Update: There was no phishing scam today

So, earlier today, I warned of a phishing scam that I believed to be targeting lawyers.

Here’s how the afternoon went.

  • An attorney contacted the Professional Responsibility Program.  The attorney informed my assistant of receiving an email from the “ethics board” that informed the attorney that a complaint had been filed.  The attorney indicated that the e-mail invited the attorney to click on a link to review the complaint and another to file a response.
  • My assistant asked the attorney to forward the e-mail. Then, my assistant informed me that there might be a phishing scam targeting lawyers and that she’d forward the e-mail as soon as she received it from the attorney who contacted her.  Minutes later, she received the e-mail and forwarded it to me.
  • It was obvious that the e-mail was not from Bar Counsel, Disciplinary Counsel, or anyone associated with the Professional Responsibility Program. So, I immediately posted to my blog, warning about the scam. I also posted the warning on Twitter and Instagram.
  • Next, I sent out a warning via e-mail to a very large distribution list.  In it, I warned about the scam.  Finally, I notified lawyers in the Secretary of State’s Office of Professional Regulation, for their own benefit and in case the scammers were also targeting other licensed professionals.  As I was typing the e-mail, Disciplinary Counsel Sarah Katz left me a voice mail. In her message, she said that an attorney had contacted her to ask about an e-mail that purported to notify the attorney that a complaint had been filed with the “ethics board.”  Sarah and the attorney were concerned that the e-mail was fake and a phishing scam.  The attorney who contacted Sarah was not the same attorney who contacted my assistant.
  • In short, within minutes of each other, two different attorneys contacted the Professional Responsibility Program to register concern about what appeared to be a phishing scam targeting lawyers.
  • Turns out, the two lawyers work at the same place.  I’ve since heard from another lawyer who works there, as well as someone from their IT.  Here’s what the IT person wrote:  “Mike, please call me on my cell (xxx-xxxx) or at work at (xxx-xxxx) so that we can talk about the email scam which was a phishing test originated by me.”

That’s right.  False alarm.

Interesting.

Especially since today’s “phishing test”  was almost identical to an actual scam that targeted lawyers last summer, prompted warnings from the state bars of Nevada, California, and Florida, and resulted in this blog post from me.

I apologize for any inconvenience that I caused.

To be clear,  I did not have prior notice.  The office where it happened isn’t exactly small.  I wonder if schools let the fire department know before they conduct fire drills.

In any event, it’s a learning opportunity.  As I mentioned last year and again today, the scam is not uncommon.  The Professional Responsibility Program will never ask a lawyer to click on a link to open or respond to a disciplinary complaint.


Scam Alert: Fake Notice of a Disciplinary Complaint

I’ve become aware of a phishing scam that targets attorneys.

The scam is in the form of an e-mail from the “Ethics Board.”  The e-mail header indicates:

From:  Ethics Board <ethicsboard (at) vermont.gov>

Subject: Notification of Ethics Complaint No. xxxxx

Reply-to:  Ethics Board <ethicsboard (at) vermont.gov>

THIS IS A SCAM.  DO NOT CLICK ON THE LINKS IN THE BODY OF THE E-MAIL!!

Here’s a picture of the e-mail.  It was forwarded to my office by an attorney whose name I have redacted.


THIS IS A SCAM.  DO NOT CLICK ON THE LINKS IN THE BODY OF THE E-MAIL!!

I hovered over the links and it is clear that the links are to malware.

Bar Counsel notifies lawyers whenever a disciplinary complaint is filed.  I will NEVER do so by asking you to click on a link.

Please forward notice of this scam to other lawyers.  If you are targeted, please let me know.

Protect Client Funds, and your Law License, by Learning to Identify Trust Account Scams

Re-posted on May 24, 2017 to reinforce the message and because I inadvertently posted a draft version last night.

I am scheduled to present several CLE programs on various topics between now and the end of June.  At each, no matter my assigned topic, I will use some of the time to warn about trust account scams.

At the seminars, I will be very clear: in my opinion, we’re not far from the day when “but I was scammed!” will not excuse a violation of the rules.  It might mitigate the ultimate sanction, but it will not excuse the failure to safeguard client funds.

By way of analogy, I’ve used this blog to stress the duty to safeguard client information.

With respect to client information:

  • Rule 1.1’s duty of competence includes a duty to act competently to protect client communications.
  • Rule 1.6 prohibits a lawyer from disclosing “information relating to the representation” absent client consent.
  • Rules 1.1 and 1.6 operate to impose a duty to take reasonable precautions to ensure that client information is not disclosed to or accessed by people who shouldn’t receive or access it.
  • The duty necessarily includes taking reasonable precautions to safeguard client information that is transmitted and stored electronically.

I feel the same about client funds.

  • Rule 1.1 requires lawyers to provide competent representation.
  • Rule 1.15 is entitled “safekeeping property.”
  • I construe the two rules as operating to impose a duty to act competently to safeguard client funds.
  • The duty necessarily includes a duty to take reasonable precautions to ensure that client funds are not disbursed to or accessed by people who shouldn’t receive or access them.

In order to take reasonable precautions to safeguard client funds, it’s crucial to understand the various threats to client funds.  Here are 3 common trust account scams and their telltale signs.

  1. Client Outside Vermont is Owed a Debt by a Vermonter
  2. Compromised E-Mail/Wire Instructions
  3. Recipient of Trust Account Check Asks for Wire Instead

Client Outside Vermont is Owed a Debt by a Vermonter.  Client, who is outside of Vermont, contacts Lawyer by e-mail and asks Lawyer for help collecting a debt from someone in Vermont. This version of the scam can take various forms, including:

  •  Client recently divorced and moved away (or was deployed).  The marital property was in Vermont.  Ex-spouse sold the property and has refused to send Client’s share of the proceeds.
  • Client manufactures & sells goods.  Client shipped goods to Purchaser in Vermont.  Purchaser has refused to pay.

Typically, within a very short time of Lawyer agreeing to represent Client, UPS or FedEx delivers a check from “debtor” to Lawyer.  Client is thrilled at how quickly Lawyer convinced debtor to pay! Client directs Lawyer to deposit the check, keep a chunk, and wire the remainder to Client.  Lawyer deposits the check into trust & disburses Client’s share.

A few weeks later, Lawyer’s bank informs Lawyer that the check from “debtor” was fraudulent.  Money that belonged to other clients is no longer in trust, having vanished with the wire to Client.  Trust me, we ain’t in Kansas anymore.  The odds of contacting “Client” and having him or her return the money are not good.

This has happened MULTIPLE times in Vermont over the past year.  Last year, disciplinary counsel recommended that a hearing panel of the Professional Responsibility Board admonish a lawyer who had fallen for this precise scam and improperly disbursed over $400,000 from trust.  The panel rejected the request, concluding that falling for the scam did not rise to the level of an ethics violation.

It’s inconceivable to me that this version of the scam isn’t a violation.  It’s not the equivalent of a football team scoring a touchdown by surprising the defense with a trick play.  It’s Tom Brady throwing a pass to Rob Gronkowski running uncovered down the middle of the field – – with the defenders claiming in the post-game press conference that they didn’t know the Patriots might do that.

To be clear, if Gronkowski is double-teamed but makes an incredible catch of an even more incredible pass, that’s one thing.  On the other hand, the failure to cover Gronkowski as he runs down the middle of the field amounts to a failure to take reasonable precautions against a touchdown pass by Tom Brady.

Compromised E-Mail/Wire Instructions.  This version of the scam typically targets real estate closings.  Attorney holds, or soon will hold, Seller’s proceeds. Attorney receives an e-mail instructing Attorney to wire the proceeds to an account that is different from any account Seller may have previously provided to Attorney.

In one version of this scam, the e-mail account is fake.  For example, let’s pretend I am the Seller.

My e-mail address is michael.kennedy@vermont.gov.  Attorney holds the proceeds of the sale of my house.  Attorney receives an e-mail from micheal.kennedy@vermont.gov instructing Attorney to wire the proceeds to an account that is not the same account that I previously provided to Attorney.

Do you see the scam? If not, here’s a hint.  My name is Michael.  Look closely at how I spelled my first name in the 2nd email address.

This happened in northern Vermont last year.  Seller’s attorney wired the funds after receiving an e-mail that appeared to be from Seller, but was from Seler.  In a stroke of incredible good fortune, Seller happened to walk into Attorney’s office within minutes of Attorney wiring the funds.  They quickly figured out what had happened, contacted Attorney’s bank, and stopped the wire.

In another version of this scam, the e-mail is actually from Seller or Seller’s attorney, but the account has been hacked/compromised.  The e-mail includes new wiring instructions and is often followed-up by a phone call from a number that’s been hacked to appear as if it’s from Seller or Seller’s attorney.  Like the others, this version of the scam recently caught a Vermont lawyer.

When wiring instructions are changed by e-mail or phone call, take the time to confirm the change by speaking with someone who you know (a) is who they say they are; and, (b) has the authority to make the change.
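
An added example, not part of the original post: the Python below screens an e-mailed wire request for both versions of the scam described above. It flags a sender address that is a near-miss of one already on file (the michael/micheal swap), and it flags any account that differs from the one on file, which is the only signal left when the genuine e-mail account has been compromised. The function names, the two-edit threshold, and the account numbers are assumptions made for illustration.

```python
from dataclasses import dataclass


def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent characters costs one edit,
    so 'michael' -> 'micheal' scores 1 rather than 2."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def classify_sender(sender: str, known_addresses, max_edits: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', matched address or None).
    max_edits is an assumed threshold; tune it to your own address book."""
    s = sender.strip().lower()
    known = [k.strip().lower() for k in known_addresses]
    if s in known:
        return ("known", s)
    for k in known:
        if osa_distance(s, k) <= max_edits:
            return ("lookalike", k)
    return ("unknown", None)


def normalize_account(number: str) -> str:
    """Ignore spaces and dashes when comparing account numbers."""
    return "".join(ch for ch in number if ch.isalnum())


@dataclass
class WireRequest:
    sender: str   # address taken from the e-mail's From header
    account: str  # destination account stated in the e-mail


def review_wire_request(req: WireRequest, known_addresses, account_on_file: str):
    """Return a list of flags; an empty list means nothing looked unusual."""
    flags = []
    verdict, match = classify_sender(req.sender, known_addresses)
    if verdict == "lookalike":
        flags.append(f"LOOKALIKE_SENDER: imitates {match}")
    elif verdict == "unknown":
        flags.append("UNKNOWN_SENDER: address is not on file")
    if normalize_account(req.account) != normalize_account(account_on_file):
        # A changed account is flagged even when the sender is genuine:
        # a compromised mailbox sends from the real address.
        flags.append("ACCOUNT_CHANGED: confirm by calling a number already on file")
    return flags


if __name__ == "__main__":
    # Constructed sample data: the addresses come from the post's example,
    # the account numbers are made up.
    on_file = ["michael.kennedy@vermont.gov"]
    requests = [
        WireRequest("micheal.kennedy@vermont.gov", "999-000-111"),
        WireRequest("michael.kennedy@vermont.gov", "999-000-111"),
        WireRequest("michael.kennedy@vermont.gov", "123 456 789"),
    ]
    for r in requests:
        print(r.sender, review_wire_request(r, on_file, "123-456-789"))
```

Any flag means the wire waits until someone at the firm has spoken with the client at a number that was on file before the e-mail arrived.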

The North Carolina State Bar issued a warning about this version of the scam.   Please read the warning.  In my view, the duties that it highlights are as applicable in Vermont as they are in North Carolina.

Recipient of Trust Account Check Asks for Wire Instead.  This has been going on for years.  Attorney delivers a trust account check.  The recipient asks Attorney for a wire instead.

Alarm bells should go off whenever you deliver a check and the recipient asks that you disburse by wire instead.

Even if this happens at the closing table, and the request for a wire comes 3 seconds after you handed a trust account check to Seller, beware!  Without you noticing, Seller might have used a mobile device to scan and “deposit” the check.  When you take it back and send a wire instead, the money could be gone TWICE from your trust account. Money that belongs to other clients.

This too happened many years ago in Vermont.  Client arrived at Lawyer’s office to pick up a check.  Lawyer handed the check to Client.  Client left the office, but came back in about a minute later.  Client gave the check back to Lawyer and asked for a wire.  Lawyer took back the check, ripped it up, and wired the funds.

In the parking lot, Client had used an app to “cash” the check.

Key takeaway: your antennae should be tuned into any situation in which you deliver funds by trust account check & the payee later asks for them by wire instead.

Again, I do not think we’re far from the day when a lawyer who falls for a scam will be disciplined.  My thinking mirrors the conclusion reached by the North Carolina State Bar in Inquiries #4 & #5 of 2015 Formal Opinion 6.  As the NC Bar stated:

  • a lawyer has a duty to implement reasonable security measures to protect client funds;
  • a lawyer has a duty to stay abreast of the risks associated with online banking and to actively maintain end-user security at the law firm, including by non-legal staff; and,
  • the failure to verify a disbursement change constitutes a failure to use reasonable precautions to protect client funds.

I understand that scams are sophisticated and ever-evolving.  But most scams share telltale signs.  At some point, we’re going to have to accept the old adage: fool us once, shame on you.  Fool us twice, shame on us.


Don’t Click

Last week, I warned about the latest scam.

Yesterday, I saw this story on the ABA Journal’s website.

For those of you taking the title of this post literally, it’s a story of a prosecutor’s office in Pennsylvania that had to pay $1400 in bitcoin to hackers who had taken control of the office’s computer network.  The hackers gained control when an office employee clicked on a link in an email.  The link installed malware that infected and encrypted the office’s network.

I don’t know if it was the same scam I warned about.  But it was similar. And that’s how malware scammers work: they bait you into clicking.

Don’t Click.

I wonder if I should write a “Don’t Click” version of No Doubt’s Don’t Speak.

Five for Friday: Week 42

UPDATED. Earlier version was a draft posted by mistake.  Nice tech competence by bar counsel.

Before we get to the quiz, an alert: scams continue to target lawyers.  This month alone, Vermont lawyers have been targeted as follows:

  • #1. Out-of-state client retained lawyer to “buy a crane” from a Vermonter.  Client was only available by e-mail and did not need lawyer to contact the party selling the crane.  Client only needed a contract, and to have lawyer run the purchase money through lawyer’s trust account.  A check arrived by Fed Ex. It was drawn on a Canadian bank and exceeded the sum of purchase price + lawyer’s fee.  Client sent an e-mail instructing lawyer to wire funds to the seller and to “keep the extra.”
  • #2. Closing attorney received an e-mail from Seller’s attorney instructing Closing attorney to wire purchase proceeds to Seller’s attorney. The e-mail had all of the details of the transaction correct. Closing attorney wired funds, pursuant to the instructions.  Days later, Seller’s attorney contacted Closing attorney to ask where the money was. All involved determined that Seller’s attorney’s email had been hacked and monitored.  Scam detected, money, however, gone.
  • #3.  Not sure this one is a scam, but I think so.  Attorney received a phone call from someone Attorney had never heard from before.  Caller informed Attorney that Caller is calling about a matter that Attorney is working on with another lawyer.  Caller used the name of an actual Vermont lawyer. Fortunately, in this scenario, Attorney recognized Lawyer’s name, knew she did not have any pending matters with him, and hung up. She called Lawyer who confirmed that he had never heard of Caller and did not represent Caller.  We suspect it was the beginning of a scam.

Scenario 1 is increasingly common.  It often involves a caller purporting to be from Texas.  It usually involves a crane but, perhaps modified to apply to Vermont, often involves large farm vehicles.

An element common to most scams is the out-of-state client, who you never meet, who either buys something from a Vermonter or seeks to enforce a debt against a Vermonter.  Within days of your involvement, a bank check arrives by Fed Ex or UPS, followed by an e-mail with instructions to wire the funds somewhere outside of Vermont.  It is not uncommon for the amount of the check to exceed the sum of the purchase price/debt & your fee, with the out-of-state caller instructing you to keep the rest for doing such prompt work.

As for receiving an e-mail from a lawyer whose account has been hacked, I do not know what to tell you other than, perhaps, confirm instructions by phone.

I also heard this week from a lawyer whose bank had assured him that it had placed an “ACH block” on his trust account.  Meaning, no ACH debits to the account.  In fact, it had not and someone was able to access the account and withdraw funds.  Even after the lawyer contacted the bank, sorted out what had happened, and was informed that, now, the ACH block was in place……it happened again.

Finally, there is a scam in which an e-mail purporting to be from the client will instruct funds to be wired.  Using me as your client in this example, the e-mail will come from micheal.kennedy@vermont.gov …. hold that thought, it’s relevant to today’s quiz.

  • The rules:
    • No rules.  Open search engine. Exception – Question 5.
    • You may enter as a team.
    • Please forward this to as many colleagues and friends as possible.
    • Important: please email answers to michael.kennedy@vermont.gov

Question 1

In the paragraph above that begins with Finally, what is the scam?

Question 2

The following quote is me talking, either at a CLE or in response to an inquiry.  There will be two blanks, each filled by the issue I’m discussing (same answer for each). Identify the issue.

  • “Your duty is to act competently to safeguard client information, including taking reasonable precautions to safeguard client communications from unauthorized access or receipt by third parties.  Historically, ‘reasonable precautions’ have not included __________. Recently, however, several people associated with attorney regulation have indicated that it may no longer be reasonable not to ____________.”

Question 3

Client retains you for a flat fee of $2000.  One month later, the fee agreement has not been reduced to writing and you have done some, but not much, work for Client.  Which is most accurate under Vermont’s Rules of Professional Conduct?

  • A.  Unless it’s a criminal case, you’ve violated the ethics rules.
  • B.  The bulk of the funds should be in your trust account.
  • C.   Fees paid in advance are earned upon receipt, so the funds should be in your operating account.
  • D.  You violated the ethics rules by failing to reduce the agreement to writing within a reasonable time of commencing the representation.

Question 4

Lawyer called me with an inquiry. I listened, then I responded “whether you can represent Mr. Orange will turn on whether you received from Mr. Blonde information that could be significantly harmful to Mr. Blonde.”

Given my statement, what do we know for sure?

  • A.  Mr. Blonde is Lawyer’s former client.
  • B.  Mr. Orange is suing Mr. Blonde.
  • C.  Mr. Blonde is deceased.
  • D.  Mr. Blonde met with, but did not retain, Lawyer.

Question 5

A few weeks ago, Sarah Paulson won the Emmy for Best Lead Actress in a Limited Series or Movie for a role in which she played a well-known prosecutor.  The show also starred John Travolta, Cuba Gooding Jr., and David Schwimmer and re-told the story of a trial that took place over 20 years ago.

Part 1:  Name the prosecutor who Paulson portrayed.

Part 2:  Name the defendant.

Another Scam

Here’s the latest scam to target real estate practitioners and their clients.

  • Lender forwarded to Law Firm a request for a title search and for representation of Buyer at closing.
  • Two days later, Buyer received a call from someone purporting to be from Law Firm.
  • Caller had  the address of the property, Realtor’s name, and other pertinent information.
  • Caller told Buyer that Law Firm required a prepayment of $500.00 to commence work.
  • Buyer gave Caller a credit card number and authorized a charge of $500.

It was a fraud.  Someone’s email had been hacked – either Law Firm’s, Lender’s,  Buyer’s or Realtor’s.

Law Firm now includes in its engagement letter language indicating that it WILL NOT ask for credit card info over the phone.

Remember Sergeant Phil:
