Firms Are Fending Off Phishing Schemes Involving Fake Clients
Since a series of scam attempts earlier this summer, one Philadelphia firm said it has seen several more efforts to breach its computer system or obtain settlement money for fake parties. Other attorneys have seen similar scams.
September 10, 2019 at 01:00 AM
The original version of this story was published on The Legal Intelligencer
When Philadelphia personal injury firm Ostroff Injury Law received a message about an alleged dog bite victim looking to quickly settle claims against the dog's seemingly wealthy owner, the firm was quick to determine that the whole thing was a hoax. The injury wasn't real, the dog was fake, and, if either party existed at all, they certainly were not who they were claiming to be.
Part of the reason the firm recognized the hoax so quickly was that, only a few weeks earlier, it had received a similar inquiry involving a dog bite. That case, however, made it nearly to the point of disbursing more than $100,000 in settlement funds before the law firm found out it was dealing with a phony claim.
Not only had a realistic story and a fake Facebook page tricked the firm, but a forged check from a major insurance carrier also deceived the firm's bank into clearing the fake defendant's settlement check and giving the firm the OK to distribute the funds. That is one of the things that disturbed firm leader Jon Ostroff the most because, according to some recent case law, even though a bank clears a phony check, it is the law firm that would most likely be on the hook for the scam.
In this case that would mean a $120,000 hit.
"Just because your bank clears your check does not mean it's authenticated," Ostroff said. "It's the plaintiff's lawyer's duty to know their client."
Since a series of scam attempts earlier this summer, the firm said it has seen several more efforts to breach its computer system or obtain settlement money for fake parties. Other attorneys have seen similar scams.
Bryn Mawr, Pennsylvania-based attorney Mark Schwartz, who represents whistleblowers, was contacted last year by a person claiming to be a Pfizer employee who had a complaint about the company's human resources department. However, suspicious details quickly started to arise (like the defendant claiming Pfizer's "board" agreed to the settlement to "avoid prolonging" the matter), and descriptions of the people involved failed to match up. Someone Schwartz consulted with also noticed that the email address used by the person claiming to be a company executive offering more than $150,000 in settlement money ended with pfizerbio.com, while email addresses for actual Pfizer employees end with pfizer.com.
Schwartz quickly backed away from the case without losing any money, but, in Schwartz's words, it was "a major pain in the butt."
The incidents are a byproduct of the increasingly tech-heavy backdrop against which cases are litigated, and they provide a cautionary tale about just how orchestrated these scams can be.
According to Joshua Crumbaugh, CEO of cybersecurity company PeopleSec, although these types of schemes have been around for more than 20 years, the attacks, which are a form of so-called "phishing" attacks, are getting much more sophisticated, and are increasingly targeting lawyers.
"Phishing attacks are most definitely growing in sophistication, and it's not just with the goal of simply getting you to click on something," he said, noting that some perpetrators could be using AI to implement the schemes. "It's far more devious, and it's often happening through a series of emails."
The Dog Bite That Never Was
In early summer, Ostroff's firm was contacted about a man claiming to have been visiting a friend in Ambler, Pennsylvania, when a neighbor's dog came onto the property and bit his face. The purported victim claimed to be a resident of Mexico.
Ostroff received the email below:
According to Ostroff, the man, who claimed he was back at work on an offshore rig, provided photos of his mangled face, as well as photos after his face was stitched up and bandaged. He also sent a photocopy of his driver's license, and the name of his employer. Ostroff said he even spoke with him on the phone a few times briefly, but each time the reception was bad, given he was allegedly on the rig.
The man, Ostroff said, claimed to have already discussed the incident with the dog owner—purportedly a wealthy dog-lover, who wanted to keep the claim out of court both for reputational reasons and because he didn't want anything to happen to the dog. According to Ostroff, the initial offer, which was $120,000, was quickly upped to $180,000 to cover the firm's fee, and the victim was keen to settle the case. The plaintiff, according to Ostroff, claimed to also be a dog-lover.
Ostroff said he wasn't comfortable with the situation, but he wasn't overly suspicious by that point, given how quickly cases can move these days and how much can be done remotely.
"Now, a lot of clients, they docusign paperwork. A lot of clients are fine just retaining us by email. A lot of them want to text retainers," Ostroff said. "In this kind of environment, this kind of scam has more legs."
Ostroff's firm even found a Facebook page for the defendant dating back to 2013, complete with family photos, comments from friends, lots of pictures of dogs and an apparent connection to Penn State.
"When you do the due diligence on the defendant, he seems pretty real," Ostroff said.
There were also parts of the story that seemed very logical. The fact that the plaintiff reached out to the firm's Blue Bell office seemed natural given that the alleged incident took place in neighboring Ambler, and, as a dog-lover himself, Ostroff said he understood why the parties would want to protect the dog.
"I've defended a bunch of dog owners in dog attack cases. Their No. 1 concern is their dog," Ostroff said.
Ostroff said he still advised the client not to take the deal, but the client insisted, and eventually, the dog owner sent Ostroff's firm a forged Citibank check for $185,000, listing insurance company Marsh as the remitter.
Ostroff sent the check to his bank, but, he said, by that point he was suspicious, so he reached out to the alleged Marsh adjuster. The adjuster never got back to him.
Ostroff received the purported check below:
In the meantime, the firm's chief operating officer and chief information officer, Enrico DePaolis, began finding even more to be suspicious about. According to DePaolis, the IP address from the messages did not match other information from the supposed dog bite victim, and he further came to believe that the defendant's Facebook page was phony, composed of pictures from another person. DePaolis also said the check's font further led him to believe it was a forgery.
The firm's bank, however, initially cleared the check.
Normally, once a check is cleared the firm would deposit the check and send the settlement proceeds along to the client, but by that point the firm was very suspicious. Without giving too much information to the bank due to attorney-client privilege concerns, Ostroff said he pressed the bank to keep looking into the matter.
A few days later the firm's bank, which Ostroff declined to name, called to say the check was not authentic.
At that point, the firm walked away from the claim. Although the event was a waste of time in one sense, the firm walked away prepared for the next phony-client scheme that would come only weeks later.
Prevention
Ostroff said that, along with bringing in DePaolis as CIO, the firm has trained staff members to help better identify potentially problematic inquiries. They've also added another layer of review to their intake process, and have worked to raise the firm's common-sense awareness of the issue.
"The key thing is we gave our employees the awareness of what's going on," DePaolis said. "That's what brought them to say, 'Hey, could you look at this?'"
Crumbaugh said this type of training, along with having cybersecurity firms perform fake phishing attacks to expose people to these scams, is the best way to combat such schemes.
"The easiest way in to any company, or network, is to target the human element, and the bad guys know that," Crumbaugh said.
According to Ostroff, he was hesitant to come to the media about the incident, but, he said, spreading awareness was an important step in preventing other firms from falling for the same scheme.
"If the settlement smells suspicious, don't disburse it," he said.