Social Engineering: Theft of Data or Assets Through Frauds and Schemes

Often, hackers gain entry to a firm’s systems through the lawyer’s use of the internet. Whether you are perusing the most recent e-newsletter from the bar association or updating your firm’s Facebook page, it is important to protect against unwanted visitors or viruses entering through the portal you’re using at the time.

Start by using and regularly updating the security features that come with your computers and software. Regularly update your web browser software too. Software providers, computer companies, and ISPs are regularly responding to the new threats hackers develop. Use their resources to protect yours.

In the end, though, “Social engineering” frauds may be the biggest risk of all, especially for lawyers who regularly handle transfers of large sums, like in real estate deals or some trusts and estates work.

An example is the email where a scammer poses as an opposing attorney or banker and asks for funds from previously negotiated transactions to be redirected to a different—and, ultimately, fraudulent—account than originally agreed to.

You withdraw the funds from your escrow or trust account, transfer it to the fraudster, and now you are facing claims from both your client and the opposing party for loss of the funds and breakdown of the transaction.

While some of these schemes might be stopped through technological protections against hacking email accounts, the most effective prevention against them is, ultimately, human behavior.

Lawyers and staff should remain alert to potential problems and employ good decision-making about how they respond to unusual and unexpected requests:

• Be alert to signs of fraud in electronic communications: grammatical errors, unfamiliar writing style, or tone. If you’ve been working with the purported correspondent for a while, you may detect that something seems off about a message.

• Be suspicious of unusual timing of such requests; last-minute changes to negotiated plans should be questioned.

• Designate two specific individuals in every transaction who must approve any transfers or procedural changes before they occur.

• Require live, person-to-person confirmation—on the telephone or face-to-face—whenever there is a change of plan regarding monetary transfers or other closing processes.

• Verify with the bank how long an account has been open before transferring money to it. If it has been open for less than 90 days, take additional steps to confirm its authenticity.

• Require confirmation of receipt of any funds every time.

Social engineering schemes can also come in the form of unsolicited emails from potential clients, social media posts, links from other lawyers, and even that electronic birthday card from your great aunt.

Make good choices about what you click on. As one commentator put it, “If you haphazardly visit every link and download every file sent to you in email or posted to your social networking pages, sooner or later you’re going to get nailed. Period.” 

At a minimum, if you absolutely must look at kitten videos or check your fantasy team standings, use a separate device that isn’t connected to your firm’s network or systems, so that, if you do let something or someone in, they won’t make it to your client’s information and assets.