By
Henry J. Dane
No
one is immune to cyber-fraud, so why does everyone think it won’t happen to
them? Lawyers are still getting nailed
every day with altered or fabricated wire instructions that they believe to be
authentic. This is definitely not “old
news” yet. Some of the frauds are very
sophisticated and cleverly disguised to look genuine using names of parties,
attorneys and brokers involved in the
transaction, forging logos and similar
looking email addresses and containing information (presumed to be confidential) that vouches for their genuineness.
When asked why he robbed banks, the well-known
stickup artist, Willie Sutton, said “Because that’s where the money is”. But
today a bank holdup will rarely net the
kind of money that conveyancing attorneys handle every day, hundreds of thousands
if not millions of dollars which can be stolen without a gun, a mask or a brown
paper bag. And yet, even smart
attorneys are still sending out this kind of money every day based on
information given, or more frequently, changed at the last minute by a telephone call, a scrap of paper or an email from an
unverified source.
Think
about it this way, If you were a bank,
the person giving you the instructions would need to have a unique user name and a password
(8 characters, upper and lower
case, a number and a special character)
to pay your $49 phone bill. Although
it hasn’t been suggested that attorneys assign user names and passwords to clients,
fellow attorneys, brokers and mortgage
lenders, it wouldn’t help much even if we did because we cannot
limit incoming communications to
known and verified originators if we are going to effectively conduct our
business or theirs. And the problem for
us is as much what goes out online as what comes in.
The
banks aren’t doing that well either, and the crooks are doing to banks what has
been working on lawyers. If the front
door is double bolted with a couple of steel bars and a combination lock, just
walk around to the back of the building and climb in an open window.
Take for example, the
Berkshire Bank case brought in the US District Court in Boston (Jacobs v.
Berkshire Bank, USDC
3:16-dv-30190-MGM). The following information comes from the
Complaint which I have taken at face value.
The bank has 90 branches in 4 states and belongs to a holding company
with total assets close to $8billion. Not a mom and pop operation. The Plaintiff, Mr. Jacobs, one of the bank’s
customers periodically sent emails to his “personal banker” who he believed to
be an employee of the bank, asking her to wire out funds from his account.
These earlier transactions were remarkable only in that they were the set up
for what was to follow. On October 17, 2016, while Mr. Jacobs was travelling in
Europe, an imposter impersonating him sent
an email requesting that $580,000 be wired to a bank in Hong Kong. The wire was
originated (either with no, or inadequate measures to verify the authenticity
of the request). The next day another
email was received asking how much money remained in the account. The “personal banker” responded that $1,590,000
remained in the account (but not for long).
There was an opportunity to salvage the situation when the original
$580,000 wire bounced. Not to be deterred,
the “personal banker” sent the wire
again, this time successfully putting the funds in the hands of the
imposter. Then, on October 24,
responding to a similar email, another $826,000 was sent to another bank in
Hong Kong. On his return, Mr. Jacobs
found out about the unauthorized wires, asked the bank to restore the funds and
the bank disavowed any liability. (The
Bank, in its Answer filed on February
10, alleges in part that the “personal
banker” was “performing personal services for Mr. Jacobs and his business,
including but not limited to serving as his personal bookkeeper and in conducting
banking transactions for him, she was doing so as his employee, agent and
authorized signer on the account.”)
Without any knowledge of this particular
situation, but based on my experience with similar instances, the bank had much
better security against electronic intrusion than Mr. Jacobs. By means of one of the commonly used methods,
the imposter could have gained access to Mr. Jacob’s computer or the password
to Mr. Jacobs’ email account. He would
then be able to send a request to the “personal banker” that appeared to be
genuine. Probably, by the same means, the
imposter was also able to determine Mr. Jacobs’ travel plans, so he would know
when it would be difficult to verify the instructions by making a phone call to
the account holder.
