A three-lawyer shop in suburban Philadelphia and the largest law firm in the world have both fallen victim to it, multimillion-dollar cybersecurity technology can do little to guard against it, and once the damage is done it’s all but irreversible.
“Spear-phishing”—a cyberscam in which a target is induced to reveal confidential information or transfer money by a hacker impersonating, via email, someone the target knows—is a growing concern for law firms, particularly those whose practices involve initiating monetary transactions on behalf of clients.
Cybersecurity lawyers said the key to avoiding such a trap lies in administrative, rather than technical, controls. Firms, they said, must establish clear policies and precautions for dealing with requests for sensitive information and large sums of money.
A more sophisticated, insidious twist on the “old” email scams in which hackers would impersonate colleagues and loved ones pretending to be stranded in some foreign locale and in need of fast cash, the spear-phishing schemes targeting law firms today often involve very convincing emails that appear to be coming from partners and clients, giving detailed instructions for wiring large sums of money.
In many cases, cybercriminals are able to pull off plausible impersonations because they’ve been monitoring real emails between attorneys and clients and have accessed confidential information about specific transactions.
“A lot of times, quite literally, the email [system] has been compromised,” said Richard Borden, a partner at White and Williams in New York and the firm’s chief privacy officer. “What that means is that [the hackers] are in the middle of the conversation. They’re watching it. Sometimes you get an email that looks like it’s from a similar place as someone you know and sometimes they’ve gotten that person’s credentials and they’re actually sending emails from a valid email address.”
There are two recent examples of spear-phishing attacks against law firms that illustrate how vulnerable organizations of all sizes are to such breaches.
In late 2017, three-lawyer real estate and corporate transactional law firm O’Neill, Bragg & Staffin, based in Warminster, fell prey when a hacker posed as a partner of the firm, Gary Bragg, and emailed another partner about a loan transaction of which the hacker seemed to have intimate knowledge.
In the correspondence, the hacker addressed partner Alvin Staffin by his nickname, Mel, making the ruse even more convincing, and asked for a $580,000 transfer from the firm’s IOLTA sub-account to the Bank of China on behalf of a client.
Bank of America made the transfer at Staffin’s request. After the transfer was made, Staffin called Bragg to discuss it, finding out only then that Bragg had no knowledge of the $580,000 request.
The client’s sub-account held only $1,900, far short of the amount transferred, according to the complaint. Bank of America nevertheless drew on the firm’s other IOLTA sub-accounts, belonging to other clients, to cover the fraudulent transfer, the plaintiffs claimed.
The firm sued Bank of America for failing to stop the transfer once it had been notified of the breach, but in November, a federal judge for the Eastern District of Pennsylvania dismissed the action, finding that the firm failed to show that the bank breached any agreement, violated federal regulations or breached the Pennsylvania Commercial Code.
At the time it filed its complaint, the firm had recovered only $58,000.
It may be tempting to view that episode as simply a case of a small firm proving to be no match for sophisticated cybercriminals. However, as revealed in recent court documents, 8,700-lawyer multinational law firm Dentons was swindled by a similar con in early 2017.
The Canadian arm of Dentons was affected by the breach amid a real estate transaction that members of the firm’s Vancouver office worked on, according to the Canadian court ruling. In early 2017, after the real estate deal closed, associate Wilfred Chan was supposed to arrange for some $2.52 million to move from Dentons’ trust account to Timbercreek Mortgage Servicing Inc., which held a mortgage on the property that was sold.
Before the transfer, however, Dentons received emails from people who appeared to be affiliated with Timbercreek. The emails indicated that one of Timbercreek’s accounts was subject to an audit and asked Dentons to send the money instead to an international account in Hong Kong held by a third party called Yiguangnian Trade Co. Ltd., according to the decision of Judge Carole Brown of the Superior Court of Justice for Ontario.
Following that, the Dentons side attempted to verify, leaving a voicemail at Timbercreek and seeking letters of authorization from the mortgage servicer and the Yiguangnian entity. Although Dentons didn’t receive a phone call back, it did receive what appeared to be authorization letters from Timbercreek and Yiguangnian. The law firm then went ahead with the transfer, sending the $2.52 million to the Hong Kong account, according to the court ruling.
A couple of weeks later, Chan heard from the real representatives of Timbercreek wondering what happened to the wired funds, and the Dentons lawyer realized the money had been misdirected into a scam account.
The law firm managed to recoup about $785,000 on its own, but then put in an insurance claim with Trisura to cover a remaining amount of about $1.73 million. The insurer, however, denied coverage on the grounds that the situation didn’t fall under a computer fraud rider to Dentons’ insurance policy, and the firm filed suit in the Superior Court of Justice for Ontario, where proceedings are ongoing.
Borden said the vast majority of spear-phishing scams are aimed at inducing a target to wire money, as opposed to gaining access to confidential information.
To the extent that hackers are seeking private data from law firms by impersonating clients and colleagues via email, that type of scheme can typically be thwarted by simply encrypting all sensitive documents before sending them, Borden explained. But guarding against an attempt to induce a fraudulent wire transfer requires significantly more legwork.
“Any wire that’s going to be initiated for any reason has to be verbally confirmed,” Borden said, adding, “You need to confirm everything. I don’t care if it’s inconvenient. I don’t care if it slows the deal down. You don’t trust anything that comes off the email or a fax.”
But, he continued, lawyers seeking to verbally confirm a wire transfer request must also be careful to use a phone number they know will connect them to the correct person—not necessarily the phone number listed on the email that made the initial request.
“The email will have a phone number on it and they’ll talk to you,” Borden said. “They may even have a call center set up to do it.”
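As an added illustration (not code from the article or from any of the firms it describes), the following Python sketch models the two controls Borden describes: the sender’s address is checked against a contact directory the firm populated out of band (at engagement, in person), near-miss domains are flagged as look-alikes, and the callback number for verbal confirmation is taken only from that directory, never from the email. Every name, address and phone number below is a constructed placeholder, and the directory, thresholds and helper names are assumptions for the example.

```python
"""Wire-request screening helper (constructed example, not a real product).

Assumption: the firm maintains a trusted contact directory whose entries were
recorded out of band, so nothing in an incoming email can alter them.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustedContact:
    name: str
    email: str           # address recorded at engagement, not taken from any email
    callback_phone: str  # number recorded at engagement, used for verbal confirmation

# Constructed directory; .example is a reserved TLD and 555-01xx are fictional numbers.
TRUSTED_DIRECTORY = {
    "partner@firm.example": TrustedContact("Partner A", "partner@firm.example", "+1-215-555-0100"),
    "payoffs@lender.example": TrustedContact("Lender Ops", "payoffs@lender.example", "+1-416-555-0101"),
}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_DIRECTORY}

# Any phone-number-looking string in the body; these are never trusted.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")

def domain_of(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain swaps (rn/m, 1/i)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_addr: str) -> str:
    """'known' (exact directory match), 'lookalike' (near-miss domain) or 'unknown'.

    A 'known' result does NOT prove the request is genuine: a compromised mailbox
    sends from the real address, which is why verbal confirmation is still required.
    """
    if from_addr.lower() in TRUSTED_DIRECTORY:
        return "known"
    dom = domain_of(from_addr)
    for trusted in TRUSTED_DOMAINS:
        # near-miss spelling, or the trusted name buried inside a longer domain
        if 0 < levenshtein(dom, trusted) <= 2 or (trusted in dom and dom != trusted):
            return "lookalike"
    return "unknown"

def callback_number(from_addr: str):
    """Callback number from the directory only; None if the sender is not listed."""
    contact = TRUSTED_DIRECTORY.get(from_addr.lower())
    return contact.callback_phone if contact else None

def screen_wire_request(from_addr: str, body: str) -> dict:
    """Decide how a wire request is handled. Every request is held for a verbal
    check; the only question is which number gets called, if any."""
    status = classify_sender(from_addr)
    phones_in_email = PHONE_RE.findall(body)   # surfaced so reviewers know to ignore them
    trusted_phone = callback_number(from_addr) if status == "known" else None
    if status == "known":
        action = "hold: confirm verbally at the directory number before releasing funds"
    else:
        action = "hold: sender not in trusted directory; escalate, do not call numbers from the email"
    return {
        "sender_status": status,
        "callback_number": trusted_phone,
        "phones_in_email_untrusted": phones_in_email,
        "action": action,
    }

if __name__ == "__main__":
    # Constructed message from a look-alike domain ('f1rm' instead of 'firm').
    msg = "Urgent: please wire the closing funds today. Confirm with me at +1-215-555-0199 before 3pm."
    print(screen_wire_request("partner@f1rm.example", msg))
```

The point of the sketch is the data flow, not the string matching: the confirmation number comes from a record the attacker could not have written, and numbers harvested from the email are listed only so the reviewer knows not to dial them.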
And while it may seem that a firm’s best defense against spear-phishing attempts would be to block unauthorized access to its email servers in the first instance, Borden said that’s simply not a realistic solution.
“The information security people I know would say you have to assume that [hackers] are in the system and that they’re going to get in in some way or another,” he said. “The goal is to try to prevent them from getting to places that are sensitive.”
Not to mention that for some practices—trusts and estates, for example—enough information is publicly available to allow an impostor to craft a convincing request for a monetary transfer, according to Daniel Siegel, who runs a small Havertown-based litigation firm and also serves as technology consultant for fellow attorneys.
“It’s not necessarily that someone’s been hacked,” he said.
Siegel, who co-chairs the Professional Development Board of the American Bar Association’s Law Practice Division, said combating spear-phishing attacks was one of the topics discussed at the ABA’s Midyear Meeting in late January.
“What you’re talking about is out there,” he said. “It’s a problem.”