Category: Financial Management

Fraud on Lawyers – A Small Measure of Satisfaction

I’ve written numerous warning posts about the email scams which have left lawyers throughout the U.S. and Canada out millions from their trust accounts.  See, for example,

Another Attorney Trust Account Hit By Online Fraud

It’s so hard to believe that lawyers — smart people all — continue to fall victim to this scam.  But the glamour of fast and easy money is too much and overrides the common sense of many.

When my latest issue of my ABA electronic news arrived, I was delighted to find a headline entitled “Nigeria Extradites Man Accused of Scamming Firms Out of 31M” — yes, folks, he’s on his way to the U.S. to face many counts of fraud.  Get out the pitchforks and torches, folks, this is going to be interesting.

Unfortunately, this is just scratching the surface of rounding up the evil-doers who have recently targeted law firms — particularly smaller firms.  Remember, it’s a dangerous world out there.  If it seems too good to be true, it probably isn’t!  Keep your guard up, and your trust account funds safe.

Process Credit Card Payments from Clients on Your Smart Phone or iPad

My colleague at the Law Society of British Columbia, David Bilinsky, has a much better title on his Thoughtful Legal Management blog post about a new phone app: “It’s Cool to Be Square.”  In it he describes Square as “a revolutionary service and device that turns a smart phone or iPad into a credit card point-of-sale terminal.”  (It works on Android in addition to Apple’s iOS.)  David encourages us to imagine the possibilities of being able to take credit card payments – anywhere, anytime – such as at the courthouse, at the client’s home, or at the client’s office.

“Launched by Twitter founder Jack Dorsey and Jim McKelvey, this little device stands to change how lawyers get paid.”  I couldn’t agree more, David.  In fact, after reading David’s post, I followed the provided link to Square’s security policy.  I was delighted to find they are fully PCI compliant.  Some of you may recall my post this past July entitled “PCI Compliance for Firms Which Accept Credit Card Payments,” which detailed the Payment Card Industry Data Security Standard (PCI DSS).  Those standards are written by the major card brands and imposed through your agreement with your card processor, not by federal legislation, and they apply to anyone who accepts credit cards, including lawyers and law firms.  One caveat: a compliant processor takes the card number out of your hands, which greatly reduces what your firm must do, but it does not make the firm compliant by itself.  You still have to complete the self-assessment questionnaire your processor requires and keep card numbers out of your own files, e-mail, and notes.

The fees for processing payments through Square are incredibly reasonable.  The app is free.  Check it out for yourself.  Unfortunately for David and most of his subscribers, the service is not yet available in Canada, which makes me even more grateful that he shared the information on his blog.

==========

To return to the main page of the blog, click here.  To return to the blog  Index, click here.

More on Bad Check Frauds

I read a blog post today written by one of my peers.  Sheila M. Blackford, the author, is an attorney and Practice Management Advisor for the Oregon State Bar Professional Liability Fund.  So here I come to post a link to it, and find that the last thing I wrote about on this blog was exactly the same topic.  Yes, it’s that important, or we wouldn’t keep repeating it.

I’ve been absent from the blog for a while.  A sudden need to provide care for a loved family member, on top of everything else, changed a few priorities in the interim.  Sadly, this blog had to wait for some semblance of normalcy to return; achieved by hiring 24-hour at-home caregiver service.  I make no apologies — I did what I had to do.

I will be blogging more about contingency plans, disaster prevention and recovery, and overload issues in upcoming posts.  The recent experiences have reminded me that there are certain areas which need to be talked about repeatedly, in order not to lose our vigilance and preparedness.  (And that means having a “Plan B” is not optional!)

Returning to the topic of this post, I suggest you take a moment to read Sheila Blackford’s post entitled “Bad Check Frauds: ‘Tis the Season for Lawyers to Be Wary” because it’s loaded with very practical information and suggestions on protecting your practice.

==========

SC Law Firm Loses $390k in Bogus Check Scam

Lawyers continue to fall victim to check fraud.  Smart lawyers.  Don’t be one of them.  My peers from various U.S. state bars and Canadian provinces are reporting that their members are regularly receiving invitations to become the next victim.  Right now collaborative law attorneys are targeted, but that can change in a heartbeat to virtually any practice area.  These are well-designed social-engineering schemes built around counterfeit bank cashier’s checks of very high quality.  Read more about it in a recent post on the “Avoid a Claim” blog of PracticePro, the professional liability insurer for Ontario, Canada.

Remember, if the deal seems too good to be true, e.g. you’re about to earn a huge fee for virtually no work from an unknown client, step back, take a deep breath, and check very carefully before disbursing any money from your trust account.  In particular, do not treat the funds becoming “available” in the account as proof that the check is good: under funds-availability rules the bank must credit you on a schedule, but a counterfeit cashier’s check can still be returned unpaid weeks later, and the bank will then charge the trust account for it long after your disbursement to the “client” has gone out.  Call the issuing bank at a number you look up yourself, not one printed on the check, and ask whether the item has actually been paid.

==========

PCI Compliance for Firms Which Accept Credit Card Payments

Does your firm allow or require clients to pay by credit card?  If so, you want to make sure you’re meeting the Payment Card Industry Data Security Standard (PCI DSS).  Despite what merchants are sometimes told, this is not federal legislation; it is a standard written by the major card brands and enforced through your agreement with your card processor.  The standards apply to anyone who accepts credit cards, including lawyers and law firms.  Montgomery County attorney Deborah Zitomer has generously allowed me to share her explanation regarding this topic, which is as follows:

 The person who manages my credit card payments told me that the compliance is a new requirement under the recently passed federal legislation regarding credit card companies.  If you take credit cards, you need to be in compliance with the credit card company’s standards and regulations or they can refuse to process payments for you, or can fine you. The standards apply to anyone who accepts credit cards for payments, so lawyers and firms need to be compliant!

Below is an excerpt about compliance and standards for those who accept credit cards as part of their practice.  You can also take a look at the website for PCI.

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.   All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.  Failure to meet compliance standards can result in fines from credit card companies and banks, and even the loss of the ability to process credit cards.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

1.  Maintain a secure network

This standard refers to the actual network that cardholder data resides upon. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye.  Do you keep cardholder data (even just names) on a laptop that you use on public networks?  Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer should be behind a firewall and all reasonable measures should be taken to protect that particular network.

2.  Protect Cardholder Data

This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can have access to it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

E-commerce businesses need to be especially attentive to the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard.

3.  Maintain a Vulnerability Management Program

This one is relatively simple, and translates to keeping up-to-date with your protection systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up-to-date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

4.  Implement Strong Access Control Measures

The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

5.  Regularly Monitor and Test Networks

Networks that store cardholder data must be monitored and tested regularly. Regular scans of security measures and processes, and monitoring and tracking of network access to cardholder data, are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert’s Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

6.  Maintain an Information Security Policy

Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it’s important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards.  Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated.

Deborah promises to take a closer look at the four validation ratings in the future, and when she does, she will hopefully allow me to share them as well.
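Two of the categories above are the ones a small firm can actually check with a script rather than a policy: whether card numbers are sitting in places they should not be (the laptop on a public network), and, under “Protect Cardholder Data,” whether any number the firm keeps has been rendered unreadable and is only ever displayed masked.  The Python example below is added here; it is not from the original post, from Deborah’s source, or from any PCI vendor.  It scans a text file for card numbers, uses the Luhn checksum that every branded card number satisfies to screen out docket numbers and phone numbers, masks each hit for display, and, for any record the firm must keep, replaces the number with a keyed one-way hash (HMAC-SHA256) so the card number itself is never stored.  The sample intake note and the two test card numbers are constructed, and the key in the example is a placeholder; in practice the key must live somewhere other than the data it protects.

```python
"""Card-number (PAN) hygiene checks for a law office's files.

Added example, not part of the original post. Finds card numbers that should
not be sitting in intake notes or spreadsheets, validates them with the Luhn
checksum, masks them for display, and tokenises them with a keyed hash so a
record can be kept without keeping the PAN. Sample data is constructed.
"""
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a client-intake note of the sort that ends up on a laptop.
# 4111... and 5500... are industry test numbers; the docket number is 16 digits
# but fails the Luhn check, and the phone number is too short to qualify.
SAMPLE_NOTE = """Client intake 2010-06-14: retainer paid by card 4111 1111 1111 1111, exp 12/12.
Opposing counsel phone 503-555-0142, docket 1234567890123456.
Second retainer card 5500-0000-0000-0004 - do not keep on file."""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. From the right, double every second digit, subtract 9
    from any doubled value above 9, and require the sum to be a multiple of 10.
    Screens out most digit runs that merely look like card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the card numbers found in text, separators removed, in order."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Masked form for display: only the last four digits visible
    (PCI DSS allows at most the first six and last four to show)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the whole PAN. Lets the firm recognise the same card
    across records without storing the number. An unkeyed hash would not do:
    once the issuer prefix is known the remaining digits are few enough to
    enumerate, so the secret key is what defeats a lookup attack."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scan(text: str, key: bytes) -> list:
    """One row per card number found: (masked form, token)."""
    return [(mask_pan(pan), pan_token(pan, key)) for pan in find_pans(text)]


if __name__ == "__main__":
    # Placeholder key for the demonstration; a real key lives in a separate secret store.
    demo_key = b"replace-with-a-key-kept-away-from-the-data"
    for masked, token in scan(SAMPLE_NOTE, demo_key):
        print(f"found {masked}  token={token[:16]}...")
```

Run against the sample note it reports the two real card numbers and ignores the docket and phone numbers.  Pointed at the firm’s document folders and mailbox exports, the same scan tells you where card data has leaked into ordinary files, which is the question the first category above is really asking.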

==========

Another Attorney Trust Account Hit By Online Fraud

Wow, I can’t believe it’s been more than two months since I’ve had a chance to post to the blog.  I want to thank those subscribers who wrote to me to inquire whether I was still alive and well, given my online absence.  Yes, I’m fine.  I’ve just been on the road a lot more than usual.

Is it coincidence that the last post concerned a fraud attempt upon an Oregon attorney, and I’m following up with another?  I don’t think so. 

The Florida attorney had her trust account hit for a significant sum.  She was willing to engage in online banking, thinking that the several layers of security provided by the bank itself would be sufficient to protect her accounts.  What she did not take into consideration was the very real threat of scumware (a/k/a spyware) being installed on her computer, arriving hidden in an email, and capturing her logon ID and passwords, which the criminals then used to access her trust account and make wire transfers out of it.  The transfers themselves were submitted surreptitiously through her own computer, so that the identifiers the bank’s system checks (e.g. the IP address) matched what it recognized as legitimate.

You should read this story which appeared in the June 15, 2010 edition of The Florida Bar News.  If you’re presently doing online banking, it will certainly give you pause.  It will also give you some food for thought about how to tighten security.  I noticed that the victimized attorney stated she had anti-virus software, but did not acknowledge having anti-spyware software.  And that’s the culprit that breached her security.

Anti-virus software alone isn’t sufficient protection.  It’s like brushing your teeth but never using dental floss or mouthwash.  Your dentist will tell you that the combination is what provides maximum protection.  Similarly, your firm should utilize a firewall, anti-virus and anti-spyware software, and should keep all of them up to date.  Two further measures are worth asking about, because no scanner catches everything: do your online banking only from a computer that is not used for email or general web browsing, and ask your bank whether it offers dual authorization or call-back verification for outgoing wires, so that a stolen password alone cannot move trust funds.

==========

More on Lawyers as Fraud Victims . . . With a Twist

It’s getting harder to keep track of the many frauds which are impacting lawyer practices.   You certainly have to remain vigilant.  I’ve just been informed of a new scheme.

This fraud alert is just in from Oregon.  It seems a fraudster has appropriated an attorney’s name, firm name, phone number, and address and then has debited three different bank accounts of individuals in different states with $10 debits purportedly from her.

The FTC advised the attorney that the $10 charges are test charges to see if the bank account holder is alert.  The fraudster would then clean out the bank account of anyone not paying attention.  The attorney found out about the charges when she was called by the individuals wanting to know what her debit was for.

Since the attorney is not herself a victim of theft, she was told nothing can be done on an official basis to protect her.  Likewise, the local police cannot assist because the financial victims are out of state.  Of course, the attorney is concerned about damage to her reputation, and the time and expense of dealing with all the issues which may crop up until her identity can be secured once again.

It seems that taking all the necessary steps to further protect herself from this identity theft is about the only avenue to pursue for this lawyer.  At least thus far.  For some excellent information on how to deal with identity theft, check out the information on the web site of the FTC.

==========

Did Michigan Attorney Watch One Too Many Episodes of LA Law?

In a disciplinary case which could have been ripped right out of an episode of the old TV drama “LA Law,” a Michigan attorney was suspended from practice for 180 days after a string of sensational allegations, including that he offered clients a “couch of restitution” to pay off their legal fees.

On Nov. 23, the Michigan Attorney Discipline Board affirmed findings of misconduct and imposed the 180-day sanction, a length the Board chose so that the lawyer will have to establish his fitness in reinstatement proceedings before he can practice again.

“Taking into consideration the range of professional misconduct in this case, we conclude that protection of the public, the courts and the profession requires that respondent be suspended for a sufficient period of time to ensure that he is not permitted to resume his standing as a member of the profession unless he is able to establish his fitness by clear and convincing evidence,” the opinion states.

It seems the attorney’s secretary was oblivious to his actions, according to her testimony.  But I rather doubt it.  As I think back on some of the more sensational headlines of the past few decades regarding cases of sexual misconduct, harassment, and so forth, what we usually find is a rather blatant pattern of behavior which is routinely ignored or even covered up by the offending party’s partners or coworkers. 

The time has come for firms to up their vigilance and work doubly hard to restore the ethical image of the profession.  See the article I wrote in June, 2007 entitled “Living With Integrity” in which I discuss this very issue.  Then ask what steps your firm has taken in the past few years to ensure it is doing all it can to practice with the highest level of integrity. 

It’s particularly important to revisit this now.  Why?  History tells us that when the economy is troubled and law firms are struggling for survival, short term profit improvement often outweighs ethical considerations.  It’s just so easy to justify a ride down the slippery slope when the firm’s very survival seems to be at stake.  Unfortunately, integrity is not something we can incorporate into our lives only when the bottom line is healthy and the economy is strong.  In fact, it’s the very manner in which one chooses to deal with difficult times that determines strength of character and organizational integrity.

Think about it.  It won’t make you rich.  But you will be a better person for it.

==========

Planning Your 2010 Budget for Postage

During these tight economic times, it seems everyone is going over their budget for 2010 with a magnifying glass.  What should you plan for in postage increases?

Many of you will be relieved to know that Postmaster General John E. (Jack) Potter made a definitive announcement regarding 2010 rates for First Class Mail, Periodicals, Standard Mail and Parcel Post.  There will be no increase for these services in 2010.

Competitive products (Priority Mail, Express Mail, Parcel Select, and most international products) are under consideration for an increase.  An announcement is anticipated in November.

==========

Online Banking and the Next Generation of Trojans

A news report posted on September 29, 2009 on CNET News revealed what security experts referred to as the “next generation” of banking Trojan.  The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions.

The software is programmed to calculate on the fly how much money to steal from an account based on how much money is available.  While the computer user goes about his or her business on the banking site, the Trojan looks at the available balance and figures out how much money to steal.  The Trojan is configured with a minimum and a maximum amount, both below the threshold that triggers the bank’s antifraud systems, and with a percentage of the balance to leave untouched in the account.

After performing the calculation, the Trojan makes the transfer itself, communicating with the bank site through the browser without the user’s knowledge.  It then hides the theft by erasing it from the account activity displayed to the user and shows a fake balance, the amount the account would hold if not for the theft.  The victim will not notice that something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.

Think you’re safe if you use a browser other than Internet Explorer?  Think again.  It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera.  The Trojan can come via a number of avenues, including malicious JavaScript or an Adobe PDF, or visiting an infected site.  About 90,000 computers visited the sites housing the malware and 6,400 of them were infected: a 7.5 percent success rate. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts.

The good news — for now — is that the Trojan was designed to target customers of unnamed German banks.  But this new level of sophistication will definitely be showing up again.  This is the first reported Trojan that hijacks a victim’s browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying the information displayed to the victim, all in real time.  The Trojan also keeps a log of the victim’s bank account login credentials, takes screenshots, and snoops on the user’s other Web accounts, such as PayPal, Facebook, and Gmail.

What defense do you have?  Keep your antivirus, operating system, browser and other software up to date, meaning be sure to install all security patches.  Be careful about visiting unknown web sites, which are sometimes designed to infect visitors.  Even legitimate sites might be an unknowing host to a nasty payload.  And because this Trojan falsifies what the browser shows you, do not rely on the screen in front of you to confirm your balance: reconcile the trust account against a statement obtained some other way (a different computer, the branch, or the bank’s telephone line), and do it often enough that a theft cannot sit unnoticed for a month.
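What the Florida attorney’s spyware, the $10 test debits in the Oregon alert, and URLZone have in common is that the compromised computer cannot be trusted to tell you what happened to the account; URLZone goes as far as rewriting the balance and activity the browser displays.  The dependable check is to compare your own record of what you authorized against the bank’s record obtained through another channel.  The Python example below is added here and is not from the original post, from CNET, or from any bank; it reconciles a trust ledger against a bank statement, matching entries by amount, and reports every debit the ledger never authorized, singling out small ones of the kind the FTC described as test charges.  Both CSV extracts are constructed, as are the column names and the $25 probe threshold; a firm would export its real ledger and statement in whatever format its accounting software and bank produce.

```python
"""Out-of-band reconciliation of a trust account.

Added example, not part of the original post. Compares the firm's ledger (what
the lawyer actually authorised) with the bank's record obtained on a machine
other than the one used for online banking, and lists every bank debit the
ledger cannot explain. Sample data, column names and the probe threshold are
constructed for the demonstration.
"""
import csv
import io
from decimal import Decimal

# Constructed: the firm's trust ledger for the month.
LEDGER_CSV = """date,description,amount
2010-06-01,Deposit - Smith retainer,15000.00
2010-06-03,Check 1042 - court filing fee,-350.00
2010-06-08,Wire - Jones settlement,-5000.00
2010-06-10,Check 1043 - expert witness,-1200.00
"""

# Constructed: the bank's statement for the same period, downloaded on a clean
# computer. Two debits here were never entered in the ledger.
STATEMENT_CSV = """date,description,amount
2010-06-01,DEPOSIT,15000.00
2010-06-03,CHECK 1042,-350.00
2010-06-05,ACH DEBIT TEST,-10.00
2010-06-08,WIRE OUT,-5000.00
2010-06-09,WIRE OUT INTL,-4200.00
"""

# Unexplained debits at or under this size are flagged separately: small
# "test" charges often precede a larger theft. Threshold is an assumption.
PROBE_THRESHOLD = Decimal("25.00")


def load_entries(csv_text: str) -> list:
    """Parse a CSV extract into (date, description, Decimal amount) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["date"], row["description"], Decimal(row["amount"])) for row in reader]


def reconcile(ledger_csv: str, statement_csv: str, opening_balance: str = "0.00") -> dict:
    """Match bank entries to ledger entries by amount (descriptions differ between
    the two systems) and report what is left over on each side."""
    ledger = load_entries(ledger_csv)
    statement = load_entries(statement_csv)

    # Multiset of ledger entries keyed by amount; each bank entry consumes one.
    unmatched_ledger = {}
    for entry in ledger:
        unmatched_ledger.setdefault(entry[2], []).append(entry)

    unexplained = []
    for entry in statement:
        bucket = unmatched_ledger.get(entry[2])
        if bucket:
            bucket.pop(0)
        else:
            unexplained.append(entry)

    # Ledger items the bank has not shown yet, e.g. a check still outstanding.
    outstanding = [e for bucket in unmatched_ledger.values() for e in bucket]

    opening = Decimal(opening_balance)
    ledger_balance = opening + sum((e[2] for e in ledger), Decimal("0"))
    bank_balance = opening + sum((e[2] for e in statement), Decimal("0"))
    unexplained_debits = [e for e in unexplained if e[2] < 0]

    return {
        "ledger_balance": ledger_balance,
        "bank_balance": bank_balance,
        "unexplained_debits": unexplained_debits,
        "probe_charges": [e for e in unexplained_debits if -e[2] <= PROBE_THRESHOLD],
        "unexplained_credits": [e for e in unexplained if e[2] > 0],
        "outstanding": outstanding,
    }


if __name__ == "__main__":
    result = reconcile(LEDGER_CSV, STATEMENT_CSV)
    print(f"ledger says {result['ledger_balance']}, bank says {result['bank_balance']}")
    for date, desc, amount in result["unexplained_debits"]:
        tag = "POSSIBLE TEST CHARGE" if (date, desc, amount) in result["probe_charges"] else "UNAUTHORISED?"
        print(f"{date} {desc:<30} {amount:>10}  {tag}")
    for date, desc, amount in result["outstanding"]:
        print(f"{date} {desc:<30} {amount:>10}  outstanding, not yet on statement")
```

On the sample data it reports a ledger balance of 8,450.00 against a bank balance of 5,440.00; the outstanding check explains 1,200.00 of the gap, and the $10 “test” debit and the $4,200 international wire account for the rest.  A comparison like this only has value if the statement side comes from somewhere the infected computer cannot influence.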

==========