Because
the bank had good security for online financial transactions and access to
customer financial information was
protected with user names, passwords and
perhaps even two factor authentication, the thieves decided to ignore the secure part
of the system, and to just ask for the
money by sending an email to a vulnerable employee. Such a request did not require a signature, a
withdrawal slip, a picture ID, no last 4 of the social, no mother’s maiden
name. Just an email purporting to be
from a customer saying “here are some
wire instructions, please send the
money.”
What happened to Berkshire Bank and Mr.
Jacobs is very similar to the fraud used
to steal closing funds from attorneys. According to my sources, this is how it works:
1. The
thieves identify properties for sale through one of many online listing
services or brokers web sites;
2. They send the chosen brokers an email containing a link that, when
opened, either enables the thief to obtain the email or computer password of broker or the
imposter claims to be the system administrator asking the broker to change his
or her password which the link then transmits to the thief. Real estate brokers do not typically invest
in good internet security, and many individual brokers have their own private
email accounts with little or no security.
3. Once the thief penetrates the broker, all the information regarding the sale is
potentially available: names and email addresses of parties, closing date,
copies of offers and purchase agreements, amount of proceeds etc. and most
importantly, the name and email address
of the conveyancing attorney who is going to be distributing the seller
proceeds.
4. Other participants including buyer and sellers
are likewise vulnerable to infiltration because of weak security but it is more
work to find them than it is to identify properties that are on the market from
online listings.
5. Based on
the information obtained, the thief
sends the closing attorney an email asking that the wire instructions formerly
given be changed to a different account
(sometimes even in the same bank as the authentic instructions) which will be cleared and closed by the thief
as soon as the money is received. Using the information obtained from the
infiltrated computers, it is not
difficult to make these emails look authentic.
If the conveyancing attorney has not
avoided the dilemma by declaring in advance that wire instructions transmitted
by email will not be honored, it is at this point in the transaction that the
conveyancing attorney must intervene either to authenticate the instructions or
to ignore the instructions and decide to send a check by overnight carrier (in such a situation, it is unlikely that the
conveyancing attorney would be bound by any contrary payment provisions of the
P&S Agreement).
As in the Berkshire Bank case, the
thieves gain access to the well secured resource through a poorly defended
access point. Without going into great detail, many of the forged emails are
extremely hard to identify, and you cannot rely on broken English or
suspicious looking return addresses.
They may have genuine looking logos which are easy to cut and paste from
the original documents, and I have even seen an otherwise genuine email from an
attorney in which only the account name and number had been changed.
For these reasons, many attorneys now
refuse to accept wire instructions delivered by email, and are especially cautious about emails that
purport to give new instructions shortly before or after the documents are
recorded. In any event, if such
instructions are to be honored, as a
minimum they must be confirmed by a reliable source at a telephone number known
to be valid (not one contained in the
email giving the instructions). But
keep in mind that if you are unable to reach the confirmation number, you need
to hold the funds until satisfactory confirmation or reliable, alternative
delivery instructions have been obtained. In general, it should be presumed that last
minute changes in wire instructions are per se fraudulent.
It
has been my recommendation that any Purchase and Sale Agreement that provides
for the payment of proceeds by wire
transfer, include language that
specifies that “notwithstanding any agreement to the contrary, the transmittal of proceeds of the sale by wire transfer shall be subject to the satisfaction in the discretion of the
conveyancing attorney that the
instructions given are accurate and duly authorized,” together with a “wet ink” indemnity from the party giving the
instructions.
In addition, I am seeing more and more
attorneys adding to the footer of their email signature line a statement in
bold type stating they will not honor wire instructions given or changed by
email.
Great care is justified, not just
because of the potential financial loss to the attorney and his or her client,
a loss which can only be recovered with good luck, but also because the availability of insurance coverage for
resulting losses remains unclear.
Co-chair of REBA’s ethics section, Henry Dane
has practiced law in Concord for 45 years with a broad-based practice
including, real estate, zoning and land use, permitting, civil litigation and appeals,
municipal law, medical employment
law, medical ethics and research integrity,
non-profit and charitable corporations,
and commercial lending. Henry can
be contacted by email at hdane@danelaw.com.
