Law firms are prime targets for phishing scams. Firms hold a wealth of confidential information that they are responsible for protecting, and a leak could be catastrophic.
Recently, in Los Angeles, Judge John Shepard Wiley warned lawyers that colleagues were duped into paying $500,000 to email scammers instead of sending the money to the wage and hour class action settlement fund it was intended for.
The judge said:
“A defense firm apparently received what it thought were emails from an administrator, a well-known administrator, Rust [Consulting Inc.], instructing it to wire money to such and such address. The defense firm apparently told the bank to wire the money to this address, at which point the money disappeared.”
Law Firms: Ground Zero for Phishing Scams
Targeted emails are one of the most successful forms of hacking run by cybercriminals. Phishing attacks take place when an attacker uses social engineering to develop legitimate-looking emails that can mirror anything from booking confirmations to bank statements. These emails appear in a user’s inbox and impersonate a reputable source.
The fooled recipient then opens an infected attachment, clicks on a malicious link that captures password information, or, believing the email to be valid and from a trusted source, follows the directions contained therein, to disastrous effect.
Half-a-Million Dollars in the Wrong Pocket
This recent Los Angeles case was a wage and hour claim by golf course employees who claimed they were owed overtime pay. In October 2016, the Los Angeles court granted a $600,000 settlement to the employees with an initial $500,000 transfer to Rust Consulting, the settlement administrator.
With the settlement reached, Rust emailed the defense team to set up the $500,000 payment. The defense claims it never received these emails. However, Rust was receiving emails offering excuses for the delayed payment – apparently sent straight from the scammer.
The defense team received an email supposedly from Rust with wiring instructions right before the initial sum was due. The defense attorney forwarded the wire information to the bank, unaware that the email was not from Rust.
After several months, Rust finally got in touch with the defense team in March 2017 via email. Only then was it discovered that the payment was never received. The FBI is now investigating the missing money.
Targeting Settlements for Fun(ds)
Unfortunately, this is not the first settlement funds scam for lawyers. Another incident took place in August 2016. The U.S. District Court of the Eastern District of Virginia had a similar situation with a $65,000 settlement. The plaintiff received $2,000 while the remaining $63,000 went to hackers.
The plaintiff’s attorney used a compromised yahoo.com account throughout the trial. A scammer used the account to email the defendant’s team for the remaining funds. Similar to the Los Angeles case, the defense wired the money to the scammer, unaware that the plaintiff’s attorney did not send the email.
A simple phone call could have prevented both scams. Per Law360.com, Tagore Subramaniam, counsel for the golf course workers, said:
“This could have been resolved if when receiving that email the defense attorney called the administrator to confirm that they had the right wiring account number and the administrator could have signed off on that. If that were to have occurred, this situation would not have resulted.”
Such a simple solution could have resulted in both cases having a very different outcome. If anyone at your firm is ever unsure of who they’re wiring money to, pick up the phone and call the other party. It may be an extra step, but it also might just prevent a similar mistake from happening to you.