ethicking.com

View Original

"Oh I know it'll happen, but it'll never happen to me..."

First, many sympathies to my friends at Holland & Knight. For those of you not in my little nerd world, H&K has one of the biggest and most robust legal ethics and risk management practices in the country. Unfortunately, it is now facing a lawsuit alleging that it was hacked and a fraudster posed as a stock seller, leading to a diversion of a $3.1 million wire transfer. I know nothing about the merits of this suit so I won’t try to guess to comment, but still. Ouch.

When I talk to lawyers about scams, any kind of scams, most respond somewhat defensively. “How could anyone possibly fall for that? My BS detector would have picked that up.” And yes, we know that the IRS doesn’t make robocalls requesting a credit card number; that we don’t know any royalty in Nigeria who want to wire us money; and that nobody who really needs legal help in the United States starts an email with “Hello Barrister I am in need of enlisting your aid in enforcing a loan agreement in your jurisdiction” (which is why, when versions of that email come in, we quickly delete them—you do that, right?).

The problem is, the scams are getting smarter. The overseas prince has sophisticated cousins. The introductory message looks good, and references real-life companies, and real people with LinkedIn profiles. They use “firstname.lastname” instead of “PrinceScammer57573695269726” as their email address, and have a U.S. phone number and a plausible reason they can’t meet in person (I’m sure the pandemic has only exacerbated this). Their stories, told over the phone or over videoconferencing are compelling—”I was fired after my boss hit on me and I refused to reciprocate.” They sign a contingency fee agreement, give you the opposing party’s contact information, you reach out and negotiate a swift settlement, all seems well.

Did you know that the term “con” (i.e. “con artist”) comes from “confidence,” as in, an attempt to rip someone off after first gaining their confidence?

Yes, sadly, I am speaking from personal experience here.

And I’m sure some of you are reading this are going, “oh, I would have seen through this right away, I mean he GAVE you contact information instead of you getting it yourself?” You’re on your high horse because I told you right at the beginning that I was going to be talking about scams. But if it was actually happening to you in real time, you may not have seen it coming, either.

Spoiler alert: The scam fell apart when the allegedly Fortune 500 company lawyer with whom I was dealing didn’t know what a W-9 was, which prompted me to do some more digging. I learned that I was interacting with spoofed corporate email addresses, and a made-up client with a made-up LinkedIn page and a U.S. burner phone.

We then got a cashier’s check (from a Fortune 500 company? really?) that was obviously fake—missing digits from the routing number, mismatched fonts, no contact information from the issuing bank. The cover letter contained a blurry corporate logo and nonstandard English that was likely machine translated.

After that, my “client” asked after the check, and then asked if I could email him when it came in, because he was going to visit family overseas soon and we may need to make additional arrangements to wire him the proceeds. (That’s a tell right there as well.) I didn’t respond, and that was the last I’d heard from him.

Yep, scam.

What would have happened if we had kept going? I would have notified my “client” that the check had been received, and that when it had cleared the bank, we would disburse his funds. Chances are, the “client” would have then messaged from overseas, claiming some illness or funeral or other calamity necessitating funds and begging me to please, just this once, wire some money to him? It could have gotten worse from there -- if we had disbursed funds to the “client” that we didn’t have (or that we did have but were later discovered as fraudulent and reversed), we would have lost other client funds kept in trust and set into motion a cascade of notifications and potential rule violations.

We caught the scam before any money changed hands, so the only damage was to my ego. A better practice, of course, would have been catching it before signing up the “client” in the first place, but that’s not as easy as it used to be. Some of the hallmarks of fraud simply aren’t hallmarks anymore—years ago, we were told to be wary of cold contacts via the Web, out-of-state cell phones, and free email addresses, but that’s how many of us get the bulk of our business.  Googling someone who has either created or stolen a robust identity (including, in some cases, that of another lawyer) will not get you very far.

Still, with the particular scam I dealt with, the sophistication seems to be in the setup—the “con” part of the confidence scheme. Once the fraudster gains the mark’s trust, the whole thing turns into a fairly pedestrian trust account scam and falls apart. And at the very least, that’s where it’s especially important to be vigilant—know how to spot a bogus check (or enlist your bank to help). Don’t disburse funds that are not available, no matter what sort of sob story you’re given.

And even that might not be enough. Scammers are getting smarter.

Stay vigilant, sure. And ask your malpractice or commercial insurance carrier about crime/fraud insurance and whether it would cover losses occasioned by fraud, because even though you’re smart and you have a good B.S. detector and “this could never happen to you,” the scammer counts on you believing that, too.