The following is a social engineering fraud alert recently posted to Law.com/Daily Business Review, with a scenario that could also threaten Nova Scotia lawyers:
“Last year, a Canadian man thought he had wired $120,000 to his law firm for the purchase of a Pompano Beach, Florida, property. In fact, he sent the money to a third party purporting to be the attorneys, according to a new suit.
The plaintiff retained the 15-lawyer Miami firm Levine, Kellogg, Lehman, Schneider Grossman, and sued his former lawyer at the Oates & Oates boutique, a closing agent hired by the property’s seller, and their respective firms for negligence in early October. The case on Monday moved from a Broward County court to federal court in Florida’s Southern District. The case serves as a cautionary tale for law firms, underlining how wire scams can create professional liability headaches for any lawyer in a deal. Attorneys are reporting an uptick in email compromise scams, in which a third party hacks into a law firm’s email account to contact clients while impersonating the firm, typically for the purpose of convincing clients to wire them money. The Southern District of Florida case, which names Oates & Oates attorney Thomas Oates and closing agent David Coven as defendants, hinges on the fact that the plaintiff, Christian Alexandre, received text messages from someone pretending to be Coven. In an interview, Coven said he was representing the seller in the transaction, and that he never spoke with Alexandre. When Alexandre received text messages and emails asking him to wire $120,000 to Coven to “enhance a smooth transaction and avoid any form of delay at closing,” the complaint alleges Alexandre contacted Oates — his attorney for the deal — to inform him of the messages. That, according to the complaint, should have tipped off Oates to a potential scam — the Florida Bar’s rules of professionalism prohibit lawyers from contacting people who they know already have representation without permission. The complaint alleges that Oates should have contacted Coven to inquire about the interaction with his client, but he instead instructed Alexandre to send all correspondences to his offices and cc him. 
After receiving more emails from a party purporting to be both Coven and Oates, Alexandre wired the $120,000 in mid-September to a Chase bank account that appeared to belong to Oates & Oates. In an interview Tuesday, Thomas Oates said the firm’s email had not been hacked but otherwise referred the Daily Business Review to his attorney, Christopher Hopkins of 140-lawyer West Palm Beach firm McDonald Hopkins, who did not immediately return requests for comment. “I’ve never seen such garbage in my life, to be blunt,” Coven said in an interview, about being named as a defendant in the lawsuit. “This is a lawsuit that was filed by the buyer, who was represented by counsel. I had no contact with the individual.” Coven said it is possible that any of the parties — Oates & Oates, the realtors on the email chain, and even his own firm — could have been hacked, but that he didn’t violate his duty as the transaction’s escrow agent because he never received any funds. Coven continued that if he were to be held liable, “theoretically, anyone’s name on a contract could be sued if their email was hacked along the line and funds don’t get where they’re supposed to get.” He added, “It imposes a duty that’s incapable of being complied with. You can’t guarantee what is and isn’t going to be hacked.” The Levine Kellogg litigator representing Alexandre in the lawsuit, Stephanie Traband, declined to comment on this lawsuit but said that the specifics of a given case determine whether a firm is liable in an email compromise scam. “Did the firm have a full plan on how to address such an information breach? Does the firm have cyberinsurance?” she said. “Did the firm, when it realized something happened, get in front of it to contact clients and let them know to contact their banks immediately?”
Real estate transactions have a multitude of deadlines, Traband said, so attorneys should maintain regular contact with their clients to minimize the chance of a phishing or spoofing email succeeding in tricking a client. Law firms should also advise clients to call and confirm wire transfers before sending any money, Traband said.
The complaint noted that email compromise scams are on the rise. According to FBI data referenced in the complaint, about 40,000 victims lost nearly $3 billion to the scams between 2013 and 2018.”
With people working remotely, authenticating and confirming instructions becomes more challenging. Lawyers and their firms should closely monitor financial transactions and confirm that any new approval protocols allow for proper verification and documentation of instructions. Preventing fraud requires constant diligence, as does maintaining proper cyber security.
We recognize the importance of helping you appreciate and mitigate potential cyber issues. Take appropriate steps to confirm, perhaps by phone, that emailed fund transfer instructions you receive from a client are correct, especially if they seem odd or are significantly different from your original instructions (which could include a wire transfer to a foreign country). Social engineering fraud is not part of the cyber coverage we offer in our policy. Depending on the facts, there may not be coverage for such a fraud under the professional liability part of your insurance policy either. Accordingly, a lawyer who falls victim to such a fraud and lacks appropriate insurance coverage could be in the position of having to reimburse their trust account for the loss.
Where possible, use the Large Value Transfer System (LVTS), an electronic funds transfer system that allows large payments to be exchanged securely and immediately.
For tips to avoid being victimized, visit the Fraud section on lians.ca. To report or seek advice on dealing with fraud and scam attempts, contact Cynthia Nield at cnield@lians.ca or 902 423 1300, x346.