Q: What protection does a Lender or a consumer have if they wire funds to an lawyers IOLTA (trust) account for a closing and someone hacks in and takes the money?
A: Well, that all depends on where and how the hacker got in.
There are brute force hacks, Trojans, and interceptions.
In a brute force, the hacker would crack through the attorney or lender firewall, and get the sensitive information. We have installed a commercial grade router/firewall that cost about $1200 to prevent these attacks, and encrypted the information on our servers.
In a Trojan, the hacker would use social engineering to get an employee of the attorney to download malicious code that would allow the hacker to gain access to passcodes. We have antivirus and malware sweepers that run 3 times per day on every computer and server to prevent this. In addition, we require strong passwords, and are required to change them every 60 days.
Interception would be where the hacker intercepts an email and uses it to trick an employee of the attorney, or the client themselves, to somehow transfer the money. To prevent this, we use commercial grade encrypted emails for any information that could be used to attempt this, or emails that contain NPI (non-public personal information). We advise our clients in our initial letter to them that they will receive wiring instructions from us via a secure email. They should confirm those instructions with us by phone prior to using them, and again if they receive any changed instructions.
Even if they got this information from us, they could not initiate any transfers from our account, as we have ACH blocks on our IOLTA accounts. So the only way to get money out of our IOLTA is to write a physical check or do a wire. All our check stock is locked in a secure room in our office, not connected to any exterior walls. Our IOLTA account setup requires us to go in to the bank, produce Identification and initiate the wire in person. Some Attorneys have gone to electronic wires, which they can initiate from their desktop computer in their office. That is certainly more convenient, but expose the account to more risk. We specifically have not done that, despite the inconvenience, to protect client’s money as best we can.
The most likely scenario is the fraudulent wire instructions. Of that, there are two variations. One, we wire to the wrong place, or two, the client does.
We verify with the clients by phone any wire instructions they send to us. And just like our instructions to them, we call again and verify any changes. It is unlikely that we would wire to the wrong place.
The more likely scenario is that the client wires to the wrong place. This has happened (not to us, but to some other CT Attorneys). The client gets a false email, spoofed to look like it came from the attorney. The false email has wire instructions that are different from the actual attorney ones, and the client does not verify the change. This scenario starts with the attorney sending, by secure email, to one spouse the instructions and amounts. That spouse then sends the information to the other spouse (who will actually do the wire transfer) by unsecured email. That unsecured email is intercepted. Using it, the hacker spoofs an email to the spouse, appearing to be from the attorney, and changes the instructions. The sending Spouse fails to call the attorney and verify, and just initiates the wire to the wrong account.
In this case, the client is out of luck.
For more information about this subject, contact us directly.