your losses. Even a law firm with comprehensive preventive protocols may fall victim to social engineering fraud. Your lawyers professional liability policy should include coverage for social engineering, subject to the terms and conditions of the policy. If it does not include such coverage, your claim may not be covered. To help insure your law firm against wire transfer fraud and other scams, contact your insurance agent or broker to ensure that your law firm has the appropriate insurance coverage for this exposure.

Conclusion

Law firms face an increased threat of wire transfer fraud via social engineering schemes from cyber criminals. Preparing for this reality prior to an attempt may prevent or minimize the damage such fraudulent schemes can inflict upon law firms. Continuing education and vigilance surrounding this threat, including sound risk control and IT practices, provide the safest path for law firms and their clients in navigating the complex issues of today’s cyber environment.

Click Here to Read the Full Article

Increased Cyber Risk Due to COVID-19

Many businesses across the country have been forced to work remotely with very little time to prepare due to the coronavirus. Below are some examples of cyber exposures, relevant coverage you need in your policy, and ways business owners can secure their operations while working remotely.

Cyber criminals have registered over 4,000 domain names containing “Corona” and/or “Covid.” These hackers are using their fraudulent domains to deploy phishing and ransomware attacks. They are impostors luring people into thinking they are COVID-19 help. They send deceitful messages, with malicious intent, appearing as if they are coming from a medical specialist, the World Health Organization (WHO), the Center for Disease Control & Prevention (CDS), or even internal workplace notifications.

What is Cyber Insurance?

It’s coverage for your intangible assets. The assets in your servers, systems and computers. Your data.

Is it expensive to get hacked?

Yes, it’s very expensive. You can be fined by the federal government, state government, and private regulatory bodies.

Next you’re required to notify and provided credit monitoring to the individuals whom you lost their information.

Finally, you’re going to have to hire an IT forensic specialist to find out exactly what happened. They typically cost $200-300 per hour.

Do you accept credit cards? If so, you can be fined up to half a million dollars. This is before the fraud and reissuance costs.

Lose health care information? That can cost up $50,000 per record lost.

And that’s not everything you need to be worried about. What if a hacker takes down your system and you cannot work? You need to be concerned about business interruption and reputational harm.

What about the cost of social engineering, phishing, and extortion?

Cyber Liability Insurance is necessary for every business given the world we live in today.

Thankfully a stand-alone cyber liability, also known as data breach, insurance policy covers all these things and more!

What does a General Agency Insurance Cyber Liability Insurance Plan do for you?

  • Third Party Liability for financial loss
  • Notification Coverage and Call Center Services
  • Forensic Expense Coverage
  • Lost Income Coverage
  • Business Interruption Coverage
  • Risk Management services provided to policyholders, including, but not limited to:
    • Best Practices
    • Recent related cyber threats
    • Prevention methods from expert partners
    • On-demand webinars
    • E-learning website for employees
    • And more…

Three Practices we Recommend to Business Owners to Avoid a Cyber Attack during COVID-19

1)      Multi Factor Authentication:

          Since most employees are now working from home. We recommend using Multi-Factor Authentication (MFA) when logging into a remote desktop or email related accounts that require a user name and password. MFA is an authentication method in which a computer only allows access to the user after they successfully entered two or more pieces of evidence to prove it is indeed that user. This is one of the most successful methods to prevent hackers from using brute force attacks. This is when they run a program that rallies through a series of passwords until one works. There are several free MFA options available to everyone.

2)      Employee Training:

           When it comes to a cyber attack, you are only as strong as your weakest link. If one person clicks a bad link or opens the wrong email, the whole company is at jeopardy. Most cyber liability polices come with several preventative training solutions. Some have training videos for employees that teach them about Ransomware, social engineering, phishing and malware, password and identity thief protection and more. Others ways to train employees include Phishing training. Doing this allow you to create fake phishing email campaigns to send to employees. If someone on the staff opens the email and clicks on a link, you can be notified and they will be promoted to watch an educational video to raise awareness.

3)      Create a Business Continuity Plan:

           In the event of a cyber attack, it’s best to have a plan of action ready to be put in place to help contain the incident as quickly as possible. Most of the cyber liability insurance policies come with serval risk management tips including how to create, develop and test your plan.

Protecting yourself from a cyber attack can be scary and it’s not something to try to do on your own. That’s why The General Agency offers Cyber Liability Insurance to its clients. We are here to help your business survive a cyber attack. Make sure that you’re not the one stuck paying for it when you’re one of the 60% of businesses that will be hacked this year.

Check out our prior blog post, “Best Practices for Law Firms During a Pandemic

Contact Us

The General Agency, INC.
1527 Sam Rittenberg Blvd
#1
Charleston, SC 29407
Get Directions
(843) 766-9091
(800) 922-5036
hello@generalcompany.com
Mo,Tu,We,Th,Fr 8:30 am – 4:30 pm

Get Connected

The General Agency