A lawyer was waiting on a fax with all the information she needed to complete a wire transfer. Fax received, money sent. What she didn’t know? Her email had been hacked. Cybercriminals had intercepted the fax and edited the wire transfer details before sending it. The money was gone. The worst part? This new cybersecurity scam is really easy to execute and happening everywhere. ALPS Risk Manager Mark Bassingthwaighte lays out the details and how to spot the breadcrumbs so you and your firm’s employees won’t be caught off guard.
Hello, and welcome to ALPS In Brief, the podcast that comes to you from the historic Florence Building in beautiful downtown Missoula, Montana. I’m Mark Bassingthwaighte, the Risk Manager here at ALPS. Today, I’m going to do a little solo performance, and thought it would be really worthwhile to talk about how to avoid cybercrime, being a victim of cybercrime. And I am particularly going to focus on wire fraud, business email compromise. We have had a number of lawyers impacted by this with literally millions of dollars, in total together, stolen. And certainly, this problem is not limited to lawyers, but there is one very easy way to avoid falling victim to these types of attacks. And I’d really like to explore that a little bit. And what I’m going to get to is simply… explain and describe the process of an out-of-band communication, and actually this process can be valuable in other ways as well.
But I thought the best way to try to share what an out-of-band communication is and explain the whole process, is through sharing two stories and then talking about how it could have been handled differently through the use of an out-of-band communication. So here are two stories that also, I guess, for some of you may underscore how sophisticated cybercrime is becoming. The first is not a law firm situation but an excellent example, and it has to do with what we call deepfake audio. And I think some people are becoming more and more aware that deepfake audios and deepfake videos exist. But let me explain what that is. A deepfake video is when you take a person and you might be… I’ve seen some really good ones with Mark Zuckerberg and President Obama over the years, and it just…
You see these individuals talking, but they are saying something in their voice and it sounds perfect that they never said. And so, these are deepfakes, it’s just altered. And these things can be done, not only with video but with audio. So, sort of with that understanding, here’s what happened. A CEO at a corporation was out of the office on… Just traveling on business. And the CFO at the corporation received a phone call during this time away. And later on, he reported that this call or, I should say, the voice on the call, was absolutely perfect. He was utterly convinced he was speaking with the CEO, the way the CEO used the language, the way he… Just the way he spoke, it was just spot on. So, believing that he was speaking with the CEO, he was instructed and followed through on wiring around $275,000 out of the country.
Because of the success of that, a little bit later another call came in, again to the CFO, purportedly from the CFO, and there are some other discussions in sharing and there are some other reasons he needs some more money moved. And it’s only by happenstance that as the CFO was talking on the phone, he could see… He just glanced at his phone and saw that the number, the originating number, was a New Zealand phone number. And he knew that the CEO was not in New Zealand, and terminated the call, and really started to say, “Oh my gosh, this is fake. And we’ve been scammed.” Unfortunately, the initial funds that were transferred were not recovered, but at least no more money was taken. So with that, that’s an example of a deepfake audio cybercrime.
Now, here’s a second story that did involve a law firm. And, many lawyers are aware of phishing attacks, fake emails, spoofed emails, and all kinds of things, but here’s an attack that was very sophisticated. In short, the law firm worked with a company that provides eFax services. And they set up a dedicated email account for these faxes to come into the firm. And unbeknownst to anyone at the firm, the firm’s email accounts, all of them, were breached and someone was monitoring what was going on. And this is not uncommon in terms of having someone monitor your email and those kinds of things. It often will go easily, maybe a couple of weeks to several months. And what they are doing is, as they’re monitoring, obviously, they’re looking for opportunity, of course, but they are also learning who talks, who the players are, how they communicate in writing and just understand sort of the business model, what’s going on.
Because, when they make their move and there are a variety of ways they’ll make their move, they’re going to look and have it appear to be really accurate and legitimate. But anyway… So, here’s what happened with this situation. The bad guy, if you will, was monitoring and very interested in the eFax account because these lawyers happen to do real estate. And there were a lot of instructions coming through via fax. If a fax had… Was of no interest it would kind of be forwarded along really quickly so no one was aware that these emails were being intercepted and looked at. At one point, a fax came through authorizing… Wiring instructions or whatnot, for a significant amount of money on the sale of a home. And all the hacker had to do was just take that fax and change the routing number, the wiring instructions here on this document. Made that change, sent it on.
So, please understand what happened here. A lawyer is expecting a fax with all the information he or she needs to complete this transfer or to follow through [inaudible 00:07:27] moving the money, it’s an expected email, an expected fax coming in via email. It is from a known and trusted source. No one knows, however, that it has been intercepted and the routing information changed. So, based on a belief that everything is absolutely fine, a substantial amount of funds were wired. And of course, to the wrong bank, the wrong individual, and there was a substantial loss there. So, those are two stories about… Just giving examples of how crazy cybercrime has gotten. But, how could you have prevented this from happening? And it really is quite easy. And it’s done through the use of an out-of-band communication. And it simply means we’re going to change the communication channel to verify.
So for instance, in the first example where we had a deepfake audio. What could have happened, right? Perhaps I should say, should have happened, is the company would have a policy that says whenever we’re moving any substantial amount of money… And we can define what that is, 5,000, 25,000, whatever works for your own situation, but let’s say it’s $5,000. So, anytime we’re going to move $5,000 or more, you’re going to have an out-of-band communication to verify. And so, with that policy in place, the CFO has received a phone call from someone that he believes is the CEO authorizing or providing instructions to move money. He should hang up. And after that call, he knows what the CEO’s phone number is, he doesn’t have to look it up, he’s not looking at… Just returning the call or anything like that. He texts the CEO, “Hey, boss, in accordance with our policy, I’m just confirming that you called me and have asked me to wire 275,000 to Germany,” or whatever it might be.
And if the boss texts back, “Yes, thank you, please take care of it.” Fine, wire the money. If the boss says, “I don’t know what you’re talking about, it seems like there’s a scam going on here.” Stop, don’t wire the money. In the second situation, again, we have this fax coming in from another lawyer, a realtor, I don’t know where it originated and doesn’t really matter. But, it’s coming. And I would guess in this situation more than one… This is a known… The fax is going between probably a realtor and the lawyer on a fairly regular basis. And so, all the lawyer needed to do was, again, pick up his phone because he knows and has the accurate, known, correct number on his cell phone. And if he doesn’t he’ll look it up or even in… If… At the beginning of representation, you verify with all the parties, what is the trusted contact information? What is your real email? What is your phone number? What is your address?
And then, you go back and you look that up so that you know you’re using the correct phone number. You don’t want to look at a phone number that’s in an email coming to you and use that, because the scammer will give you a fake email… I’m sorry, a fake phone number. But… So, you just… You call in and you say, “Susan, yeah, just received the fax. You know the routine here, just want to confirm. Is the routing number that you’ve given us the accurate number?” And you read it off, “It’s [inaudible 00:11:31] 223…” On and on. And if she says, “Yep, that’s right.” Go ahead and move the money. If she says, “No, that’s wrong.” Somebody is breached. So, stop. You obviously can get the accurate information and continue on with the transaction, but you also now know that you’re breached, somebody is breached, and we need to figure out who and clean these systems up, restore and get whoever’s in the system out.
It may be as simple as just changing passwords on all the emails. You’re going to need some help from somebody that really knows what they’re doing here, can determine how far… What does the attacker have access to? But, you know you’re breached and you need to stop. So, that’s an example of how out-of-band communications can really prevent your becoming a victim of a crime. I have talked, obviously, with our claims attorneys over the years many times, I mean we all get along quite well and interact and keep each other up to speed on what’s going on. And I have yet to hear about any situation, both externally and just other stories with peers and internally from all of our claims lawyers, that if an out-of-band communication would have occurred, that would have prevented every single theft that we have seen. And please understand the vast majority of malpractice policies, I can’t say all of them because I have not seen all of them, but the vast majority of malpractice policies do not cover theft of funds.
So, that should also catch your attention as to the value of implementing a firm-wide policy, with a little training here, that says, no one, I don’t care if it’s the most senior attorney down to the new bookkeeper, is authorized to move any money under any circumstances unless an out-of-band communication has occurred, so that we know we are sending the money to the correct legitimate recipient. So that’s an out-of-band communication. I hope that you have found some value. And let me… I [inaudible 00:14:06] you can take this a little further. At times people receive email that looks legitimate, and it has nothing to do with wiring money and that kind of stuff. But, we’re being tricked into opening an email or opening an attachment, and doing so can unintentionally allow the installation of a malicious program, a malicious app of some sort. And that might be even the pathway in, so that somebody can now start monitoring your email to look for an opportunity to try to commit wire fraud.
So, think about the value too, of training employees and having everyone at the firm be aware that, Hey, if we have some questions about an email that has come in, what is this bill that… Don’t open it yet. Don’t click, don’t look, don’t investigate, because it just feels odd, it feels off. Reach out to the legitimate company or legitimate individual that purportedly sent this to you and say, “We’re not… This doesn’t make sense. I don’t recall authorizing new folks to provide some service [inaudible 00:00:15:30], we don’t have any account with you, we don’t know what you’re talking about. Thank you for letting us know. Somebody apparently might be using our email address or our company name in a fraudulent way and…” But… Again, you just confirm, you figure out in advance, okay, that’s not trustworthy and I don’t want to open that.
So, out-of-band communications can be used in a variety of ways to really thwart the efforts of what cyber criminals are trying to do. So, that’s it. I hope you found something of value in all of this. And as always, if you have any questions, concerns on risk, ethics, cyber security, and whatnot, please don’t hesitate to reach out to me anytime, and you do not need to be an ALPS insured. My email address is firstname.lastname@example.org. Thanks for listening folks, have a good one. Bye-bye.
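The policy described in the episode (no funds move at or above a threshold unless an out-of-band confirmation has happened, using contact details collected at the start of representation rather than anything in the inbound message) can be written down as a release gate. The following is an added illustration, not code from ALPS or from the podcast; the threshold, the contact directory, the email addresses, phone numbers and banking details are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy threshold: at or above this amount an out-of-band confirmation is mandatory.
OOB_THRESHOLD_USD = 5_000

# Constructed trusted-contact directory. In practice this is collected and verified
# at the beginning of representation and never updated from an inbound email, fax
# or phone call, because an attacker who controls the mailbox controls those details.
TRUSTED_CONTACTS = {
    "susan@realtyco.example": "+1-406-555-0100",  # constructed sample number
    "ceo@corp.example": "+1-406-555-0199",        # constructed sample number
}


@dataclass(frozen=True)
class TransferRequest:
    claimed_sender: str      # who the instruction appears to come from
    channel: str             # channel it arrived on, e.g. "email", "efax", "phone"
    amount_usd: float
    routing_number: str      # banking details as they appear in the request
    account_number: str


@dataclass(frozen=True)
class OutOfBandCheck:
    channel: str                 # channel used to confirm; must differ from the request
    contact_used: str            # the number actually dialed or texted
    sender_confirms: bool        # did the real party acknowledge sending the request?
    routing_number: Optional[str] = None   # details read back by the real party
    account_number: Optional[str] = None


def evaluate_transfer(req: TransferRequest,
                      check: Optional[OutOfBandCheck]) -> Tuple[str, str]:
    """Return ("release" | "hold" | "hold-breach", reason).

    "hold-breach" means the confirmation contradicted the request, so besides
    stopping the wire, someone's mailbox or systems should be treated as compromised.
    """
    if req.amount_usd < OOB_THRESHOLD_USD:
        return "release", "below out-of-band threshold"
    if check is None:
        return "hold", "out-of-band confirmation required before moving funds"
    if check.channel == req.channel:
        return "hold", "confirmation must use a different channel than the request"
    trusted = TRUSTED_CONTACTS.get(req.claimed_sender)
    if trusted is None or check.contact_used != trusted:
        return "hold", "contact detail not taken from the trusted directory"
    if not check.sender_confirms:
        return "hold-breach", "named sender denies the instruction; treat as compromised"
    if (check.routing_number, check.account_number) != (req.routing_number, req.account_number):
        return "hold-breach", "banking details differ from what the sender confirms; treat as altered in transit"
    return "release", "out-of-band confirmation matched the request"


def deepfake_call_scenario() -> Tuple[str, str]:
    """Constructed replay of the first story: a convincing voice asks for $275,000."""
    req = TransferRequest("ceo@corp.example", "phone", 275_000, "123456789", "00011122")
    # The CFO hangs up and texts the CEO at the number already on file, and the
    # real CEO replies that no such instruction was given.
    check = OutOfBandCheck("sms", "+1-406-555-0199", sender_confirms=False)
    return evaluate_transfer(req, check)


def altered_fax_scenario() -> Tuple[str, str]:
    """Constructed replay of the second story: an expected fax with a swapped routing number."""
    req = TransferRequest("susan@realtyco.example", "efax", 412_000, "999999999", "00055501")
    # The lawyer phones Susan at the directory number and reads the details back;
    # she confirms sending the fax but the routing number she gives is different.
    check = OutOfBandCheck("phone", "+1-406-555-0100", sender_confirms=True,
                           routing_number="123456789", account_number="00055501")
    return evaluate_transfer(req, check)


if __name__ == "__main__":
    print(deepfake_call_scenario())
    print(altered_fax_scenario())
```

The gate refuses to count a confirmation that reuses the request's own channel or a number pulled from the request itself, which is exactly the trap the episode warns about: a scammer's email will happily supply a phone number that the scammer answers. A "hold-breach" result is the cue to stop the wire and start the cleanup the speaker describes (password changes and a proper look at what the attacker could reach).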