Published in NH Bar News (4/21/2021)
Law firms commonly handle large electronic funds transfers for clients and ourselves. A few examples include M&A and real estate transactions, investment and lending transfers from banks and equity firms, litigation and family law payments between parties, tax refunds, corporate distributions, transfers to and from our IOLTA accounts, payments to us from clients and from us to vendors and other third parties, and employee payroll. While we may actually initiate and handle the funds for some of these transactions, we also often are responsible for providing directions to others for these transactions, even if we do not handle the funds ourselves.
As a result, law firms are valuable targets for cyber financial crime. We also are vulnerable targets because, unlike banks and other large institutions, law firms generally have not invested comparable resources into security controls to prevent this type of crime.
Threats Are Ubiquitous and Unavoidable
Most cyber financial crime starts with an intrusion into the email account of an individual who has a role in the transaction. Intrusions often originate when an individual clicks a malicious link in a phishing email, visits a website that downloads malware to his or her laptop or mobile device, or uses an unsecured network that permits criminals to download malware. This initial malicious activity is usually invisible to the individual, who has no idea that criminals have gained access to his or her laptop, mobile device, and email account.
Once the criminals have done so, they watch and wait. They gather details about the transactions the individual is involved with, and learn the habits and communication styles of all of the individuals involved in the transaction. They wait until the most opportune moment, then intervene in the email stream to provide payment instructions for their own accounts, while simultaneously ensuring that all emails are redirected through them so other individuals in the chain cannot detect the fraud. They often even use an account with the same bank as the intended recipient, so that the fraud may be more difficult to detect.
The compromised individual could be any person in the chain of a transaction. As lawyers, we certainly could be compromised, permitting criminals to impersonate us and instruct another person in the chain to direct a payment meant for us or our client to themselves. However, other individuals may be equally or more at risk, such as our clients, other counsel, other parties, mediators, experts, vendors, and other third parties. Their vulnerability threatens us, because criminals who have control of their email accounts can direct us or our clients to transfer funds meant for someone else to the criminals.
Determining who is “at fault” in these circumstances is rarely obvious. Is the individual whose email was hacked solely at fault? Does the person who failed to verify the authenticity of the payment instruction have responsibility? Even more significantly, particularly in the short term, the money is likely gone, and the individuals (and their carriers, if coverage exists) are left to fight among themselves about how to deal with a difficult situation.
In times past, cyber financial criminals used awkward language and stilted schemes. But those times are now in the past. These criminals are sophisticated, and this activity is very difficult to detect by just paying close attention to email. As lawyers, we need to implement additional mechanisms to prevent and mitigate this type of crime.
Mechanisms to Prevent and Mitigate Cyber Financial Crime
Multifactor authorization is the most important mechanism to prevent this activity. Many people are familiar with multifactor authentication, which requires individuals to have at least two methods to authenticate themselves when logging in to a system, such as a password and a code sent to their mobile devices. Multifactor authorization requires at least two different methods to ensure that payment instructions are legitimate and transactions are authorized.
The multiple factors to authorize a transaction could be manual, in that they are implemented by humans, but are more effective if technologically mandated. For example, as lawyers, we should have an inflexible rule for ourselves and our staffs that all payment instructions (when initially provided and whenever changed) are confirmed through at least two reliable mechanisms to verify the legitimacy of the authorization to make the payment and the details of the account. An email may be one factor, while a video or phone call to the individual confirming authorization to make the payment and account details could be the second factor. It also may be appropriate in some circumstances to verify with the receiving bank that the owner of the receiving account is the intended recipient. And, for particularly large or sensitive transactions, law firms may require individuals to log in to our own secure portals or use our own secure upload links to provide or receive payment instructions to or from us.
Lawyers also should implement additional technological mechanisms to prevent theft from our own accounts. For example, significant payments out of our IOLTA and other accounts, transfers between two of our accounts, creating payees for electronic transfers, and other activities that are indicative of potential fraud should require at least one individual to log in to the accounts (using multifactor authentication) to initiate such transactions, and a second individual to separately log in to the accounts (using different login credentials) to approve the transactions before they can be consummated. For certain transactions, it may be appropriate to require our financial institutions to verify the legitimacy of the transactions through a video or phone call to a designated individual. Law firms also can implement “positive pay” with banks, ensuring that they only honor checks and permit transactions that we authorize through a specific file upload.
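The two controls described above (out-of-band confirmation of payment instructions whenever they are first provided or changed, and dual control with separate credentials for releasing a transfer) can be modeled in a few lines. The following is an added illustration written for this article, not any firm's or bank's system; the class names, the "phone" channel label and the sample payee details are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class PaymentInstruction:
    payee: str
    account: str   # constructed sample values below, not real bank data

@dataclass
class InstructionRegistry:
    """Payment details count as verified only after confirmation on a second,
    independent channel (call to a known number, video call, firm portal)."""
    confirmed: dict = field(default_factory=dict)  # payee -> confirmed details

    def receive_by_email(self, instr: PaymentInstruction) -> str:
        # Email is at most one factor; anything new OR changed since the last
        # out-of-band confirmation must be re-verified before it is used.
        if self.confirmed.get(instr.payee) == instr:
            return "matches_confirmed"
        return "needs_second_factor"

    def confirm_out_of_band(self, instr: PaymentInstruction, channel: str) -> None:
        if channel == "email":
            raise ValueError("second factor must be independent of email")
        self.confirmed[instr.payee] = instr

@dataclass
class Transfer:
    """Dual control: initiator and approver must be different people, and the
    payee details must match what was confirmed out of band."""
    instr: PaymentInstruction
    amount: float
    initiated_by: str

    def approve(self, approver: str, registry: InstructionRegistry) -> bool:
        if approver == self.initiated_by:
            raise PermissionError("approver must differ from initiator")
        if registry.receive_by_email(self.instr) != "matches_confirmed":
            return False  # block: details never confirmed on a second channel
        return True

def demo() -> dict:
    """Constructed walk-through: a confirmed payee, then an emailed 'update'."""
    reg = InstructionRegistry()
    original = PaymentInstruction("Seller LLC", "000123")
    reg.confirm_out_of_band(original, "phone")  # verified by call to a known number
    changed = PaymentInstruction("Seller LLC", "999888")  # new account arrives by email
    results = {"original": reg.receive_by_email(original), "changed": reg.receive_by_email(changed)}
    results["release"] = Transfer(changed, 250_000.0, "paralegal").approve("partner", reg)
    return results
```

The emailed change of account number is flagged as needing a second factor, and the transfer built on it is refused at approval even though a different person approves it.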
In addition to implementing mechanisms to prevent crime, we need to protect our clients and ourselves by ensuring that liability is allocated by contract and by having appropriate cyber crime insurance for potential losses. For example, contracts between parties to a transaction should contain provisions detailing the manner in which payment instructions will be provided and confirmed, allocating liability to parties that fail to comply with those obligations, and requiring all parties to have appropriate insurance. Our engagement letters with clients and contracts with vendors and other third parties should contain similar provisions.
Immediate Response Is Imperative
If a lawyer or client is in the chain of a cyber financial crime, immediate response is imperative. Many banks place a hold on large transfers for a day or two before permitting the account holders to withdraw some or all of the funds. Also, if the criminals have transferred the funds to debit cards, it may take them a day or two to spend or transfer the funds on the cards. Immediate response may enable recipient banks to freeze the accounts or cards before all the money is gone.
While banks can be helpful (sometimes), involving law enforcement is typically necessary. Privacy laws restrict banks from disclosing the identities of account holders and amounts of funds in accounts. Assistance from law enforcement through warrant procedures is usually needed to obtain information about the accounts and secure the return of any remaining funds.
Law firms are valuable and vulnerable targets for cyber financial crime because of our integral role in many significant electronic funds transfers. We owe it to ourselves and our clients to understand this risk, implement mechanisms to prevent and mitigate it, and know how to respond immediately if funds are stolen.