Ride the Lightning

Law Firm Wire Fraud: Your Money is Gone – Will Your Insurer Cover Your Loss?

August 6, 2019

Virginia Lawyers Weekly (sub.req.) had an interesting post on July 29 about wire fraud involving law firms. We see this all the time, so the story grabbed our attention. Though the title of the article is "Hacked!," be aware that not all wire fraud involves hacking.

Still, the basic story is the same. A transaction is done or a settlement made, papers are signed and the money is sent. Then comes the scary part – a call or an email that the money never arrived.

It may be that a criminal has hacked someone, spoofed the email of the intended recipient of the monies, or even made a phone call (and don't get me started on the brand new technique of deepfaking someone's voice!) The end result is that the victim is persuaded to divert the funds to an account controlled by the bad criminals. If you move quickly to contact the FBI's IC3, you may get your money back. Recently, the IC3 has reportedly been successful in recovering monies 75% of the time – but only if they are quickly notified. If you wire money, CONFIRM THE RECEIPT PROMPTLY.

The losses we have seen in Virginia range from five to six figures.

The article describes two cases, the first from West Virginia. Sean Murphy of Fairmont, West Virginia, represented Betty Parmer in a collection dispute with United Bank Inc. The parties settled the case at mediation on April 4, according to pleadings in the case. The settlement amount was not disclosed in court papers.

On April 11, Murphy asked the plaintiff bank's lawyer for instructions to wire Parmer's settlement payment. The bank's lawyer said he would send instructions as soon as he received them from the bank.

Later that day, a hacker pretending to be the bank's lawyer sent wiring instructions to Murphy, who forwarded them to his client's bank. In accordance with the phony instructions, on April 15, the money was sent to a bank account in Texas.

It was not until May 3 that the plaintiff bank's counsel advised Murphy that the bank had never received the settlement payment. The money was gone.

Murphy notified his insurance carrier, the ALPS Property & Casualty Insurance Co., of the potential claim on May 6. The bank's lawyer wrote a letter May 23 alleging Parmer's bank and Murphy had a duty to "verify that instructions are accurate" before acting on them.

ALPS filed suit July 1 in the Northern District of West Virginia asking a judge to declare it owed no coverage for Murphy under its professional liability policy. The insurer said the policy excludes, among other things, wrongful disbursement of funds "held or controlled" by the insured.

"Murphy exercised direct or indirect control over the Settlement Payment when he conveyed wire transfer and payment instructions" to his client's bank, ALPS contended.

Murphy was not available for comment and no response had been filed to the ALPS action as of July 25.

Onward to Virginia: A Virginia lawyer who was sued after passing along fraudulent wiring instructions in 2016 failed in his attempt to pass the blame to third party involved in the transaction. In a March 29 opinion, U.S. District Judge M. Hannah Lauck found an escrow service had no duty to protect third parties from its own data breach.

The case involved a Fredericksburg land deal. Attorney Craig Buck handled the closing transaction and was supposed to wire payment of $158,671.80 to plaintiff Deutsche Bank National Trust Co., according to the complaint in Richmond federal court.

The bank had hired Altisource Portfolio Solutions as a title and escrow service, the complaint said. Altisource was to hold the closing funds in escrow. Altisource reportedly sent wiring instructions to Buck. Before the funds were sent, however, hackers posing as Altisource sent fraudulent closing instructions to Buck. Buck allegedly followed the second, fraudulent notice of instructions and sent the money to the criminals.

In court papers, Buck said it became clear that a hacker gained access to Altisource's email accounts, posed as Altisource, inserted himself in the middle of the transaction without any interference from Altisource, and then sent fraudulent instructions to the law office.

Buck filed a third-party complaint against Altisource for contribution and equitable indemnity. Altisource knew or should have known about the hacker's actions, the claim said.

Lauck said the contention that Altisource had a duty to safeguard private information of another individual invoked a developing area of law: "whether or how to impose liability on a party whose potentially negligent conduct flows from a data breach.

The judge added, "Case law directly on point is sparse." Very true, that. Lauck dismissed Buck's claims against Altisource, saying he failed to establish a legal duty Altisource owned to Deutsche under Virginia law. Lauck allowed Buck to amend his complaint. To date, he has not done so.

In a July 19 joint status report, Buck and the bank reported they are hopeful about settlement. Lauck referred them to U.S. Magistrate Judge Roderick C. Young for a settlement conference.

Not all cases of bogus wiring instructions hit the public court dockets, but losses are becoming more frequent. The FBI says 662 Virginia victims were hit with scams involving business email compromise in 2018, with $18,992,122 in reported losses in this state.

The scam "continues to grow and evolve, targeting small, medium and large business and personal transactions," the FBI said in a news release last year titled, "Business e-mail compromise: The 12 billion dollar scam." Between December 2016 and May 2018, there was a 136% increase in identified global actual and attempted losses, the FBI said. The real estate sector has been heavily targeted.

A frequent aspect of a scam is the use of "money mules" in this country. When funds are diverted to a U.S. bank, often an unwitting person has been recruited through "confidence/romance scams" to receive and redirect the money, the FBI said.

Lessons? Verify all requests for a change in payment instructions. Call a known valid number of the person supposedly giving the instructions. Never call a number given in an email without verifying that it matches the number you have for that person. This is also true if the email appears to come from one of your colleagues or another lawyer involved in a deal.

You cannot assume that you are covered under your insurance policy. A good policy will specifically reference wire fraud coverage to remove all doubt about coverage. Without that reference, you cannot be SURE that you are covered. Many lawyers have discovered this to their dismay and there are multiple court cases pending across the country – not a place you want to be in. Verify your coverage – it is well worth your time. I recently did that same exercise on behalf of Sensei and found that the "wrong boxes" were checked under our cyber liability policy renewal. I have no idea how it happened, but I sure am glad I checked!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson