Since, numerically, most external financial fraud attempts begin over email, this article covers business email compromise and then transitions to practical tactics of financial controls. Though there is appreciable risk in domestic transactions, the threat of fraud multiplies when transferring funds into international markets, and we must shore up the defenses in both contexts. Granted, it is difficult for lawyers to accept a less than perfect solution and painful to admit lack of ability. Unfortunately, when it comes to confronting financial fraud outside your practice, you cannot possibly hope to solve it, so you had best get better at fighting it.
Taking the Punches
Business email compromise is the prevailing strategy in financial fraud where a criminal actor impersonates an individual known to the victim through a business relationship and tries to cause the victim to transfer funds.
It is typically accomplished through email phishing attempts, and the victim may be you, an employee in your practice, one of your vendors, one of your clients or a third party involved in one of your practice’s transactions or litigations. Law Practice’s September/October 2020 issue featured “Financial Fraudsters Want You: Avoiding Scams Targeting Lawyer Trust Accounts” by Dan Pinnington, and I can’t possibly recommend the article enough for a thorough discussion on email compromises.
As covered with real examples in Pinnington’s article, we all have received an email “from a colleague” that requests timely help with a financial transaction. Typically, impersonation emails come from a sender who appears—especially on mobile devices—to be a colleague who is identified on your website. They are often sent before office hours and begin with a query whether you are in the office, smartly playing the odds. When you are off balance and responding to the first email, the impersonator offers a business reason that requires immediate satisfaction of a transaction, often a wire transfer but occasionally credit card payments and online purchase of gift cards. Usually by the third email exchange, they are overly aggressive since they realize they are in danger of not closing the deal.
Anticipate the Blow
If you have any international dynamic to your practice, you use Western Union—even if you don’t send funds through it, it has certainly handled money you receive. The leader of financial transfers in global market share, Western Union suggests the following red flags may help uncover contemplated fraudulent financial activity:
- Payment advice changes for the beneficiary’s bank. If a foreign associate, international client or law firm notifies you that their banking institution is changing, you need to be on guard. If the reason provided for the change smells fishy, follow up on it. If the bank name remains the same but its country has changed, hit the pause button.
- Changes in the beneficiary name in payment advice. Mergers and acquisitions among both international clients and law firms happen frequently, and beget new entity names, but that doesn’t make each transition, including banking details for occasionally ancient invoices, at all smooth.
- A new email address or variant of the one in your records. If you’ve always corresponded with Jimmy at firstname.lastname@example.org and suddenly correspondence arrives from email@example.com or firstname.lastname@example.org, stall payment while you sort out the details.
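The three red flags above can be checked mechanically before a payment is released. The sketch below is an added example, not something from Western Union or the original article; the record fields, the sample firm and bank names, and the 0.85 similarity threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class PaymentAdvice:
    beneficiary: str
    bank_name: str
    bank_country: str   # two-letter country code
    contact_email: str


def _norm(text):
    """Lower-case and collapse whitespace so cosmetic edits do not raise flags."""
    return " ".join(text.lower().split())


def red_flags(on_file, received, near=0.85):
    """Compare received payment advice with the record on file; return the flags raised."""
    flags = []
    same_bank = _norm(on_file.bank_name) == _norm(received.bank_name)
    if not same_bank:
        flags.append("bank changed")
    if on_file.bank_country.upper() != received.bank_country.upper():
        flags.append("bank country changed, same bank name" if same_bank
                     else "bank country changed")
    if _norm(on_file.beneficiary) != _norm(received.beneficiary):
        flags.append("beneficiary name changed")
    old, new = on_file.contact_email.lower(), received.contact_email.lower()
    if old != new:
        # `near` is an assumed cut-off: a close match means a lookalike address.
        close = SequenceMatcher(None, old, new).ratio() >= near
        flags.append("email is a near-variant of the address on file" if close
                     else "new email address")
    return flags


# Constructed sample data: same bank name, different country, lookalike domain.
ON_FILE = PaymentAdvice("Harbour Legal LLP", "First Example Bank", "CA",
                        "j.doe@harbourlegal.example")
RECEIVED = PaymentAdvice("Harbour Legal LLP", "First Example Bank", "SG",
                         "j.doe@harbour-legal.example")

if __name__ == "__main__":
    for flag in red_flags(ON_FILE, RECEIVED):
        print("HOLD PAYMENT:", flag)
```

Any non-empty result is a reason to stall the payment and verify the instructions outside of email.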
Stop being the punching bag and deliver a few blows for the good guys:
- Update contact info. It’s impossible to detect changes in email addresses unless you track and constantly update contact information of all business associates, even opposing counsel. If you or your employees lack current contact information, there is little hope of catching more sophisticated fraudulent correspondence.
- Verify payment advice outside of email. If you choose to delay processing the transaction for any of the flagged reasons above, authenticating wire instructions verbally, on the phone or over videoconference is the kidney punch. Clearly your routinely updated contact information comes in handy here. Other best practices include verifying via fax (yes, facsimile!) on letterhead or insisting on dual email authorization from more than one contact at your business associate’s company.
- Block spammers the first time. Don’t just delete the obvious phishing emails but routinely block or blacklist sender addresses. The usual suspects include the messages from someone you don’t immediately recall and where English is clearly a second language. The capability to spoof email addresses has existed since the dawn of email in the 1990s—those emails where the sender’s address doesn’t match who the sender is represented to be. Simply click on the sender’s name and look for things like From: email@example.com <firstname.lastname@example.org>. Bottom line: if something doesn’t seem right about an email, go with your gut and don’t click on links or attachments.
- Lock that data down. Especially when routinely transferring funds internationally, keep your data as secure as possible. The best move is enabling single sign-on across your systems coupled with multifactor authentication tied to your practice’s devices. It may add inefficiency but two-step authentication on your email is currently the most reliable backstop for account compromises. If you don’t have a solution to encrypt your email, set up Citrix ShareFile, Zix or Microsoft 365 today. Then, only send banking details via encrypted email.
- Seek training repeatedly. Like any data security solution, your weakest link will always be your internal end users. Train lawyers and staff to bolster awareness of financial fraud and confront social engineering. After you complete comprehensive training, test your employees with clickbait while also planning your next training session: rinse and repeat.
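The manual check described under "Block spammers the first time", comparing the name a sender displays with the address actually behind it, can also be applied to a mailbox in bulk. This is an added example, not part of the original article; the staff directory, names and addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed staff directory: display name (lower case) -> address on file.
STAFF = {"dana partner": "dana.partner@firm.example"}


def check_from(header_value, directory=STAFF):
    """Return the reasons a From header looks like impersonation ([] if none)."""
    display, address = parseaddr(header_value)
    display = " ".join(display.lower().split())
    address = address.lower()
    reasons = []
    # The visible name is itself an email address, but not the real sender's.
    # Mail clients that show only the name would display the fake address.
    if "@" in display and display != address:
        reasons.append("display name shows a different address than the sender")
    # The visible name is a colleague's, but the address is not the one on file.
    on_file = directory.get(display)
    if on_file and on_file != address:
        reasons.append("colleague's name with an address not on file")
    return reasons


# Constructed sample From headers.
SAMPLES = [
    '"Dana Partner" <dana.partner@firm.example>',
    'Dana Partner <dpartner.office@freemail.example>',
    '"dana.partner@firm.example" <billing@other.example>',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", check_from(value) or "ok")
```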
The one wild card you can always play is the technical knockout: Don’t send the money. If you simply don’t send the money, financial fraud can’t possibly take place. When you’ve exhausted every reliable way to authenticate the wire instructions and doubt remains, step away from the keyboard. If the transaction is valid, the worst-case scenario of not paying is that they will send notice of a past-due balance and eventually open some new means of communication.