July 31, 2018

Who Bears the Risk of Loss When a Hacker Targets a Settlement?

Steven M. Puiszis

I. Introduction

It should come as no surprise that hackers and cyber criminals are targeting settlements or that technology is providing new and sophisticated ways to misdirect a settlement payment to a hacker.1 When this occurs, a court may be asked to resolve who should bear the risk of loss between two seemingly innocent parties. Should the answer be which party was in the best position to prevent the misappropriation of funds? That appears to be the approach taken by one federal district court in Bile v. RREMC, LLC.2

Lawyers traditionally have only owed a duty of care to their client(s).3 However, in Bile a district court concluded that an attorney owes a duty to notify opposing counsel when the lawyer becomes aware that a hacker is targeting a settlement involved in one of the lawyer’s cases.4

II. How The Exploit Occurred

Bile involved the settlement of an employment discrimination claim. Six days after the settlement was reached the lawyer representing the plaintiff received an email that purportedly came from his client. The lawyer noted, however, that the email had a domain extension ending with “” rather than “” The email contained an instruction to wire the settlement to an account in the client’s name in London. The lawyer called his client and confirmed that the client had not sent the email. The lawyer then simply deleted the phony email; he did not notify any law enforcement authorities, the court or opposing counsel.5

Several days later the lawyers discussed how to accomplish payment of the settlement. They agreed that the payment would be made by two checks, one in the amount of $63,000 and a second in the amount of $2,000, less withholding, sent via FedEx to plaintiff at his home. Counsel for plaintiff agreed to send an email confirming the plaintiff’s home address to opposing counsel. Plaintiff’s counsel sent that confirming email from his law firm’s Yahoo email account.6

Several hours later, defense counsel received a second email that appeared to be from plaintiff’s counsel’s Yahoo email account changing the payment instructions. Rather than send the $63,000 payment via check to plaintiff’s home in Virginia, the second email directed that it be wired to an overseas account in London. Opposing counsel followed those instructions and wired that portion of the settlement to the account in London. The second email containing the wire transfer instructions, however, was not sent by plaintiff’s counsel.

The overseas account referenced in the second email, which directed that the funds be wired to London, was the same overseas account referenced in the “” email that plaintiff’s counsel had confirmed several days earlier was not sent by his client. Once the plaintiff received one settlement check rather than two, it was quickly determined that the wiring instructions were phony.7

After an unsuccessful attempt was made to recall the wire transfer, plaintiff demanded that he be paid the remaining portion of the settlement and refused to dismiss the lawsuit. Opposing counsel and his client refused to make any further payment and demanded the lawsuit be dismissed pursuant to the settlement agreement.8 The assigned Magistrate Judge ordered the parties to brief the matter and initiated a criminal investigation by the United States Attorney’s Office in the Eastern District of Virginia. When the parties were unable to resolve the matter, the dispute was brought to the attention of the district court, which scheduled cross-motions to enforce the settlement and scheduled an evidentiary hearing. The briefs on the cross-motions focused on the reasonableness of each side’s actions and who should bear the risk of loss.9

At the evidentiary hearing, counsel for the defendant introduced expert testimony that the email directing the settlement payment be wire transferred was sent by someone who had access to the plaintiff’s law firm’s Yahoo email account. The expert further testified that nothing about the email header would have alerted opposing counsel that the email was sent by someone other than plaintiff’s counsel, and that industry-standard email filters would not have alerted defense counsel to be wary of this email. The email also contained an atypical salutation used by plaintiff’s counsel in emails to opposing counsel.10

One of the issues raised in the briefing on the cross motions to enforce the settlement was the failure of plaintiff’s counsel to notify opposing counsel, the court, or law enforcement about the phony email that was made to appear that it came from his client but had the “” domain extension. Counsel attempted to defend his conduct by noting his decision was consistent with state ethics opinions advising lawyers that the safest course of action to take when dealing with a phishing email is to simply delete it.11 One ethics opinion on internet scams, however, further explains:

If the attorney concludes after investigating the matter that the email sender is attempting to defraud him, then the attorney “may supply information and documents to those investigating the scheme, without violating any duty of confidentiality that would be owed to persons genuinely seeking legal services.”12

III. The District Court’s Ruling

The district court evaluated the actions of both lawyers under ordinary care principles guided by common-law contract principles and several provisions from Article 3 of the Uniform Commercial Code.13 The district court fashioned a rule from these principles to the effect “that a blameless party is entitled to rely on reasonable representations, even when these reasonable representations are made by fraudsters.”14

The district court in Bile acknowledged that there was no case law precisely on point for analyzing this issue,15 and that it was not aware of any decision:

[A]rticulating that an attorney has an obligation to notify opposing counsel when the attorney has actual knowledge that a third party has gained access to information such as the terms of a settlement agreement, or the attorney has knowledge that the funds to be paid pursuant to a settlement agreement have been the target of an attempted fraud.16

Nonetheless, the district court ultimately concluded that plaintiff’s counsel, who was aware of the phony client email, failed to use ordinary care under the circumstances and should bear the risk of loss.17 The district court noted that while “vague references” to “law enforcement and industry advisories” concerning phony emails were made by plaintiff’s counsel, they were never introduced in the record. The court also noted that while advisories from the ABA18 and the FBI19 encourage lawyers to be wary of accepting clients who only communicate by email, to avoid wiring money on behalf of those clients, and to delete emails from suspicious prospective clients, “they say nothing about deleting emails which indicate that a third party is attempting to perpetrate fraud in connection with an ongoing case.”20

In reaching its conclusion, the district court found that defense counsel had no reason to suspect the email asking that the settlement be wired to an overseas account was fraudulent.21 Additionally, the district court noted that both plaintiff’s counsel and his client were aware that a malicious third party had targeted the settlement for a fraudulent transfer to an overseas account.22 Finally, the court found that both plaintiff’s counsel and his client knew that the lawyer’s email account was implicated in that fraudulent activity.23 The district court ultimately ruled:

As technology evolves and fraudulent schemes evolve with it, the Court has no compunction in firmly stating a rule that: where an attorney has actual knowledge that a malicious third party is targeting one of his cases with fraudulent intent, the lawyer must either alert opposing counsel or must bear the losses to which his failure substantially contributed.24

IV. Risk Management Issues For Lawyers And Law Firms

a) Ethical Duty to Avoid Common Internet Based Scams

Social engineering, business email compromise, spear phishing and whaling exploits refer to a variety of deceptive schemes and techniques used by hackers and cyber criminals aimed at tricking a victim into taking certain action, ranging from providing information, clicking on links or attachments or transferring funds. They can involve phone calls, emails, text messages or any combination thereof. Many of these exploits are based on publicly available information from a law firm’s website or a lawyer’s, or a family member’s, social media activity.

The so-called Nigerian check scam has been replaced by targeted spear-phishing exploits or sophisticated social engineering techniques that can be difficult to spot and are designed to make a victim believe that an email or a text message is from someone that you know or can trust. Inserting a Unicode character into a domain extension as part of a spear phishing exploit is virtually impossible to detect.25
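The lookalike-domain problem described above is hard for a reader to spot but easy for software to flag. The following check is added here as an illustration and is not code from the article or the court record: it assumes an address on file for a known contact and uses a small hand-built table of confusable characters, and it also catches plain ASCII substitutions (a digit 1 for a lowercase l) and a swapped domain extension, which goes beyond the Unicode case in the text.

```python
"""Flag sender domains that merely look like a known contact's domain."""
import unicodedata
from email.utils import parseaddr

# Assumption: a small hand-built table of characters that read as ASCII
# letters is enough to illustrate the check. A production version would
# load the full Unicode confusables data (UTS #39) instead.
LOOKALIKE_TO_ASCII = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # Cyrillic а с е о
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic р х у і
    "\u03b1": "a", "\u03bf": "o",                                # Greek α ο
    "1": "l", "0": "o",                                          # digit stand-ins
}


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From: header value."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no address found in {header_value!r}")
    return addr.rsplit("@", 1)[1].strip().lower()


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string a reader would take it for."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(LOOKALIKE_TO_ASCII.get(ch, ch) for ch in folded)


def wire_form(domain: str) -> str:
    """The form a mail server routes on: non-ASCII labels become xn-- labels."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "<invalid-idna>"


def analyze_sender(header_value: str, known_address: str) -> dict:
    """Compare an incoming sender against the address on file for a contact.

    Returns the observed domain, its wire form and a list of findings;
    an empty list means the domain matches the one on file exactly.
    """
    observed = sender_domain(header_value)
    expected = sender_domain(known_address)
    result = {"domain": observed, "wire_form": wire_form(observed), "findings": []}
    if observed == expected:
        return result

    findings = result["findings"]
    if any(ord(ch) > 127 for ch in observed):
        findings.append("non_ascii_domain")      # what the eye cannot see
    if "xn--" in result["wire_form"]:
        findings.append("punycode_label")        # what the mail server sees
    if skeleton(observed) == expected:
        findings.append("lookalike_domain")      # reads as the known domain
    else:
        obs, exp = skeleton(observed).split("."), expected.split(".")
        if obs[:-1] == exp[:-1] and obs[-1] != exp[-1]:
            findings.append("tld_mismatch")      # same name, different extension
        else:
            findings.append("domain_mismatch")   # simply a different sender
    return result


def verdict(result: dict) -> str:
    """Collapse findings into an action for the person handling the mail."""
    found = set(result["findings"])
    if not found:
        return "match"
    if found & {"non_ascii_domain", "punycode_label", "lookalike_domain", "tld_mismatch"}:
        return "suspicious"      # confirm by phone on a number already on file
    return "unverified"          # unknown sender, not an impostor of this contact


if __name__ == "__main__":
    # Constructed sample: the address on file for a client and four
    # incoming From: headers, one genuine and three impostors.
    on_file = "client@example.com"
    samples = [
        "Client <client@example.com>",
        "Client <client@ex\u0430mple.com>",   # Cyrillic а in the domain
        "Client <client@examp1e.com>",        # digit 1 for letter l
        "Client <client@example.co>",         # dropped last letter of the extension
    ]
    for header in samples:
        r = analyze_sender(header, on_file)
        print(f"{r['domain']:<16} {r['wire_form']:<24} {r['findings']} -> {verdict(r)}")
```

The wire form is worth surfacing to the reader of the alert: the Cyrillic sample renders identically to the real domain on screen, but its xn-- label shows what the mail system actually routed on.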

There is a growing recognition that an attorney’s duty of competence26 includes taking reasonable efforts to avoid these types of common internet scams.27 One ethics opinion noted: “Since 2009, email scams have swindled lawyers out of an estimated $70 million.”28 That opinion outlined a series of red flags, obtained from case law, articles and other ethics opinions, that may alert an attorney to a potential scam:

  • The email sender is based abroad.
  • The email sender does not provide a referral source. (If the email sender is asked how he found the firm, he may respond that it was through an online search. If prospective clients rarely approach the recipient attorney based on an Internet search, this should be an immediate red flag.)
  • The initial email does not identify the law firm or recipient attorney by name, instead using a salutation such as “Dear barrister/solicitor/counselor.”
  • The email uses awkward phrasing or poor grammar, suggesting that it was written by someone with poor English or was converted into English via a translation tool.
  • The email is sent to “undisclosed recipients,” suggesting that it is directed to multiple recipients. (Alternatively, the attorney recipient may be blind copied on the email.)
  • The email requests assistance on a legal matter in an area of law the recipient attorney does not practice.
  • The email is vague in other respects, such as stating that the sender has a matter in the attorney’s “jurisdiction,” rather than specifying the jurisdiction itself.
  • The email sender suggests that for this particular matter the attorney accept a contingency fee arrangement, even though that might not be customary for the attorney’s practice.
  • The email sender is quick to sign a retainer agreement, without negotiating the attorney’s fee (since the fee is illusory anyway).
  • The email sender assures the attorney that the matter will resolve quickly.
  • The counterparty, if there is one, will also likely respond quickly, settling the dispute or closing the deal with little or no negotiation.
  • The email sender insists that his funds must be wired to a foreign bank account as soon as the check has cleared. (The sender often claims that there is an emergency requiring the immediate release of the funds.)
  • The email sender or counterparty sends a supposed closing payment or settlement check within a few days. The check is typically a certified check or a cashier’s check, often from a bank located outside of the attorney’s jurisdiction.29

Additionally, the opinion concludes that if an attorney is defrauded in a manner that results in harm to other clients, such as where the lawyer’s trust account holds funds from multiple clients, an ethical obligation is triggered to promptly notify all affected clients.30 This means that an attorney who receives an email solicitation from an unknown prospective client should consider either ignoring the email,31 or conducting a reasonable investigation to determine if the email sender is a legitimate prospective client.32 The opinion explains this can include verifying the accuracy of the information provided by the email sender, including any names, physical and web site addresses, phone numbers and referral sources.33 Recognize, however, that if you call the phone number provided in any solicitation you may be speaking with a fraudster, so look up the person or company’s phone number and call that number.

Circling back to Bile, the scenario addressed by the court did not involve an attorney’s failure to recognize a phishing email, a social engineering exploit or an internet-based scam because the lawyer recognized the phony email domain extension and confirmed that his client did not send the email. Rather, the decision addressed what a lawyer should consider doing when he or she recognizes an attempted scam.

b) Risk Management Issues When a Lawyer Knows That a Hacker is Targeting a Settlement

Obviously, a key factor in the district court’s decision was the actual knowledge on the part of the lawyer that his client had not sent the “” email with the wiring instructions. How the district court would have ruled in the absence of that actual knowledge is far from clear. The lawyer spotted the phony domain extension and called to confirm it was not sent by the client. Should or would the risk of loss be placed on a lawyer who failed to recognize a bogus email? Where does the risk of loss flow if the lawyer failed to recognize a phony email, but allegedly should have recognized it through the exercise of reasonable care? Is that a matter on which expert testimony is required? And what if the bogus email from the client did not address the settlement, but another aspect of the case that was not relevant to the settlement? Moreover, email spoofing, which hides the true origin of an email, is relatively easy to accomplish.34

Where the decision’s rationale becomes a bit problematic involves the court’s finding that the lawyer’s email account was implicated in the attempted fraudulent activity.35 Large law firms can receive hundreds of phishing emails a day, and spam and virus filters will only catch a fraction of them. Hackers hope that busy lawyers will miss a phony domain extension such as the one involved in this case ( rather than ). Without more, however, the receipt of a phishing email or an email with a spoofed domain extension, even one purportedly coming from a client, should not necessarily put a lawyer on notice that either: 1) the law firm had a malicious insider working for it, 2) a hacker was in the lawyer’s network, or 3) a hacker had remote access to the lawyer’s email system. A phony email from a client would more likely suggest that the client’s email account had been hacked, not the lawyer’s email system.

Moreover, there is any number of ways that a hacker could learn of a settlement or its terms, including the plaintiff or defendant telling a “friend.” If the lawyers or the clients on either side of the case had used unsecured Wi-Fi when emailing one another, even a relatively unsophisticated hacker could use a so-called man-in-the-middle attack36 to monitor that email traffic, send a phony email or change the text of an unencrypted email that was sent by one of them to the other. Whether the data breach suffered by Yahoo in 2014, which involved 500 million user accounts, or the 2013 breach which involved the theft of data from more than one billion Yahoo user accounts played any role in the hack is another unknown. The law firm representing the plaintiff in Bile used Yahoo as its email provider. Yahoo disclosed the 2014 breach several weeks after the Bile decision was announced and reported the 2013 breach months later in December of 2016.37

Looking at this case in real time and not in hindsight, from the perspective of plaintiff’s counsel, why was it unreasonable for the lawyer to conclude that this was a one-time attempt to misdirect a settlement payment? Another court looking at the scenario might conclude plaintiff’s counsel was not put on notice that a hacker was in, or had access to the law firm’s network. Must a lawyer forensically check the security of his or her law firm’s network simply because the lawyer received a phishing email or bogus email? The obvious answer is no. There is no obligation to do so and given the prevalence of phishing emails, the cost and burden involved would be unreasonable.

Another court looking at these same facts might also ask defense counsel why, after agreeing to pay the settlement by two checks, he did not pick up the phone to call plaintiff’s counsel about the change in circumstances? Asking that a wire be sent to an overseas account when the payee resides in the U.S. could be viewed as a red flag by a court using the wisdom of 20-20 hindsight.38

Moreover, what should a lawyer do to fulfill this notification duty? For instance, if plaintiff’s counsel told opposing counsel that he had received a phony email that appeared to come from his client concerning the settlement, would that disclosure fulfill the lawyer’s duty? Would that information provide opposing counsel with any reason to be suspicious of an email from the lawyer as opposed to the lawyer’s client? Anything short of telling opposing counsel that the phony client email involved a request to wire transfer the settlement to an overseas account would likely not have provided any reason for opposing counsel to be suspicious of the subsequent phony email from the lawyer with the wire transfer instructions.

Although Bile is a district court decision, which is not considered precedential,39 and does not necessarily establish a standard of care, its rationale may be considered persuasive by another court addressing a similar scenario. Accordingly, where a lawyer receives a suspicious email that addresses a proposed settlement, the lawyer should consider notifying the other lawyers involved in the case about that development. The Bile decision reflects the old adage that an ounce of prevention is worth a pound of cure.

V. Social Engineering and Phishing Risk Management Considerations

One noted computer security expert has offered a sobering reminder about phishing and social engineering risk: “Always remember, amateurs hack systems, professionals hack people.”40 The weakest link in the security of any computer system is the human beings who use it. Even the most robust technological and administrative safeguards can be obviated by employee error. As a result, training on social engineering and phishing exploits is a critical consideration for any lawyer or law firm’s security program.

Moreover, as a profession, we all need to slow down just a bit. With our increasingly connected 24x7 practices, lawyers are particularly at risk of falling prey to phishing schemes and spoofed emails. There are three anti-phishing rules for email and text messages which, if followed, can help to at least mitigate the risk from this type of exploit.

The first rule is never click on a link or an attachment in an email from someone you don’t know, no matter how harmless the email, the attachment or link may appear. Ransomware has been loaded into what purports to be a resume from a law student seeking a job.

The second is never click on any link or attachment you were not expecting to receive even if it appears to come from a known sender. We all have heard horror stories of persons who have been hacked which resulted in malicious emails being sent from a compromised email account. It may sound old fashioned, but pick up the phone and call the person who sent the email and confirm he or she sent the link or attachment to you.

Finally, if you forget the first two rules and click on a link or any type of attachment and a pop-up appears asking you to enable a new software version, update or enter information, open a zip file or to “double click” on a “protected document” to unlock its contents, close out of email immediately. Otherwise, you may be releasing a “malicious macro” or weaponizing the malware in the link or attachment.

While email has replaced the telephone as the primary mode of communication for many lawyers, the unfortunate circumstance presented in Bile possibly could have been avoided had either of the lawyers picked up the phone to call the other about the spoofed client email, or to ask about the change in the payment method from check to a wire transfer.

Solid internal controls are key to mitigating the risk posed by business email compromise or whaling exploits (emails that appear to originate from within a law firm but actually originate outside the firm). Accordingly, law firms should consider developing an administrative policy or practice that requires verbal confirmation of any email request for a wire transfer, any transfer of protected health information (PHI) or personally identifiable information (PII), or any type of non-public financial information. The policy could be as simple as the firm will not transfer funds, PHI, PII or non-public financial information based strictly on an email or telefax. Alternatively, such a policy could prohibit sending a wire transfer above a certain amount based strictly on an email. That dollar threshold could be influenced by any number of factors such as whether the intended destination is a domestic or overseas account, the number of transfers made each day on average and the firm’s risk tolerance. Obviously, when using phone verifications, use a pre-established or previously known and trusted phone number on file, not a number provided in any email. Otherwise you could be calling a hacker. Once a policy or practice is adopted, all employees should be trained on the policy.

Because of the immediacy of wire transfers, a law firm may also want to consider reviewing available banking controls or security procedures for wires. This could potentially include a standing instruction that the bank not accept wire transfer authorizations via email or telefax. Additionally, consider the use of multi-factor authentication such as the use of tokens, call-back verifications, or requiring authorizations from two authorized employees for any wire transfer. Consider establishing a bank alert if any change is made to the wire instructions involving recurring payments to firm vendors. Another control to explore is having the bank hold any request for an international wire transfer “for an additional period of time to verify the legitimacy of the request.”41

Lawyers should not assume that financial losses due to social engineering or phishing exploits are covered by a fidelity/crime or cyber policy simply because a computer was involved in the exploit.42 Unless an employee was involved in an embezzlement scheme, or the phony instruction appeared to originate from another employee or partner of the firm, a crime policy typically will not cover the loss. There exist social engineering endorsements that can be purchased as part of a firm’s crime coverage.

Depending on the type of loss involved, social engineering may also not be covered by a cyber policy. Cyber policies will typically cover the loss of information, but in the absence of a special endorsement, they may not cover the loss of “money or securities” due to social engineering. Thus, consultation with a knowledgeable insurance broker is an important consideration to avoid a gap in insurance coverage as it pertains to this type of risk.

Law firms should also consider discussing with their IT staff or consultant available email authentication controls that can help to detect email spoofing to hopefully mitigate the risk of business email compromise.

VI. Sample Law Firm Policy

POLICY ON WIRE TRANSFER SECURITY

Hackers and criminals are targeting law firms with scams seeking the transfer of funds to domestic or overseas accounts they control. These increasingly sophisticated schemes can involve spoofed emails with erroneous wiring instructions or requests to wire funds before a check has cleared the issuing bank. Email scams have swindled law firms out of millions of dollars. Therefore, [law firm] has enacted the following policy on the issuance of wire transfers.

The firm will not issue any wire transfer of funds [above (insert dollar amount)] based strictly on an email request. It is expected that our accounting department or the firm’s attorney who is making or is involved with any such transaction or request will verbally confirm the legitimacy and accuracy of the wiring instructions with the client, opposing counsel, or other attorneys involved in any transaction or deal, or with any other entity involved, if that entity is not represented by counsel. Red flags to evaluate include when a previously agreed upon manner or method of payment is changed by subsequent email or when a wire transfer is directed to an overseas account when the opposing party is located in the U.S. Confirmation is required, however, even in the absence of any red flags.

The firm will also not issue any wire transfer without a confirmation that any check received is legitimate, has cleared the issuing bank, and that the funds from the check are available for transfer. Attorneys involved in deals or transactions should structure the timing of any closing to comply with this policy. Red flags to evaluate include situations where the client is located abroad or the wire transfer is to be sent to an overseas account, the client insists that the funds be wired as soon as the check has cleared or when the check is issued by a bank from a foreign jurisdiction. Confirmation is required, however, even in the absence of any red flags.

The firm’s lawyers should be on the lookout for other red flags of internet-based scams such as: the initial email from a “prospective client” does not include or provide a referral source, or does not refer to our firm or the lawyer by name but rather involves a salutation such as “Dear barrister/counselor/solicitor,” or is sent to undisclosed recipients, or requests legal services in an area of law in which the lawyer does not practice, or refers to a matter in the attorney’s jurisdiction rather than specifying the jurisdiction, or assures the attorney the matter will resolve quickly or uses poor grammar or awkward phrases.

Violations of this policy could result in discipline up through and including discharge or suspension from the firm.

Effective: [insert date]


1. See, e.g., N.Y.C. Bar Ass’n, Op. 2015-3 (2015), available at /ethics/ethics-opinions-local/2015opinions/2161-formal-opinion-2015-3-lawyers-who-fall-victim-to-internet-scams.

2. Bile v. RREMC, LLC, 2016 WL 4487864 (E.D. Va., Aug. 24, 2016).

3. See, e.g., Pelham v. Greisheimer, 92 Ill. 2d 13, 19 (1982) (“The traditional, general rule has been that the attorney is liable only to his client, not to third persons.”).

4. Bile, 2016 WL 4487864 at * 13.

5. Id. at *3.

6. Id. at *4.

7. Id. at *4-5.

8. Id. at *5.

9. Id. at *2. Additional arguments were presented involving substantial performance, materiality, and various provisions involving Article 3 of the Uniform Commercial Code. Id.

10. Id. at *4.

11. N.Y.C. Bar Ass’n, Op. 2015-3 (2015) at 4 (“if an email or course of dealing with the [purported] client contains one or more of the red flags … the safest course may be to delete it.”) citing California Committee on Professional Responsibility and Conduct Ethics Alert: Internet Scams Targeting Lawyers (Jan. 2011) [hereinafter Internet Scams Targeting Lawyers], available at (noting that “[t]he best approach is to ignore such solicitations altogether.”).

12. N.Y.C. Bar Ass’n, Op. 2015-3 (2015) at 5 (emphasis added), quoting N.Y. State Bar Ass’n, Ethics Op. 923 (2012) (“if the purported prospective client is actually seeking to defraud the lawyer rather than to obtain legal services, then the person is neither an actual nor a prospective client and is not entitled to those confidentiality protections.”); Utah Advisory Op. 15.03 (2015) (explaining “an attorney has no duty of confidentiality under Rule 1.6 because the ‘client’ never intended to form an attorney-client relationship, but rather sought to defraud the lawyer. Thus, the attorney may report the scheme without violating any duty of confidentiality.”). See also Bradford & Bradford, P.A. v. Attorneys Liability Protection Society, Inc., 2010 WL 4225907, at *5-6 (D.S.C. 2010) (holding no attorney-client relationship was formed where the representation was sought “solely for the purpose of perpetuating a fraud”).

13. By its terms, Article 3 applies to negotiable instruments, whereas Article 4 applies to wire transfers. Bile, 2016 WL 4487864 at *7, n.17. The parties agreed that Article 3 could provide persuasive authority. Id. at *7, n.18.

14. Id. at *8.

15. Id. at *6.

16. Id. at *11.

17. Id.

18. The district court at *12 of its decision noted that the ABA republished an ethics alert from the State Bar of California’s Ethics Hotline. See Internet Scams Targeting Lawyers, supra note 11.

19. Id. at *12, citing New Twist on Counterfeit Check Schemes Targeting U.S. Law Firms, Federal Bureau of Investigation, available at

20. Bile, 2016 WL 4487864 at *12.

21. Id.

22. Id. at *3.

23. Id.

24. Id. at *13.

25. This Phishing Attack is Almost Impossible to Detect on Chrome, Firefox and Opera, The Hacker News, Apr. 17, 2017, available at

26. Model Rules of Prof’l Conduct R. 1.1 (2018).

27. N.Y.C. Bar Ass’n, Op. 2015-3 (2015) at 5 (“an attorney who fails to exercise reasonable diligence to identify and avoid an Internet scam may violate Rule 1.1.”), citing Iowa Sup. Ct. Disciplinary Bd. v. Wright, 840 N.W.2d 295 (Iowa 2013) (attorney violated duty of competence by failing to conduct a cursory Internet search, which would have revealed the existence of an Internet scam that resulted in financial loss to the attorney’s other clients).

28. Id. at 1. See also Business E-Mail Compromise The 5 Billion Dollar Scam, Federal Bureau of Investigation, May 4, 2017, available at /2017/170504.aspx.

29. N.Y.C. Bar Ass’n, Op. 2015-3 (2015) at 3-4.

30. Id. at 5.

31. Id. at 4 (“if an email or the course of dealing with the [prospective] client contains one or more of the red flags noted above, the safest course is to delete it”) citing Internet Scams Targeting Lawyers, supra note 11 (“The best approach is to ignore such solicitations altogether.”).

32. Id. at 5.

33. Id.

34. Email spoofing involves “faking the return address on an outgoing email to hide the true origin of the message.” See Gmail Help, (last visited June 14, 2018). An email account does not have to be compromised in order to send a spoofed email message. Spoofing an email address is relatively easy. All that is required is a server that sends email using the traditional Simple Mail Transfer Protocol (SMTP), and some readily available software. A spoofed email contains an email header specified by the sender rather than the email address for the registered domain from which the email is sent. The spoofing victim receives an email appearing to be from the address specified by the sender. See, e.g., Alan Henry, How Spammers Spoof Your Email Address (and How to Protect Yourself), Life Hacker, May 21, 2014, available at

35. Bile, 2016 WL 4487864 at *3.

36. Dennis Fisher, What is a Man-in-the-Middle Attack?, Kaspersky Lab Daily, Apr. 10, 2013, available at

The most common MITM attack involves an attacker using a WiFi router as the mechanism with which to intercept user communications. This can be done either by setting up a malicious router that appears to be legitimate, or by exploiting a flaw in the setup of a legitimate router in order to intercept users’ sessions on the router. In the former scenario, an attacker could configure his laptop or other wireless device to act as a WiFi hotspot and give it a name commonly used in a public area such as an airport or coffee shop. Then, as users connect to the “router” and attempt to reach sensitive sites such as online banking sites or commerce sites, the attacker can capture their credentials for later use. In the latter example, an attacker identifies a weakness in the configuration or encryption implementation of a legitimate WiFi router and then exploits that flaw in order to eavesdrop on communications between users and the router.

37. Brian Krebs, Yahoo: One Billion More Accounts Hacked, Krebs on Security, Dec. 16, 2016, available at

38. Business E-Mail Compromise, an Emerging Global Threat, Federal Bureau of Investigation, Aug. 28, 2015, available at /business-e-mail-compromise (suggesting, among other things, verifying changes in vendor payment location; confirming requests for transfer of funds; and, with regard to wire transfer payments, being suspicious of requests for secrecy or pressure to take action quickly).

39. See, e.g., Wirtz v. City of South Bend, 669 F.3d 860, 863 (7th Cir. 2012) (“[a] district court decision does not have precedential effect”); Camreta v. Greene, 563 U.S. 692, 131 S.Ct. 2020, 2033, n. 7 (2011) (“[a] decision of a federal district court judge is not binding precedent in either a different judicial district, the same judicial district, or even upon the same judge in a different case”).

40. Bruce Schneier quote, The Information Warfare Site, available at (last visited June 15, 2018).

41. Business E-Mail Compromise The 5 Billion Dollar Scam, Federal Bureau of Investigation, May 4, 2017, available at Other strategies to consider include avoiding the use of free web-based email accounts, not posting detailed information about job duties or out-of-office details on social media and firm websites, and being wary of sudden changes in business practices, any last-minute changes to wire instructions and any requests for secrecy or pressure to take action quickly. Id.

42. See, e.g., Pestmaster Servs. v. Travelers Cas. & Sur. Co., 2016 U.S. App. LEXIS 13829 *2 (9th Cir. 2016) (“Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and a fraud at some point in the transaction would convert this Crime Policy into a ‘General Fraud’ Policy.”).

Steven M. Puiszis

Steven Puiszis is a partner in the Chicago office of Hinshaw & Culbertson LLP. He serves as the Firm’s General Counsel–Privacy, Security & Compliance. Steve is certified in information privacy (CIPP/US) by the International Association of Privacy Professionals. He is a member of Hinshaw’s Lawyers for the Professions Practice Group, which represents and counsels lawyers and law firms on professional liability, professional responsibility and risk management issues. Steve is a Fellow of the American Bar Foundation and is a Past President of the Illinois Association of Defense Trial Counsel. He also serves as the Chair of DRI’s Center for Law and Public Policy. Steve has authored book chapters on law firm risk management, data protection and privacy in the U.S., mitigating law firm cyber risk, and on electronic discovery.