It continues to amaze me how law firms fall for phishing scams, sometimes believing that they might have a potential client and sometimes, as here, clicking where they shouldn't click. The latest law firm is Wallace & Pittman PLLC in North Carolina who reportedly got scammed to the tune of over $300,000.00. And it only went downhill from there.
The scam started with a batch of e-mails in May supposedly from an industry group saying that a transaction hadn’t cleared properly. These e-mails directed readers to click on a link to resolve the problem. Apparently, someone at the law firm did, which allowed hackers to install a keylogger on at least one law firm computer.
After figuring out the law firm’s online banking passwords, the hackers directed the firm’s bank, Park Sterling, to send a $336,600.01 transfer through JPMorgan Chase & Co. to a “Konstantin Pomogalove” in Moscow, according to a legal document filed by the law firm. As soon as the law firm received a confirmation of the transaction, it called the bank to cancel it, but it was too late. The bank initially refunded the stolen funds to the law firm's account.
Later, the bank demanded the funds be returned. State and federal law does not compel banks to restore funds lost through fraudulent activity for commercial customers so long as the bank has reasonable security in effect.
But before the bank could debit the funds, the law firm obtained a restraining order against the bank, removed its funds and closed the account, igniting a lawsuit by the bank.
Park Sterling argues in court papers that Wallace & Pittman did not use an extra layer of security that would require two people to authorize wire transactions and that the request looked legitimate. It also said its customer agreement with the firm places the burden of loss on the customer.
Though the firm uses wire transfers regularly for real estate transactions, this was the first to go outside the country, which the firm argues should have raised enough suspicion to put a hold on the transaction. Unsurprisingly, the firm questions the security practices of the bank.
Trial is scheduled for the fall.
There are conflicting cases on whether banks can be held liable, though most have found that they can be, putting a higher burden on information security for banks. My initial take, without having all the facts, is that a bank which suddenly received a high-figure transfer out of the country from a firm which has never done that before should sure as heck have flagged the transaction as potential fraud. And Wallace & Pittman needs to institute two-person authorizations and do some serious employee training!
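The two controls this post ends on, holding a wire that is out of pattern for the customer and requiring a second person to approve it, as an added example of a hold-or-release check. This is illustrative code written for this post, not anything from Park Sterling or Wallace & Pittman; the thresholds, the sample history, the user names and the destination country are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Wire:
    amount: float
    dest_country: str               # country of the beneficiary bank
    initiator: str                  # online-banking user who entered the wire
    approver: Optional[str] = None  # second user who approved it, if any


# Constructed policy values for this example; a real bank tunes these per customer.
HOME_COUNTRY = "US"
HIGH_VALUE = 250_000.00


def risk_flags(pending: Wire, history: list[Wire]) -> list[str]:
    """Return the reasons a pending wire should be held for manual review.

    The three checks mirror the post's argument: a customer's first-ever
    international wire, an amount well above anything sent before, and a
    wire that no second person approved (a keylogger only captures one
    user's credentials, so the initiator approving their own wire counts
    as no second approver).
    """
    flags = []
    went_abroad_before = any(w.dest_country != HOME_COUNTRY for w in history)
    if pending.dest_country != HOME_COUNTRY and not went_abroad_before:
        flags.append("first_international_wire")
    largest_prior = max((w.amount for w in history), default=0.0)
    if pending.amount >= HIGH_VALUE or pending.amount > 1.5 * largest_prior:
        flags.append("amount_out_of_pattern")
    if pending.approver is None or pending.approver == pending.initiator:
        flags.append("no_second_approver")
    return flags


def decide(pending: Wire, history: list[Wire]) -> str:
    return "hold" if risk_flags(pending, history) else "release"


# Constructed sample history: routine domestic real-estate closings.
HISTORY = [
    Wire(180_000.00, "US", "paralegal1", "partner1"),
    Wire(95_500.00, "US", "paralegal1", "partner1"),
    Wire(212_000.00, "US", "paralegal2", "partner1"),
]
# Constructed pending wire modelled on the amount reported in the post.
SUSPECT = Wire(336_600.01, "RU", "paralegal1")

if __name__ == "__main__":
    print(decide(SUSPECT, HISTORY), risk_flags(SUSPECT, HISTORY))
```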