Business acquisition, Escrow Attorney email account hacked, fraudulent info.

[apat0258]

What is the name of your state (only U.S. law)? FL

Hi - We are at the Closing stage of a business acquisition and the Closing Attorney's email was hacked. The scammer sent what looked to be a legitimate email from the Closing Attorney's email account and sent fraudulent wire instructions.

A wire was sent by my lender's bank to the fraudulent wire instructions and those funds are now gone. The Seller and I want to put in a claim to the Closing Agent's malpractice insurer. Do we have legal recourse since the Closing Attorney's email was hacked and fraudulent information was sent? What recourse do we have and what is the best way to proceed?

Thank you

 

[quincy]

What is the name of your state (only U.S. law)? FL

Hi - We are at the Closing stage of a business acquisition and the Closing Attorney's email was hacked. The scammer sent what looked to be a legitimate email from the Closing Attorney's email account and sent fraudulent wire instructions.

A wire was sent by my lender's bank to the fraudulent wire instructions and those funds are now gone. The Seller and I want to put in a claim to the Closing Agent's malpractice insurer. Do we have legal recourse since the Closing Attorney's email was hacked and fraudulent information was sent? What recourse do we have and what is the best way to proceed?

Thank you

Unless the Closing Attorney hacked his own email account, there is no malpractice. Your bank, however, should be insured for the fraudulent transfer.

Ultimately, though, it is the hacker from whom you will need to seek legal relief.

 

[apat0258]

Isn't the sending of the fraudulent information from his account negligent? Especially, if it comes to light that he did not have necessary safety precautions in place to prevent this?

 

[quincy]

Isn't the sending of the fraudulent information from his account negligent? Especially, if it comes to light that he did not have necessary safety precautions in place to prevent this?

Are you thinking that there should have been a policy in place with the bank so that transfers of a certain dollar amount would require confirmation or possibly a two-person sign-off on the transfer? If there wasn't a policy in place, one certainly could have been smart.

But it is hard to protect against devious hackers. Usually the fraudulent wire transfers will start with a simple phishing scam (originating overseas) and it takes off from there.

Many companies are insured for large losses but, even with widely publicized cases like Ubiquiti Networks (which had $46.5 million stolen in a fraudulent wire transfer), companies still may not have taken the steps necessary to become adequately insured against all cyber-crooks. If the company has a cyber-insurance policy, it could cover the funds that were lost in the transfer. If the transfer was authorized in-house by an employee (intentionally or otherwise), however, the insurance may not pay out.

If your situation involves a lot of money, you would be smart to discuss the matter with the attorney involved to see if the losses are covered (perhaps by a "fraudulent instruction insurance" policy, although these policies are not yet common). You can then, depending on what is discovered, consult with your own attorney for a personal review.

 

[apat0258]

Are you thinking that there should have been a policy in place with the bank so that transfers of a certain dollar amount would require confirmation or possibly a two-person sign-off on the transfer? If there wasn't a policy in place, one certainly could have been smart.

But it is hard to protect against devious hackers. Usually the fraudulent wire transfers will start with a simple phishing scam (originating overseas) and it takes off from there.

Many companies are insured for large losses but, even with widely publicized cases like Ubiquiti Networks (which had $46.5 million stolen in a fraudulent wire transfer), companies still may not have taken the steps necessary to become adequately insured against all cyber-crooks. If the company has a cyber-insurance policy, it could cover the funds that were lost in the transfer. If the transfer was authorized in-house by an employee (intentionally or otherwise), however, the insurance may not pay out.

If your situation involves a lot of money, you would be smart to discuss the matter with the attorney involved to see if the losses are covered (perhaps by a "fraudulent instruction insurance" policy, although these policies are not yet common). You can then, depending on what is discovered, consult with your own attorney for a personal review.

I'm thinking more in terms of the responsibility of the Escrow Agent to ensure, as a trusted agent, he would take the utmost precaution to ensure his "MSN" email account isn't hacked. The agent is still refusing to accept responsibility.

The good thing was that the wire was split into two by my lender's bank and that the lost amount was small. There is still a loss of money. Instead of the bank, who was following instructions which were legitimate in their eyes since the account numbers were verifiable and the account was not a known fraud account at the time of the transfer initiation instruction from my lender, it should be the party that sent the instructions. In that chain, the bank would look at me, and I would point to the Escrow Agent that sent the instructions. To me, who is going to be responsible for the money, regardless of loss or not, the Escrow Agent is the one who sent the instructions and is at fault. There is an assumption that the Escrow Agent's account was hacked. He has submitted no proof of being hacked.

Yes, in theory, the ultimate fault lies with the scammer. However, the chain has to end somewhere palpable for me and the Seller, and that is the Escrow Agent. Now, the Escrow Agent can point to the hacker, and that would be between his insurance and him to find / prosecute.

 

[quincy]

I'm thinking more in terms of the responsibility of the Escrow Agent to ensure, as a trusted agent, he would take the utmost precaution to ensure his "MSN" email account isn't hacked. The agent is still refusing to accept responsibility.

The good thing was that the wire was split into two by my lender's bank and that the lost amount was small. There is still a loss of money. Instead of the bank, who was following instructions which were legitimate in their eyes since the account numbers were verifiable and the account was not a known fraud account at the time of the transfer initiation instruction from my lender, it should be the party that sent the instructions. In that chain, the bank would look at me, and I would point to the Escrow Agent that sent the instructions. To me, who is going to be responsible for the money, regardless of loss or not, the Escrow Agent is the one who sent the instructions and is at fault. There is an assumption that the Escrow Agent's account was hacked. He has submitted no proof of being hacked.

Yes, in theory, the ultimate fault lies with the scammer. However, the chain has to end somewhere palpable for me and the Seller, and that is the Escrow Agent. Now, the Escrow Agent can point to the hacker, and that would be between his insurance and him to find / prosecute.

Although there are precautions that should be taken by all companies so that hacking is made more difficult, it is not always so easy to point fingers at anyone but the hacker. Here, from last year, is an FBI Alert that was issued on business email being compromised - https://www.ic3.gov/media/2015/150122.aspx - so the problem has been recognized for some time. Many companies have responded to this widely issued alert by tightening up security and getting more insurance to cover any losses that might occur.

Insurance companies may refuse to cover these losses if an employee is "involved" in the transaction - but here is a link to State Bank of Bellingham v. BancInsure, Inc, filed in May of this year over an unauthorized wire transfer. The Court Opinion may be interesting for you to read: http://media.ca8.uscourts.gov/opndir/16/05/143432P.pdf

From the Court in Bank of Bellingham: " ... an illegal wire transfer is not a 'foreseeable and natural consequence' of the bank employees' failure to follow proper computer security policies, procedures, and protocols ... The 'overriding cause' of the loss Bellingham suffered remains the criminal activity of a third party."

The funds that have been fraudulently transferred, if the losses cannot be recovered through insurance, then must be recovered from the person(s) in whose account the money now sits (i.e., the hacker). This proves difficult if not impossible in most cases.

 

[Zigner]

On the wire transfer web page, my bank CLEARLY warns me to actually SPEAK to the person I am wiring funds to because emails can be hacked.

 

[quincy]

On the wire transfer web page, my bank CLEARLY warns me to actually SPEAK to the person I am wiring funds to because emails can be hacked.

I think that there have been enough publicized cases of fraudulent wire transfers leading to major losses for companies that businesses that do frequent wire transfers should now be aware of them and act cautiously and be adequately insured. The insurance policies should be carefully looked at and then tailored specifically to make sure the type of losses suffered by fraudulent transfers will be covered.

But regardless of any precautions taken, hacking happens.

The hackers involved tend to be clever. And they are getting awfully rich with their cleverness.

Reports on fraudulent wire transfers can be made to the Internet Crime Complaint Center and the FBI will investigate: https://www.IC3.gov

 

[apat0258]

I think that there have been enough publicized cases of fraudulent wire transfers leading to major losses for companies that businesses that do frequent wire transfers should now be aware of them and act cautiously and be adequately insured. The insurance policies should be carefully looked at and then tailored specifically to make sure the type of losses suffered by fraudulent transfers will be covered.

But regardless of any precautions taken, hacking happens.

The hackers involved tend to be clever. And they are getting awfully rich with their cleverness.

Reports on fraudulent wire transfers can be made to the Internet Crime Complaint Center and the FBI will investigate: https://www.IC3.gov

Thank you for the IC3 website. That is very helpful.

 

[quincy]

Thank you for the IC3 website. That is very helpful.

You're welcome, apat0258. I hope that the neer-do-wells are located and you are able to recover your funds. Good luck.