When Philadelphia personal injury firm Ostroff Injury Law received a message about an alleged dog bite victim looking to quickly settle claims against the dog's seemingly wealthy owner, the firm was quick to determine that the whole thing was a hoax. The injury wasn't real, the dog was fake, and, if either party existed at all, they certainly were not who they were claiming to be.

Part of the reason the firm realized the request was a hoax so quickly was because only a few weeks before the firm had received a similar inquiry involving a dog bite—only that case made it nearly to the point of disbursing more than $100,000 in settlement funds before the law firm found out it was dealing with a phony claim.

Not only had a realistic story and a fake Facebook page tricked the firm but a forged check from a major insurance carrier deceived the firm's bank into clearing the fake defendant's settlement check and giving the firm the OK to distribute the funds. And that's one of the things that disturbed firm leader Jon Ostroff the most because, according to some recent case law, even though a bank clears a phony check, it is the law firm that would most likely be on the hook for the scam.

In this case that would mean a $120,000 hit.

"Just because your bank clears your check does not mean it's authenticated," Ostroff said. "It's the plaintiff's lawyer's duty to know their client."

Since a series of scam attempts earlier this summer, the firm said it has seen several more efforts to breach its computer system or obtain settlement money for fake parties. Other attorneys have seen similar scams.

Bryn Mawr, Pennsylvania-based attorney Mark Schwartz, who represents whistleblowers, was contacted last year by a person claiming to be a Pfizer employee who had a complaint about the company's human resources department. However, suspicious details quickly started to arise—like the defendant claiming Pfizer's "board" agreed to the settlement to "avoid prolonging" the matter—and descriptions of the people involved failed to match up. Someone Schwartz consulted with also noticed that the email address claiming to be a company executive offering more than $150,000 in settlement money ended with pfizerbio.com, while email addresses for actual Pfizer employees end with pfizer.com.

Schwartz quickly backed away from the case without losing any money, but, in Schwartz's words, it was "a major pain in the butt."

The incidents are a byproduct of the increasingly tech-heavy backdrop on which cases are litigated, and provide a cautionary tale about just how orchestrated these scams can be.

According to Joshua Crumbaugh, CEO of cybersecurity company PeopleSec, although these types of schemes have been around for more than 20 years, the attacks, which are a form of so-called "phishing" attacks, are getting much more sophisticated, and are increasingly targeting lawyers.

" Phishing attacks are most definitely growing in sophistication, and it's not just with the goal of simply getting you to click on something," he said, noting that some perpetrators could be using AI to implement the schemes. "It's far more devious, and it's often happening through a series of emails."

|

The Dog Bite That Never Was

In early summer, Ostroff's firm was contacted about a man claiming to have been visiting a friend in Ambler, Pennsylvania, when a neighbor's dog came onto the property and bit his face. The purported victim claimed to be a resident of Mexico.

Ostroff received the email below:

|

According to Ostroff, the man, who claimed he was back at work on an offshore rig, provided photos of his mangled face, as well as photos after his face was stitched up and bandaged. He also sent a photocopy of his driver's license, and the name of his employer. Ostroff said he even spoke with him on the phone a few times briefly, but each time the reception was bad, given he was allegedly on the rig.

The man, Ostroff said, claimed to have already discussed the incident with the dog owner—purportedly a wealthy dog-lover, who wanted to keep the claim out of court both for reputational reasons and because he didn't want anything to happen to the dog. According to Ostroff, the initial offer, which was $120,000, was quickly upped to $180,000 to cover the firm's fee, and the victim was keen to settle the case. The plaintiff, according to Ostroff, claimed to also be a dog-lover.

Ostroff said he wasn't comfortable with the situation, but he wasn't overly suspicious by that point, given how quickly cases can move these days and how much can be done remotely.

"Now, a lot of clients, they docusign paperwork. A lot of clients are fine just retaining us by email. A lot of them want to text retainers," Ostroff said. "In this kind of environment, this kind of scam has more legs."

Ostroff's firm even found a Facebook page for the defendant dating back to 2013, complete with family photos, comments from friends, lots of pictures of dogs and an apparent connection to Penn State.

"When you do the due diligence on the defendant, he seems pretty real," Ostroff said.

There were also parts of the story that seemed very logical. The fact that the plaintiff reached out to the firm's Blue Bell office seemed natural given that the alleged incident took place in neighboring Ambler, and, as a dog-lover himself, Ostroff said he understood why the parties would want to protect the dog.

"I've defended a bunch of dog owners in dog attack cases. Their No. 1 concern is their dog," Ostroff said.

Ostroff said he still advised the client not to take the deal, but the client insisted, and eventually, the dog owner sent Ostroff's firm a forged CitiBank check for $185,000, listing insurance company Marsh as the remitter.

Ostroff sent the check to his bank, but, he said, by that point he was suspicious, so he reached out to the alleged Marsh adjuster. The adjuster never got back to him.

Ostroff received the purported check below:

|

In the meantime, the firm's chief operating officer and chief information officer, Enrico DePaolis, began finding even more to be suspicious about. According to DePaolis, the IP address from the messages did not match other information from the supposed dog bite victim, and he further came to believe that the defendant's Facebook was phony, composed of pictures from another person. DePaolis also said the check's font further led him to believe it was a forgery.

The firm's bank, however, initially cleared the check.

Normally, once a check is cleared the firm would deposit the check and send the settlement proceeds along to the client, but by that point the firm was very suspicious. Without giving too much information to the bank due to attorney-client privilege concerns, Ostroff said he pressed the bank to keep looking into the matter.

A few days later the firm's bank, which Ostroff declined to name, called to say the check was not authentic.

At that point, the firm walked away from the claim. Although the event was a waste of time in one sense, the firm walked away prepared for the next phony-client scheme that would come only weeks later.

|

Prevention

Ostroff said that, along with bringing in DePaolis as CIO, the firm has trained staff members to help better identify potentially problematic inquiries. They've also added another layer of review to their intake process, and have worked to raise the firm's common-sense awareness of the issue.

"The key thing is we gave our employees the awareness of what's going on," DePaolis said. "That's what brought them to say, 'Hey, could you look at this?'"

Crumbaugh said this type of training, as well as having cybersecurity firms perform fake phishing attacks as a way to expose people to these types of scams, is the best way to combat these types of schemes.

"The easiest way in to any company, or network, is to target the human element, and the bad guys know that," Crumbaugh said.

According to Ostroff, he was hesitant to come to the media about the incident, but, he said, spreading awareness was an important step in preventing other firms from falling for the same scheme.

"If the settlement smells suspicious, don't disburse it," he said.