It all seemed so routine, so straightforward. The case was settled, with a $500,000 payment to be made to the approved settlement administrator. The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions. Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated. Poof – gone in an instant.
Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions. But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say? Was it from publicly available information in the court file? Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator? Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials? Continue Reading Bad news on law firm data security