As cybersecurity attorneys we live and breath security issues – from the latest mammoth breach to perennial phishing scams. In this spectrum is a well-honed “cyber grift” that targets law firms and attorneys. As a service to our fellow attorneys we’ve put together this primer to help spot and react to such fraud attempts, which can have dire financial consequences as well as potential ethical consequences from bar grievance committees due to the fact they (when successful) can leave trust accounts in disarray.
So when an attempt was recently launched against us we immediately recognized it for what it was, and to report on the scam (as well as gain additional details to forward to law enforcement officials) we donned a naïve, but well-intentioned attorney, persona to “scam the scammer” and reel them in on their own hook.
Typically the scam follows a formulaic pattern: a foreign entity claims they have a breach of contract or other dispute with a party in the same jurisdiction as the attorney; perfunctory inquiries are made by the scammer; an “agreement” underpinning the putative dispute is sent to the attorney, followed, mirabile dictu, by a check from the local party made out to the attorney’s firm as a “partial settlement” – often before the attorney has completed due diligence of the “client” or sent a formal engagement agreement.
Here’s what the recent attempt revealed.
Lessons Learned – How to Spot The Law Firm Cyber Grift
In truth, red flags went up immediately. As with many boutique law firms, our client base consists both of entities and individuals we have long relationships with as well as other clients who come and go as they need our expertise. As a result, inquiries are constant and go through our standard client intake process.
Attorney cyber grifts attempt to circumvent the typical intake process or make it more difficult by design to conduct proper due diligence. Here’s what our attempted scamster tried in classic style, and the warning signs at each step:
- They inevitably say that are located in a foreign or distant locale.
- Our attempted scammer used a Japanese company as a backdrop. When queried why he was using a gmail.com account instead of an email issuing from the firm’s co.jp domain the scammer said their “domain server provider is down at the moment.” Red flag.
- They will not or cannot provide key information necessary for any legitimate dispute resolution.
- For example, when we asked who their general counsel was so we could discuss legal issues directly we were told “we are searching for a new counsel.” Red flag.
- When asked for the putatively breaching party’s counsel they said they didn’t know. Red flag.
- When asked if he was located in the U.S. or Japan we were told the company was in Japan, but he was “out of country for a week regarding a business seminar.” Red flag.
- They will push quickly for a retainer agreement and provide an agreement that would never have been issued by an attorney.
- For instance, the “intellectual property agreement” we were provided for review was five pages, and missing virtually every component an actual IP agreement would contain – i.e. no meaningful description of IP, no confidentiality provision, nothing as to limitation of liability or indemnification, and our favorite, deeming exclusive jurisdiction for purposes of “any suit, action or other proceeding arising out of this agreement” to the “Supreme Court of [sic] United States.” Sea of red flags.
- A check will miraculously appear from the opposing party.
- Following on the heels of the agreement, we received an email that they notified opposing party they were seeking to retain us and were “happy to notify” us with the news that the opposing party was sending a $350,000 check as partial settlement, out of which we should “deduct your retainer fee from the sum.” Red flag.
- In connection were we directed to “pause any further action now that they have complied to start making payment.” Red flag.
- The check will be drawn on a foreign bank.
- Sure enough, we received a $350,000 check. Dispute the fact that the scammer’s adversary was located in Naugatuck, CT the check was putatively issued from the Banque Royale du Canada, in Montreal. Red flag
- The cover note accompanying the check will be perfunctory.
- Along with the check, the cover note was laughable, and once again, no real information tied to the patsy local company being used was provided. For example, the name given on the cover note from the putative adversary indicated no title, provided no phone number, and again used an email address not tied to the company itself. More red flags.
- They will be unavailable to speak directly.
- When asked for a time to speak directly, we were told “I am out of the country 3 weeks business seminar, I will phone you once I am back, update us once you receive the payment, have a great day.” Red flag.
Steps to Take.
Needless to say, at no point were we taken in or fooled by any of these efforts. We led the scammer on to learn what they would try next and to have a detailed report to provide to law enforcement. We also notified the local Connecticut company that they were being used as well by scammers.
While this attempted grift was painfully inadequate at every step, there are much more sophisticated scams, cons and grifts out there, which require a high level of due diligence to both detect and thwart and that may target companies of all types – not merely law firms and attorneys.
The key is to stay alert and to adhere without fail to the old motto “trust but verify.”