Hacked Law Firm Can’t Get Back $580,000 After CEO Fraud Attack


Max Mitchell at Law.com has an interesting and rather painful story. It involves a hacker, a law firm CEO who fell for a very good fake email, a giant bank transfer, and a failed lawsuit against that bank. Don’t let a CEO fraud attack happen to your law firm. Read this cautionary tale and learn how Savvy can help at the bottom of this story.

A federal judge has dismissed the lawsuit that a Bucks County law firm brought against Bank of America for failing to stop a wire transfer of more than $500,000 that followed the hacking of one of the firm’s principals through a sophisticated CEO fraud phishing email.

Law Firm Failed to Show That the Bank Breached Agreement

U.S. District Judge Harvey Bartle of the Eastern District of Pennsylvania dismissed the lawsuit that O’Neill, Bragg & Staffin brought against Bank of America, finding that the firm failed to show that the banking institution breached any agreement, violated federal regulations, or breached the Pennsylvania Commercial Code.

“What is alleged to have happened to the law firm here is indeed unfortunate. The computer hacker, of course, is the real culprit, but is not a party to this lawsuit,” Bartle said. “For the reasons stated above, as between the law firm and the bank, the law firm must bear the loss on the facts set forth in the amended complaint.”

O’Neill, Bragg and its principals filed a lawsuit in federal court in Philadelphia against Bank of America, claiming the bank was responsible for the damage done after hackers used deceptive emails to dupe a member of the firm into transferring more than a half-million dollars to the Bank of China.

Cautionary Tale of CEO Fraud Attack

The hacker posed as a partner of the firm, Gary Bragg, according to the complaint, and emails involved a loan transaction of which the hacker seemed to have intimate knowledge.

In the correspondence, the hacker addressed partner Alvin Staffin by his nickname, Mel, making the ruse even more convincing, and asked for a $580,000 transfer from the firm’s IOLTA sub-account to the Bank of China. This is how sophisticated CEO fraud attacks have become!

Bank of America made the transfer at Staffin’s request. After the transfer was made, Staffin called Bragg to discuss it, finding out only then that Bragg had no knowledge of the $580,000 request.

“Staffin realized [the firm] had been victimized by a computer hacker, and immediately notified [Bank of America] of the fraud,” the complaint said. Judge Bartle, however, determined that the request to cancel the transfer, which came just over an hour after the transfer was confirmed, did not qualify as a “valid and timely stop payment order.” 

You can read the full story on Law.com.

This is another painful example of a CEO fraud attack (also known as Business Email Compromise, or BEC), one that could easily have been prevented by new-school security awareness training.

Savvy and KnowBe4

If you are looking for a turn-key way to train your law firm’s employees to recognize and report phishing attempts, contact Savvy today. We are a preferred provider of all KnowBe4 training products and services. And we are the number-one certified partner for the legal industry.

And if you’ve been struggling to get upper management to commit themselves to security awareness training, forward this story to them!
