Attention lawyers: There is a sophisticated new hacking scam the FBI refers to as “Business Email Compromise” Lawyers in multiple states have already fallen victim to this scam.

This three-part blog series will provide you with the details of the scam, help you identify the legal and ethical concerns, and provide you with effective risk management tips to prepare you and your business.

So, what’s this scam all about, anyway?
The scam targets lawyers who process client funds from their attorney trust accounts. Transactions involving real estate closings or legal settlements are vulnerable to this ploy. Typically, the hacker will impersonate the intended recipient of a payment via email communications and will manipulate the lawyer into wiring client funds to a fraudulent bank account. After the funds are fraudulently transferred, the lawyer may be obligated to replace the lost client funds.

Here is a detailed, step-by-step breakdown of how the scam works:
 

• Step 1. A criminal hacks into a lawyer’s email account and monitors the email traffic in an undetected manner. Eventually, the criminal learns the attorney will be wiring client funds relating to a settlement or transaction.
   
• Step 2. The criminal then creates a “spoof” email address that is almost identical to the email address of the intended recipient of the funds. For example, the fraudulent email address may be the same as the intended recipient’s email address, except for one character. Using this fraudulent email address, the criminal emails the attorney and requests the attorney wire the funds to a bank account in the United States.
   
• Step 3. The lawyer wires the money to the sham bank account. Typically, the bank account belongs to an innocent party who has been instructed to open the account in order to receive wire transfers. The criminal has told this individual that he or she simply must wire the funds to a foreign bank, and he or she can then retain 10% of the funds for his or her trouble. The funds are then wired to the foreign bank, rendering the funds unrecoverable.
   

The scam is ultimately dependent upon the lawyer failing to follow up with the actual intended recipient to confirm the instructions in the fraudulent email. If the lawyer were to contact the true recipient prior to following the emailed instructions, then the fraud would be discovered.

Why isn’t this scam immediately detected?
The criminal continues to perpetrate the scheme by creating a fraudulent email address based upon the attorney’s own email. The criminal then sends emails to the true intended recipient of the funds, purportedly from the attorney, providing an excuse as to why the funds have not yet been delivered. The excuse often involves a fabricated family emergency or other personal loss.

As a result, the intended recipient of the funds may delay for several days before contacting the attorney. By the time the intended recipient telephones the attorney, all but 10 percent of the funds have been transferred out of the country. The intended recipient inevitably demands satisfaction from the lawyer, who no longer has access to the client’s funds and must use his or her personal resources to compensate the client for the difference.

What’s next?
Does being a target of this cyber-crime sound frightening? It should. However, effective risk control measures can help prevent you from becoming a victim of such an attack. The first step is to understand how the scammers are executing their plan and what you need to know. Part two of this three-part blog series will discuss the legal and ethical concerns for lawyers. Part three of this series will conclude with actionable tips to reduce your risk of being a victim.