Law Firms Remain Vulnerable to Wire Transfer Scams, as Liability and Breach Costs Grow
A lawsuit against Holland & Knight alleging the firm didn't do enough to prevent a wire transfer scam echoes a similar case involving Dentons.
July 28, 2020 at 02:08 PM
The original version of this story was published on The American Lawyer
The most striking thing about the recent cyber scam lawsuit filed against Holland & Knight—which alleges that the firm mistakenly sent $3 million to a fraudulent account in Hong Kong—may lie not in the dollar figure, but the frequency of similar alleged attacks against firms.
"These attacks are super common," said Lewis Brisbois Bisgaard & Smith data security partner Christopher Ballod about wire transfer scams. "The number is big, but I will tell you I have a few cases that are above [$1 million transferred] right now. Above a million is uncommon, but I wouldn't even categorize it as rare."
Law firms are at an even greater risk of cybersecurity liability this year, with scores of law firm employees working from home as well as data-related regulatory laws and subsequent enforcement actions both trending upward.
Ballod, who advises companies and law firms that have suffered data breaches, said he's already seen a massive uptick in breaches, involving wire transfers and other types of cyber fraud.
"We're extremely busy," Ballod said. "There's a simple principle at play: If you broaden the attack surfaces, you'll have more attacks at play," he added, referring to the increased risk from more network entry points.
According to the recent lawsuit against Holland & Knight, the law firm was hired to oversee a $3 million stock sale. But amid the deal, scammers intercepted emails between the firm and plaintiffs. They then assumed the plaintiff's identity and asked that the wire be sent to an account based in Hong Kong instead of the original account.
The plaintiffs, the Sorenson Impact Foundation and the James Lee Sorenson Family Foundation, allege that Holland & Knight did not call to verify the account change, nor did they secure a medallion guarantee—a guarantee from a financial institution—as put forth in the merger agreement between the firm and involved parties. For that, the plaintiffs are alleging breach of contract and negligence and that the firm breached its fiduciary duties.
In a previous statement on the lawsuit, Holland & Knight spokeswoman Olivia Hoch said the firm's "information technology system was not compromised in any way." She added that the plaintiffs were not clients, and "the firm acted on wiring instructions received from the plaintiff's email system by providing the instructions to the paying agent."
The allegations are eerily similar to a case involving Dentons' Canadian arm in 2017. According to a court ruling in that case, Dentons mistakenly sent $2.5 million to a fraudulent Hong Kong-based account after scammers breached emailed communications and assumed the identity of the company receiving the money.
Behind the assumed identity, scammers told the firm that their original account was being audited and directed Dentons to send the money to a new, Hong Kong-based account.
In that case, Dentons called the recipient to confirm the account change but didn't get through and left a voicemail. The scammers then forged documents and authorisation letters and sent them to the firm. Although they never got a call back from the real recipients, the firm sent the money anyways.
In a previous statement on the case, Dentons Canada spokeswoman Neetisha Seenundun said that the firm has not been targeted by the phishing scheme at any other point, and that the firm provides "extensive training" to its lawyers and employees on cybersecurity issues.
In wire transfer scam cases, the bad actors leverage what cybersecurity experts call the "human firewall" by manipulating employees and lawyers to hand over their credentials. These sorts of vulnerabilities circumvent technology by targeting employees who, for one reason or another, let their guard down or forgot their training.
Many scams could likely be avoided if a lawyer calls to verify the transfer information over the phone, as is best practice, Ballod said. While working from home may increase general cybersecurity liability, attacks like a wire transfer scheme can happen regardless of whether an employee is at home or in the office, cybersecurity experts add.
Total Costs
Looking at cybersecurity liability in general, security firm LogicForce found last year that, despite recent strides, the legal industry "remains very vulnerable to cybersecurity attacks." Less than the majority of law firms surveyed implement advanced data protection techniques such as multifactor authentication or full disk encryption on all devices, its 2019 report found. Only about half of the companies surveyed have an executive-level IT specialist.
The litigation costs resulting from a cybersecurity lapse can be substantial. In cases of wire fraud where multiple parties are at some fault—a law firm for not calling for verification and the intended recipient's email security measures being breached—both sides usually come to a compromise before litigation.
In other cases, failure to contain a breach can lead to class action lawsuits, unaffordable legal malpractice premiums or harm to the firm's reputation.
With the rise of data privacy laws in Europe and the U.S., potential liability now increasingly includes regulatory and compliance litigation, said David Shonka, a data privacy partner at Washington, D.C., firm Redgrave. The California Consumer Privacy Act, or CCPA, began enforcement July 1. The law lays out breach reporting requirements, noncompliance fines and allows California consumers a way to bring private actions for data breaches.
Europe has long had its own privacy laws. Brazil and India have also passed similar versions. And Shonka said there are indications that more states will adopt similar laws.