Associate Wired $2.5M to Client Impersonator

By George Khoury, Esq. on January 24, 2019 | Last updated on March 21, 2019

For many lawyers, it often comes as a surprise that scammers are so bold as to target individual lawyers and law firms. But after you read about what happened at one big Canadian firm, that surprise should fade into paranoia, anxiety, and then, hopefully, action.

Basically, using social engineering or some other method, a hacker breached a client of the firm which was about to receive a large chunk of money. The scammer(s) then impersonated that client via emails and convinced an associate at the firm to wire $2.5 million to the scammer, rather than the client's account. Fortunately, the firm was able to recover a large portion of it, and also has insurance, but the insurance claim is currently being held up in litigation.

Learn From the Mistakes of Other Firms

As reported in the ABA Journal, the firm, Dentons Canada, had just finished helping a client with a property transaction. The scammers, after breaching the client, sent emails to an associate on the matter to have the funds redirected to another account because of an internal audit. The firm went through several steps to confirm that the client really wanted the funds transferred to that other account, and even had the client sign off on authorization forms. Everything was done over email.

But, and this is where it gets scary, the firm got authorization from the scammers, and not the real client. And then transferred the $2.5 million. Luckily, it was able to recover $800K, but unfortunately, the firm's insurer is fighting paying out the remaining $1.7 million.

Pay Clients in Person

When it comes time to give a client that big check, or transfer of funds, personal contact should be part of your process. The larger the sum, the more personal the contact should be.

Generally, smaller sums of money (like a few thousand or less) can be sent via check with a delivery confirmation. But larger amounts (getting into the tens of thousands) probably require a personal courier, or, minimally, delivery confirmation with signature. More than that and you might want to make the trip yourself to the client, or have the client come into the office, especially if there's been some last-minute changes to how your client wishes to be paid.

Related Resources:

Copied to clipboard