Hackers loot lawyer’s trust account
‘Trust no one; maintain a high degree of skepticism; and review your bank accounts daily’
It was a typical Monday at the office for Kimberly Graus, until she made a chilling discovery. Someone hacked her computer, gained control of her passwords, and emptied $35,000 out of her trust account.
“It is horrible,” said Graus, a sole practitioner in Bradenton who has been working feverishly since the May 10 heist to mitigate the damage.
“These unauthorized wires were sent from my bank account through my bank’s online system, which has three layers of password logins that must be made before a wire can be sent,” Graus said.
“The bank says my IP address was the source of the wire order, but since I did not do it, it is likely that someone hacked my system and stole my passwords as I logged them in.”
In all, the hackers made four wire transfers out of Graus’ trust account. Quick work by Graus and the security team at Superior Bank in Bradenton was able to pull back three of the four electronic transfers — which will eventually be returned to Graus — but was too late to intercept a $9,500 transfer to somewhere in Ukraine.
It took Graus 10 days to secure loans to cover the trust account thefts. She also quickly notified her clients, creditors, malpractice insurance carrier, title insurance underwriter, and the Bar about the security breach. Graus also hired computer forensic experts to determine what went wrong.
Yet, she still considers herself somewhat fortunate in that she was hacked in the afternoon instead of that morning, when she had successfully wired out more than $400,000 from her trust account to pay off two mortgages for clients.
If the criminals had acted before that money had been disbursed, it probably would have bankrupted her practice, she said.
Could Have Been Worse
“If someone hadn’t been watching over me, it could have been $450,000,” Graus said. “As it stands now, in all I will have lost $10,000 for the one that got away, the $1,000 or so it will cost me for the computer forensic analysis, and the cost of a new laptop I have to buy to solely handle my banking.”
She also had numerous checks returned while she scrambled to re-fund her accounts and lost weeks of productivity dealing with the aftermath of the crime.
“I had to shut down all my accounts and open new ones, order new bank cards, stop automatic payments that are set to those old accounts, and order new checks,” said Graus.
Now she fears losing the trust of her clients and others she does business with.
And to top it off, Superior Bank is adamant it bears no responsibility for the theft.
“They have not given me a specific legal position, but I did a little bit of basic research, and the case law seems to be coming down that if the bank has sufficient security measures in their systems. . . and the [wire transfer authorization] comes from the customer’s computer, the bank is not liable for the loss.”
Regardless of the source of the loss, Bar rules are clear that attorneys must cover all stolen trust money, said Clem Johnson, an auditor for the Bar’s lawyer regulation office in Tampa.
“When a client hires an attorney and hands money over, the attorney is responsible for that money until it is put to the use the client intended,” said Johnson, a CPA. “So as long as the attorney is the custodian — no matter what happens to the money — the client looks to the attorney for those funds. And if anything happens to the money, the attorney still has to replace those funds and do what the client instructed.”
Johnson said Graus did everything right after noticing the money was missing by immediately contacting her bank and law enforcement while the scammer’s trail was still hot.
“We all thought online banking was safe, with all the multiple levels of log-ins and passwords,” Graus said. “Most of us also believed that banks cover theft such as this. But none of that turns out to be true.”
Johnson said any lawyers who use online banking should review every transaction that goes through their account every day.
“It is scary out there, is what it comes down to,” Johnson said. “Trust no one; maintain a high degree of skepticism; and review your bank accounts daily.”
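Johnson’s advice to review every transaction daily can be automated as a reconciliation of the bank’s statement export against the firm’s own disbursement ledger, so that any debit a signatory did not authorize is flagged the same day rather than discovered after the wire has left the country. The Python script below is an added example, not code from the article, the bank, or the Bar; the CSV column names, the transaction types and every transaction in it are constructed (the four unauthorized amounts loosely mirror the $35,000 in wires described above).

```python
"""Daily trust-account reconciliation: compare the bank's statement export
against the firm's own disbursement ledger and flag every outgoing transaction
the firm did not authorize.  Added example; the column names, transaction
types and every row below are constructed, not taken from any real bank."""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed bank export for one day (column names are an assumption).
STATEMENT_CSV = """date,type,amount,counterparty,reference
2010-05-10,WIRE_OUT,210000.00,First Mortgage Co,PAYOFF-1041
2010-05-10,WIRE_OUT,195000.00,Second Lender LLC,PAYOFF-1042
2010-05-10,WIRE_OUT,9500.00,Overseas Recipient,INV-77
2010-05-10,WIRE_OUT,8500.00,Money Services Co,INV-78
2010-05-10,WIRE_OUT,8500.00,Money Services Co,INV-79
2010-05-10,WIRE_OUT,8500.00,Money Services Co,INV-80
2010-05-10,CHECK,1500.00,Clerk of Court,CK-4410
2010-05-10,DEPOSIT,2500.00,Client Retainer,DEP-9
"""

# Constructed firm ledger: the disbursements a signatory actually approved.
LEDGER_CSV = """date,amount,counterparty,reference
2010-05-10,210000.00,First Mortgage Co,PAYOFF-1041
2010-05-10,195000.00,Second Lender LLC,PAYOFF-1042
2010-05-10,1500.00,Clerk of Court,CK-4410
"""

# Statement types that move money out of the account (assumed names).
DEBIT_TYPES = {"WIRE_OUT", "CHECK", "ACH_OUT"}


def cents(amount_text):
    """Money as integer cents; Decimal avoids float rounding on '8500.00'."""
    return int(Decimal(amount_text) * 100)


def read_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def key(row):
    """Matching key: same day, same amount, same reference string.
    A wire the firm never issued carries a reference the ledger never had."""
    return (row["date"], cents(row["amount"]), row["reference"].strip())


def unauthorized_debits(statement_csv, ledger_csv):
    """Return statement debits with no matching ledger entry.

    Matching is multiset-based: two identical authorized $8,500 wires need two
    ledger entries, so a legitimate payoff re-sent twice still shows up once.
    """
    authorized = Counter(key(r) for r in read_rows(ledger_csv))
    flagged = []
    for row in read_rows(statement_csv):
        if row["type"] not in DEBIT_TYPES:
            continue  # deposits are reconciled by a separate check
        k = key(row)
        if authorized[k] > 0:
            authorized[k] -= 1
        else:
            flagged.append(row)
    return flagged


def daily_report(statement_csv, ledger_csv):
    """Summarize the day's unauthorized debits: count, total in cents and the
    references involved.  Returned rather than printed so a scheduled job can
    page someone whenever total_cents is non-zero."""
    flagged = unauthorized_debits(statement_csv, ledger_csv)
    return {
        "count": len(flagged),
        "total_cents": sum(cents(r["amount"]) for r in flagged),
        "references": [r["reference"] for r in flagged],
    }


if __name__ == "__main__":
    for r in unauthorized_debits(STATEMENT_CSV, LEDGER_CSV):
        print(f"UNAUTHORIZED {r['type']} {r['amount']:>10} "
              f"{r['counterparty']} ({r['reference']})")
    report = daily_report(STATEMENT_CSV, LEDGER_CSV)
    print(f"{report['count']} unauthorized debit(s), "
          f"total ${report['total_cents'] / 100:,.2f}")
```

Matching on date, amount and reference is deliberately strict: a debit that differs from the ledger in any of the three is reported, and the ledger entry is consumed once matched so a duplicated wire cannot hide behind a single authorization. Run against the constructed data, the script reports the four wires totalling $35,000 and leaves the two mortgage payoffs and the check alone. This check complements, rather than replaces, the view-only access and dedicated banking machine recommended later in the article: those reduce the chance of a theft, but only a daily reconciliation detects one while the transfers can still be recalled.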
Judith Equels, director of The Florida Bar’s Law Office Management Assistance Service, said Graus’ experience is the first she’s heard of an outside hack into a firm’s computers. But, she said, there have been plenty of instances of internal “hacking,” whereby a lawyer or staffer gains online access to the firm’s accounts and embezzles funds.
Equels said she takes an “old-fashioned” approach to law firm internal controls for banking procedures: Don’t do it online.
“A person can handle his or her personal account via online banking — after all, it’s their money,” Equels said. “However, I do not believe in online banking for the law firm’s accounts, especially the trust account.”
Equels said banks encourage online processing of banking tasks — such as checking balances, seeing if a deposit or check has cleared, making deposits through a bank’s online scanning system, internal bank transfers, and wire transfers — because it makes the bank’s operations more efficient: no bank employee is involved on their side of the activity.
“Unfortunately, the account logon and password is, in effect, a signature,” Equels said. “Very few people memorize log-on names and passwords; they write them down somewhere. Once a method for moving money has been activated that does not require the original signature of an authorized signatory on the account, a breach in security has been set in place; the breach lies fallow until a fraudster finds it and takes the advantage.”
Equels said LOMAS recommends that if online bank account access is used by the firm, that it be restricted to “view only” and that the ability to conduct live transactions should be disabled.
“In this way, an attorney or employee may see the balance, check to see if a check or deposit has cleared, etc., but no one is authorized to process transactions — moving money in or out of the account — online,” Equels said.
“When configuring online bank account access, the firm can ‘hide’ the ability to access the ‘cash manager’ feature, thereby restricting access to just viewing the account history but restricting access to making any transactions.”
Jerry Sullenberger, a LOMAS practice management advisor, added that in addition to the internal limitations a firm establishes, the firm can also instruct the bank in writing that no transfers — wire or otherwise — be made without the bank having hard-copy written authorization signed by an account signatory for any transfer request.
“This might serve to put responsibility for ‘hacked’ wire transfers back onto the bank,” Sullenberger said.
Equels admits her low-tech safeguards “are not always well-received, especially by younger attorneys who are accustomed to conducting business over the Internet.”
No security protocol is complete without addressing human resources and technology internal controls, Equels said.
“A theft of the firm’s data or funds, or clients’ funds, may happen from within the firm or from an outside hack,” Equels said. “Law firms and solo practitioners should have a policy in place that requires background checks on potential employees and agents.”
Equels said the FDLE can perform a criminal background check, and many payroll service companies offer this service to their customers.
A “clean desk” policy also is a smart addition to a firm’s security protocol, Equels said, meaning that each evening every employee locks up all sensitive papers and turns computers off.
Graus said her computer consultants told her the malware on her system most likely arrived in a seemingly benign e-mail and captured her passwords as she logged in to her trust account, despite the presence of standard anti-virus software.
She was also told it would be cheaper to buy new computers than to try to scrub the infected machines. The bank’s security team said another way to minimize risk is to have one computer solely dedicated to online banking. That means not using that computer to send or receive e-mails or access the Internet for any purpose other than online banking.
“While it might seem expensive, I can tell you that one loss like the one I’m suffering puts it all in perspective,” she said.
About that $10,000
Graus said she contacted her local sheriff’s department about the theft, which put her in touch with the FBI.
But, Graus said, the feds “gave her the runaround” because the pilfering wasn’t big enough to gain their interest, which she was told needed to reach a threshold of $70,000.
“If they had managed to steal the $400,000 that morning, that might have gotten their attention,” Graus said.
Superior Bank’s security team was able to track down a woman in Mississippi who facilitated the $10,000 transfer to Ukraine. She runs a business that acts as an online money manager. She receives transfers, takes out a fee, and then wires the money on. The woman claims she did not know it was not a legitimate transaction, Graus said.
The Mississippi Attorney General’s Office tried to talk Graus out of prosecuting the woman, saying she too was probably duped, and, in any case, didn’t have the money anymore. The best Graus could hope for was something like $20 a month in restitution.
“I told them I frankly don’t care,” Graus said. “Whether they were duped or not, I can’t believe they are that stupid. And if they are that stupid, then there ought to be some example made of people so they stop being so stupid.”
Graus said lawyers are great targets for these types of scams because they do hold large sums of money for clients. Johnson agrees, saying crooks intent on pilfering online accounts act fast.
“They don’t take $10 a day for 1,000 days,” Johnson said. “They take all the money at once.”
Graus said she was blindsided because she didn’t realize the dangers involved in online banking.
“I thought with all the bank levels of security it was a perfectly reasonable way to maintain my trust account,” Graus said.
“I no longer believe that. Now, whether I keep my operating accounts where I can see them online is one thing, but my trust accounts will never be online again.”