Management Assistance Program
Don’t Become the Victim of a Wire Fraud Scheme
By Jim Calloway
When I was in law school, a cashier’s check was deemed to be just as good as cash because it was guaranteed by the bank. While that is still technically and legally true today, the question is whether you are holding a valid cashier’s check. Criminals now have the ability to create forged cashier’s checks that are indistinguishable from the real thing, with holograms and watermarks and often drawn on a legitimate bank account. Hopefully everyone in the legal community now understands that depositing a cashier’s check and then wiring money out against the check a few days later is an extremely risky practice.
Recently we received reports of increasingly sophisticated wire fraud schemes directed at Oklahoma lawyers. My advice to you is that in the same way you now have to be suspicious of a cashier’s check, you have to be extremely cautious, double and triple checking, anytime you are wiring money today.
RECENT FRAUDULENT SCHEMES
Just a few months ago, a lawyer reported to us that his banker had saved him from being defrauded. He emailed the banker wiring instructions for a sum of money. He believes that someone intercepted his email, altered the wiring instructions and sent the email along to the banker. When the banker received the email, it all looked legitimate, but the banker spotted the suspicious wiring instructions and contacted the lawyer. No money was lost.
Even more recently, a fraudster had quite a long email exchange with the office manager in an Oklahoma law firm while posing as a senior lawyer. The emails appeared to be from the lawyer’s account. At first, the “lawyer” asked a few questions about wiring since they hadn’t done it recently, which succeeded in convincing the staff person she was corresponding with the lawyer. The fraudster had somehow obtained an actual client’s name to mention in the emails. Luckily, the first attempt was to convince the office manager to wire out far more than the trust account total balance. Then, when an email suggested wiring out a large amount that would’ve involved the deposits of several clients with an explanation of “Don’t worry. I’m bringing a big check in to deposit tomorrow to cover everything,” the staff person recognized that was never something the lawyer would say or do and called the lawyer’s cellphone.
The lesson here seems simple to me. You should never use plain, unencrypted email to deliver wiring instructions. Email is not secure. This is not a secure method of handling your business.
According to the Oklahoma Bankers Association, the typical situation is not someone intercepting an email and altering it, movie hacker style. It is normally that the bad guy is already inside the victim’s computer system. Sometimes they wait for weeks or months reading all of your email traffic until they find a potential target.
One way that could happen is a breach of your Office 365 account, when you are tricked into giving your username and password to an evildoer who sends you a fake Office 365 login screen. Many of us who have switched to Office 365 have seen the login screen pop up at odd times. If a fraudster can convince you it is a valid Office 365 login screen and you “log in,” then he will have everything needed to access all of your Outlook email, your OneDrive and other Office 365 tools on an ongoing basis.
So how do you keep from becoming a victim?
As I noted in the March 2019 Oklahoma Bar Journal article “Two-Factor Authentication is Critical Today,” two-factor authentication will limit many risks.
A telephone call can also serve as a good security measure. Generally, the process a banker follows for wiring money involves confirmation with a telephone call before wiring any money. Don’t hesitate to also confirm this with a phone call yourself.
For the law office, a good policy is to explain to everyone they should never wire out any money until they have received voice telephone confirmation from the lawyer in charge whose voice they recognize. All of the frantic emails about how the deadline is today and the lawyer is tied up in court should be ignored until they hear the lawyer’s voice.
Sometimes a phone call is your best solution to a problem.
If you are concerned your law office network has been compromised, change all of the passwords (including Office 365) and consider using two-factor authentication.
Mr. Calloway is OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8060, firstname.lastname@example.org. It’s a free member benefit!
Originally published in the Oklahoma Bar Journal — Apr., 2019 — Vol. 90, No. 4