'Spear-Phishing' Is a Growing Cyberthreat to Law Firms—and Expensive Tech Can't Stop It
A three-lawyer shop in suburban Philadelphia and the largest law firm in the world have both fallen victim to it, multimillion-dollar cybersecurity technology can do little to guard against it, and once the damage is done it's all but irreversible. "Spear-phishing" is a growing concern for law firms of all sizes.
February 25, 2019 at 03:58 PM
“Spear-phishing”—a cyberscam in which a target is induced to reveal confidential information or transfer money by a hacker impersonating, via email, someone the target knows—is a growing concern for law firms, particularly those whose practices involve initiating monetary transactions on behalf of clients.
Cybersecurity lawyers said the key to avoiding such a trap lies in administrative, rather than technical, controls. Firms, they said, must establish clear policies and precautions for dealing with requests for sensitive information and large sums of money.
The spear-phishing schemes targeting law firms today are a more sophisticated, insidious twist on the “old” email scams in which hackers impersonated colleagues and loved ones supposedly stranded in some foreign locale and in need of fast cash. They often involve very convincing emails that appear to come from partners and clients, giving detailed instructions for wiring large sums of money.
In many cases, cybercriminals are able to pull off plausible impersonations because they've been monitoring real emails between attorneys and clients and have accessed confidential information about specific transactions.
“A lot of times, quite literally, the email [system] has been compromised,” said Richard Borden, a partner at White and Williams in New York and the firm's chief privacy officer. “What that means is that [the hackers] are in the middle of the conversation. They're watching it. Sometimes you get an email that looks like it's from a similar place as someone you know and sometimes they've gotten that person's credentials and they're actually sending emails from a valid email address.”
There are two recent examples of spear-phishing attacks against law firms that illustrate how vulnerable organizations of all sizes are to such breaches.
In late 2017, three-lawyer real estate and corporate transactional law firm O'Neill, Bragg & Staffin, based in Warminster, fell prey when a hacker posed as a partner of the firm, Gary Bragg, and emailed another partner about a loan transaction of which the hacker seemed to have intimate knowledge.
In the correspondence, the hacker addressed partner Alvin Staffin by his nickname, Mel, making the ruse even more convincing, and asked for a $580,000 transfer from the firm's IOLTA sub-account to the Bank of China on behalf of a client.
Bank of America made the transfer at Staffin's request. After the transfer was made, Staffin called Bragg to discuss it, finding out only then that Bragg had no knowledge of the $580,000 request.
According to the complaint, the client's account held only $1,900, far short of what was needed to cover the transfer. However, the plaintiffs claimed, Bank of America drew from the firm's other IOLTA sub-accounts, belonging to other clients, to cover the fraudulent transfer.
The firm sued Bank of America for failing to stop the transfer once it had been notified of the breach, but in November, a federal judge for the Eastern District of Pennsylvania dismissed the action, finding that the firm failed to show that the bank breached any agreement, violated federal regulations or breached the Pennsylvania Commercial Code.
At the time it filed its complaint, the firm had recovered only $58,000.
It may be tempting to view that episode as simply a case of a small firm proving to be no match for sophisticated cybercriminals. However, as revealed in recent court documents, 8,700-lawyer multinational law firm Dentons was swindled by a similar con in early 2017.
According to the Canadian court ruling, the breach affected the Canadian arm of Dentons during a real estate transaction handled by the firm's Vancouver office. In early 2017, after the real estate deal closed, associate Wilfred Chan was supposed to arrange for some $2.52 million to move from Dentons' trust account to Timbercreek Mortgage Servicing Inc., which held a mortgage on the property that was sold.
Before the transfer, however, Dentons received emails from people who appeared to be affiliated with Timbercreek. The emails indicated that one of Timbercreek's accounts was subject to an audit and asked for Dentons to send the money to an international account in Hong Kong, held by a third-party called Yiguangnian Trade Co. Ltd., according to Judge Carole Brown of the Superior Court of Justice for Ontario's decision.
Following that, the Dentons side attempted to verify, leaving a voicemail at Timbercreek and seeking letters of authorization from the mortgage servicer and the Yiguangnian entity. Although Dentons didn't receive a phone call back, it did receive what appeared to be authorization letters from Timbercreek and Yiguangnian. The law firm then went ahead with the transfer, sending the $2.52 million to the Hong Kong account, according to the court ruling.
A couple of weeks later, Chan heard from the real representatives of Timbercreek wondering what happened to the wired funds, and the Dentons lawyer realized the money had been misdirected into a scam account.
The law firm managed to recoup about $785,000 on its own, but then put in an insurance claim with Trisura to cover a remaining amount of about $1.73 million. The insurer, however, denied coverage on the grounds that the situation didn't fall under a computer fraud rider to Dentons' insurance policy, and the firm filed suit in the Superior Court of Justice for Ontario, where proceedings are ongoing.
Borden said the vast majority of spear-phishing scams are aimed at inducing a target to wire money, as opposed to gaining access to confidential information.
To the extent that hackers are seeking private data from law firms by impersonating clients and colleagues via email, that type of scheme can typically be thwarted by simply encrypting all sensitive documents before sending them, Borden explained. But guarding against an attempt to induce a fraudulent wire transfer requires significantly more legwork.
“Any wire that's going to be initiated for any reason has to be verbally confirmed,” Borden said, adding, “You need to confirm everything. I don't care if it's inconvenient. I don't care if it slows the deal down. You don't trust anything that comes off the email or a fax.”
But, he continued, lawyers seeking to verbally confirm a wire transfer request must also be careful to use a phone number they know will connect them to the correct person—not necessarily the phone number listed on the email that made the initial request.
“The email will have a phone number on it and they'll talk to you,” Borden said. “They may even have a call center set up to do it.”
And while it may seem that a firm's best defense against spear-phishing attempts would be to block unauthorized access to its email servers in the first instance, Borden said that's simply not a realistic solution.
“The information security people I know would say you have to assume that [hackers] are in the system and that they're going to get in in some way or another,” he said. “The goal is to try to prevent them from getting to places that are sensitive.”
Moreover, for some practices, trusts and estates for example, enough information is publicly available to allow an impostor to craft a convincing request for a monetary transfer without compromising any email account, according to Daniel Siegel, who runs a small Havertown-based litigation firm and also serves as technology consultant for fellow attorneys.
“It's not necessarily that someone's been hacked,” he said.
Siegel, who co-chairs the Professional Development Board of the American Bar Association's Law Practice Division, said combating spear-phishing attacks was one of the topics discussed at the ABA's Midyear Meeting in late January.
“What you're talking about is out there,” he said. “It's a problem.”