By Henry J. Dane
No one is immune to cyber-fraud, so why does everyone think it won’t happen to them? Lawyers are still getting nailed every day with altered or fabricated wire instructions that they believe to be authentic. This is definitely not “old news” yet. Some of the frauds are very sophisticated and cleverly disguised to look genuine using names of parties, attorneys and brokers involved in the transaction, forging logos and similar looking email addresses and containing information (presumed to be confidential) that vouches for their genuineness.
When asked why he robbed banks, the well-known stickup artist, Willie Sutton, said “Because that’s where the money is”. But today a bank holdup will rarely net the kind of money that conveyancing attorneys handle every day, hundreds of thousands if not millions of dollars which can be stolen without a gun, a mask or a brown paper bag. And yet, even smart attorneys are still sending out this kind of money every day based on information given, or more frequently, changed at the last minute by a telephone call, a scrap of paper or an email from an unverified source.
Think about it this way, If you were a bank, the person giving you the instructions would need to have a unique user name and a password (8 characters, upper and lower case, a number and a special character) to pay your $49 phone bill. Although it hasn’t been suggested that attorneys assign user names and passwords to clients, fellow attorneys, brokers and mortgage lenders, it wouldn’t help much even if we did because we cannot limit incoming communications to known and verified originators if we are going to effectively conduct our business or theirs. And the problem for us is as much what goes out online as what comes in.
The banks aren’t doing that well either, and the crooks are doing to banks what has been working on lawyers. If the front door is double bolted with a couple of steel bars and a combination lock, just walk around to the back of the building and climb in an open window.
Take for example, the Berkshire Bank case brought in the US District Court in Boston (Jacobs v. Berkshire Bank, USDC 3:16-dv-30190-MGM). The following information comes from the Complaint which I have taken at face value. The bank has 90 branches in 4 states and belongs to a holding company with total assets close to $8billion. Not a mom and pop operation. The Plaintiff, Mr. Jacobs, one of the bank’s customers periodically sent emails to his “personal banker” who he believed to be an employee of the bank, asking her to wire out funds from his account. These earlier transactions were remarkable only in that they were the set up for what was to follow. On October 17, 2016, while Mr. Jacobs was travelling in Europe, an imposter impersonating him sent an email requesting that $580,000 be wired to a bank in Hong Kong. The wire was originated (either with no, or inadequate measures to verify the authenticity of the request). The next day another email was received asking how much money remained in the account. The “personal banker” responded that $1,590,000 remained in the account (but not for long). There was an opportunity to salvage the situation when the original $580,000 wire bounced. Not to be deterred, the “personal banker” sent the wire again, this time successfully putting the funds in the hands of the imposter. Then, on October 24, responding to a similar email, another $826,000 was sent to another bank in Hong Kong. On his return, Mr. Jacobs found out about the unauthorized wires, asked the bank to restore the funds and the bank disavowed any liability. (The Bank, in its Answer filed on February 10, alleges in part that the “personal banker” was “performing personal services for Mr. Jacobs and his business, including but not limited to serving as his personal bookkeeper and in conducting banking transactions for him, she was doing so as his employee, agent and authorized signer on the account.”)
Without any knowledge of this particular situation, but based on my experience with similar instances, the bank had much better security against electronic intrusion than Mr. Jacobs. By means of one of the commonly used methods, the imposter could have gained access to Mr. Jacob’s computer or the password to Mr. Jacobs’ email account. He would then be able to send a request to the “personal banker” that appeared to be genuine. Probably, by the same means, the imposter was also able to determine Mr. Jacobs’ travel plans, so he would know when it would be difficult to verify the instructions by making a phone call to the account holder.
Because the bank had good security for online financial transactions and access to customer financial information was protected with user names, passwords and perhaps even two factor authentication, the thieves decided to ignore the secure part of the system, and to just ask for the money by sending an email to a vulnerable employee. Such a request did not require a signature, a withdrawal slip, a picture ID, no last 4 of the social, no mother’s maiden name. Just an email purporting to be from a customer saying “here are some wire instructions, please send the money.”
What happened to Berkshire Bank and Mr. Jacobs is very similar to the fraud used to steal closing funds from attorneys. According to my sources, this is how it works:
1. The thieves identify properties for sale through one of many online listing services or brokers web sites;
2. They send the chosen brokers an email containing a link that, when opened, either enables the thief to obtain the email or computer password of broker or the imposter claims to be the system administrator asking the broker to change his or her password which the link then transmits to the thief. Real estate brokers do not typically invest in good internet security, and many individual brokers have their own private email accounts with little or no security.
3. Once the thief penetrates the broker, all the information regarding the sale is potentially available: names and email addresses of parties, closing date, copies of offers and purchase agreements, amount of proceeds etc. and most importantly, the name and email address of the conveyancing attorney who is going to be distributing the seller proceeds.
4. Other participants including buyer and sellers are likewise vulnerable to infiltration because of weak security but it is more work to find them than it is to identify properties that are on the market from online listings.
5. Based on the information obtained, the thief sends the closing attorney an email asking that the wire instructions formerly given be changed to a different account (sometimes even in the same bank as the authentic instructions) which will be cleared and closed by the thief as soon as the money is received. Using the information obtained from the infiltrated computers, it is not difficult to make these emails look authentic.
If the conveyancing attorney has not avoided the dilemma by declaring in advance that wire instructions transmitted by email will not be honored, it is at this point in the transaction that the conveyancing attorney must intervene either to authenticate the instructions or to ignore the instructions and decide to send a check by overnight carrier (in such a situation, it is unlikely that the conveyancing attorney would be bound by any contrary payment provisions of the P&S Agreement).
As in the Berkshire Bank case, the thieves gain access to the well secured resource through a poorly defended access point. Without going into great detail, many of the forged emails are extremely hard to identify, and you cannot rely on broken English or suspicious looking return addresses. They may have genuine looking logos which are easy to cut and paste from the original documents, and I have even seen an otherwise genuine email from an attorney in which only the account name and number had been changed.
For these reasons, many attorneys now refuse to accept wire instructions delivered by email, and are especially cautious about emails that purport to give new instructions shortly before or after the documents are recorded. In any event, if such instructions are to be honored, as a minimum they must be confirmed by a reliable source at a telephone number known to be valid (not one contained in the email giving the instructions). But keep in mind that if you are unable to reach the confirmation number, you need to hold the funds until satisfactory confirmation or reliable, alternative delivery instructions have been obtained. In general, it should be presumed that last minute changes in wire instructions are per se fraudulent.
It has been my recommendation that any Purchase and Sale Agreement that provides for the payment of proceeds by wire transfer, include language that specifies that “notwithstanding any agreement to the contrary, the transmittal of proceeds of the sale by wire transfer shall be subject to the satisfaction in the discretion of the conveyancing attorney that the instructions given are accurate and duly authorized,” together with a “wet ink” indemnity from the party giving the instructions.
In addition, I am seeing more and more attorneys adding to the footer of their email signature line a statement in bold type stating they will not honor wire instructions given or changed by email.
Great care is justified, not just because of the potential financial loss to the attorney and his or her client, a loss which can only be recovered with good luck, but also because the availability of insurance coverage for resulting losses remains unclear.
Co-chair of REBA’s ethics section, Henry Dane has practiced law in Concord for 45 years with a broad-based practice including, real estate, zoning and land use, permitting, civil litigation and appeals, municipal law, medical employment law, medical ethics and research integrity, non-profit and charitable corporations, and commercial lending. Henry can be contacted by email at firstname.lastname@example.org.