Cyber Fraud and Cyber Security—What’s this all about?
We can hardly pick up a legal publication these days, or even a daily newspaper for that matter, without reading about cyber security and resultant cyber fraud. Today, law firms experience security breaches, cyber fraud and victimization like every other professional endeavor, industry or occupation. When lawyers are victimized by cyber fraud, it is rarely seen in the popular media – but it is and has been reported in legal publications often and extensively. But if the reader is like me, you usually don’t bother reading those articles – especially those of us who are long in the tooth, practitioners from another generation.
This article does not deal with the broad category of potential cyber crimes. Here we are only dealing with the attorney, and therefore his client, whose email address was used to misdirect a wire transfer to or from a client. And please note: this type of victimization is (arguably) not insured against for loss by any of the attorney’s insurance coverages, malpractice, property/casualty, or any other that a law office can purchase. More on this later.
According to a recent report from the National Association of Realtors, cybercrime will cost businesses over $2 trillion annually by 2019. The IRS annually publishes its list of the “dirty dozen” tax schemes. At the top of the list is “phishing,” which is a process where a targeted individual is contacted by email or telephone by someone posing as a legitimate institution to lure the individual into providing sensitive information such as banking information, credit card details, and passwords, or variations of the internet scheme.
According to the IRS, “taxpayers need to be on guard against fake emails or websites looking to steal personal information.” Other such scams include: abusive tax shelters, fake charities, refund preparer fraud and hiding income with fake documents. The full list can be found on the IRS website (www.irs.gov).
I have now become acutely aware of these growing criminal activities in my capacity as chairman of the Illinois State Bar Association/Mutual Insurance Company underwriting committee. All the malpractice insurance carriers are now faced with claims and potential claims concerning fraudulent wire transfer instructions conveyed through pirated emails, often to clients. These problems have arisen in real estate closings, for example.
Claim Departments are handling matters such as:
• An insured instructs his or her client to wire money, and the email is intercepted and the wiring instructions changed. The client then wires money to the fraudulent account, contrary to the insured’s instructions.
• Another reported matter involved a lawyer who ended a real estate transaction for his client without “closing” after the insured’s client wrongly wired money to a fraudulent account and the appropriate party, the seller, was not paid.
• Another scheme involved insureds receiving fraudulent checks from “new clients” who contacted the lawyer over the internet, either directly or by referral. The insured deposits the fraudulent check into his or her client funds account, and the new “client” instructs the lawyer to wire money to fraudulent accounts, though the deposited checks were never cleared in the lawyer’s account.
Lawyer malpractice insurance underwriting committees are asked to consider the future direction of the availability and level of coverage for claims arising out of such phishing/wiring schemes, which have resulted in potential and actual loss for their policyholders and/or their clients. These schemes are expected to continue in the future and more claims are anticipated.
It can be argued, as mentioned above, that these wire transfer schemes are not covered by most lawyer malpractice policies. The policy language of most lawyer malpractice insurance requires that a claim arise out of a “Wrongful Act” which is defined in pertinent part as follows:
any actual or alleged negligent act, error, or omission in the rendering of or failure to render Professional Services, including personal injury committed by an Insured in the course of rendering professional services;
Generally, a policy defines “Damages,” “Personal Injury” and “Professional Services” in pertinent part as follows:
Damages mean all sums which an Insured is legally obligated to pay for any Claim to which this Policy applies including judgments, settlements, final arbitration awards, and any taxes, fines, penalties incurred by a third party.
The lawyer malpractice carrier can argue that, in these wire transfer schemes, there was no malfeasance by the insured lawyer, no negligence, no act or omission for which any damage to the client should be indemnified against. Clearly, the lawyer, like the client, was victimized – but without any act or omission on the lawyer’s part.
I think that a strong counter argument can also be made that the “victimized” attorney did not exercise best practices to prevent the potential of this event occurring, ergo, negligence by omission – malpractice. Of course, this begs the question of what are the best practices to protect against wire transfer/phishing fraud?
To emphasize this point, one of the most respected “coverage” counsel lawyers in our legal community believes that, if asked, he could successfully argue that wire transfer (phishing) frauds are not covered by your typical lawyer malpractice policies. When asked, he offered the following:
A lawyer’s professional liability policy covers professional services, not the operation of a business such as a law firm. A lawyer’s policy, unless endorsed, does not cover non-professional services claims.
The question of whether an attorney’s failure to maintain a secure email account is a “professional service” so as to be covered by a professional liability policy is an untested issue. There may be insurance for such claims on the market but it is not typically purchased by attorneys.
There is a difference between acts which require skills typified by the professional and ordinary activities of running a business. Arguably, tasks performed by lawyers are not considered professional services if they are ordinary activities that can be completed by those lacking legal knowledge and skill. One court, commenting on a lawyer’s billing practices stated that “[w]e are not aware that courses in billing clients appear in law school curricula. The billing function is largely ministerial. There are elements of experience and judgment in billing for legal services, but the same goes for pricing shoes. As billing is not a professional service, it does not come within the coverage of a professional liability policy.” Continental Casualty Co. v. Bertucci, 399 Ill.App.3d 775, 786-87 (1st Dist. 2010), quoting Reliance National Insurance Co. v. Sears, Roebuck & Co., 58 Mass. App. 645, 648, 792 N.E.2d 145, 148 (2003).
In closing, it has become crucial that attorneys avoid using email or internet-based communications with clients, banks, closing agents, and/or opposing counsel in relation to wire transfers and/or funding instructions, regardless of the inconvenience more conventional means of communication might create.
Remember, every time a wire transfer instruction is transmitted via the internet, that wire transfer instruction is subject to being pirated by internet hackers. Computer hackers “phish” the internet for emails containing the terms “wire” and “transfer.”
The use of email wire transfer instructions in connection with real estate closings is too much of a risk. Email communications of wire transfer instructions should be avoided. Best practice: do not email wire transfer instructions.
A suggested protection (best practice?) may be to require your clients to sign an agreement that they will not engage in the use of email in connection with wire transfers of funds. Include a provision stating that you will never email wire transfer instructions to them so, should your clients receive an email purportedly from you instructing them to wire funds, whether the instruction comes in the form of a text in the email or as an attachment, they should not wire funds but instead they should immediately contact you. Perhaps provide your clients with written direction that, when wiring funds, your clients must direct their bank to confirm receipt of the funds by the intended recipient.
Just recently, in late June of 2016, all Illinois attorneys received an email from the Illinois Attorney Registration and Disciplinary Commission warning that computer hackers are targeting practitioners using “phishing” so as to invade/breach their systems.
The scam involved an email titled “client complaint,” or some other alarming subject line, purportedly sent from the ARDC. Once that item is “clicked on,” the attorney becomes a victim and all his or her computer data, records, etc., are invaded.
Like the a fortiori warning to never open an attachment in a spam email, be cautious of these fraudulent “disciplinary warning” emails that are being received by lawyers all over the country.
While real estate transactions continue to be the primary focus of the wire transfer/phishing schemes, the schemes are expanding to all transactions involving the wire transfer of funds. Using the internet to communicate wire transfer instructions is no longer safe even when you believe that your firm’s computer system is secure from hacking or identity theft.