It started with an email.
The electronic missive was from someone claiming he was owed money by a Lancaster company where he had lost his job. The recipient, attorney Paul Adams, invited the purported client to a meeting at his firm, Shumaker Williams in Camp Hill.
The client never came into the office, but a check for $350,000 did. The anonymous voice behind the email told Adams to deposit it into the firm’s trust fund, deduct the firm’s fees and wire him the difference.
The check looked legitimate, and the company in Lancaster was real. But Adams, who also teaches banking regulation, knew something didn’t smell right. He alerted authorities instead of wiring the funds.
Adams escaped a complicated scam targeting hundreds of law firms across the country.
He was one of the lucky ones. Firms that fell victim to the scam, including at least one in the midstate, collectively lost tens of millions of dollars. And although authorities have already charged several of the scammers, they believe others connected to them are still shooting out their fake emails and fake checks, waiting for other firms to take the bait.
Consumer advocates often advertise the risks fraudsters pose to populations considered less internet-savvy, like the elderly. Well-educated professionals, like attorneys, might seem like they should know better.
But today’s fraudsters are more sophisticated. Even as the public better learns to spot red flags online, scammers are just as quickly learning how to break the protections they put in place.
And when that happens, just about anyone — even a lawyer or a CEO — is little more than one misstep away from becoming the next victim.
Scammers getting smarter
Adams guesses he sees probably 10 cyberscams of some sort every week. These frauds don’t usually target him as a lawyer in the way the fake check scheme did; rather, they target just about anyone using the internet.
There are lottery scams, IRS scams and the infamous “Nigerian prince” scam in which the fraudster claims to be some sort of royalty temporarily in need of a few bucks.
Most of these schemes are run through some sort of well-organized enterprise, often overseas, said Adams, who received training on the topic from the American Bar Association. Networks of criminals send out huge numbers of feelers, knowing that although most people are unlikely to fall for the trick, someone eventually will.
And these scammers are getting smarter than they were in the days when dial-up internet was in vogue.
“All these products we’re using to keep this stuff from getting in, these people are finding products to break it,” said Pamela Mahoney, director of information technology for RKL LLP, a Manheim Township-based accounting and consulting firm.
These criminal innovations go beyond the high-tech software today’s criminals create to bypass anti-virus shields and install malicious software on victims’ computers. In some more sophisticated cases, fraudsters might go as far as to mimic a friend or co-worker’s way of signing off on an email to make it seem more authentic, said Bethany Novis, who works with clients to resolve fraud issues as leader of RKL’s business consulting services group.
Scammers also prey on the psychology of the internet age. Almost everybody communicates by email, but few people want to bother a co-worker or sound incompetent by making a call to verify an email’s authenticity.
“These scams prey on the fact that you’re going to be a little timid,” Novis said.
Smaller firms can especially fall prey to fraudsters. Without the benefit of an IT department or technology to screen emails for malicious links, small-business owners might just be too busy to keep track of the latest security threats.
Foreign criminal enterprises are not the only scammers taking advantage of the anonymity of email. Employees also sometimes swindle companies’ resources by pretending to be somebody they are not, as evidenced by a fake-vendor scheme Novis once saw.
It worked like this: The employee created a fake company and told the boss that it was someone from whom the business was buying supplies. In the past, the boss might have met the vendor face-to-face, but because this fake company was purportedly headquartered overseas, all of the transactions happened online.
The employee ultimately got away with $100,000 before somebody started asking questions.
Preventing human error
F&M Trust periodically sends its employees fake emails or introduces them to fake vendors as part of its fraud-training program, said Tim Henry, CEO of the Chambersburg-based bank.
It’s one of the many steps the bank and others like it are taking to prevent the kinds of human error-based security risks that no anti-virus or IT department can protect against.
The fear of a big scheme targeting financial institutions is maybe one of the most ubiquitous among bankers, coming up time and time again at industry panel discussions and gatherings.
Nothing like the law firm fake-check scam has hit the banking industry — at least not yet, said Robert Kafafian, president and CEO of The Kafafian Group. That likely has much to do with the fact that regulators’ tight hold on the industry forces financial institutions to invest heavily in cybersecurity.
Kafafian doubts anyone, even banks, can be completely bulletproof. The next financial crisis might very well result from someone figuring out how to crack that thick wall of security.
Companies in all industries, though, can take steps to protect themselves from would-be fraudsters.
The first step is usually training employees about the kinds of risks to watch out for, Novis said. But that in itself can prove difficult in an age when people, especially educated professionals, scoff at the idea that someone with a fake email could pull a fast one on them.
“It used to be that cybersecurity was really interesting to everybody because it was really new,” Novis said. “I do think it’s a bit saturated now.”
Law firms targeted
Between 2008 and 2010, an international network of sophisticated fraudsters stole tens of millions of dollars from hundreds of U.S. lawyers, including at least two in the midstate.
How did they trick so many trained professionals into believing they were real clients sending real checks?
Here’s how the scam played out, according to court documents and government news releases.
How it works
Scammers operating outside the U.S. would contact attorneys through fake email accounts claiming to need help collecting money from a person or business in the U.S. or Canada.
When the attorney agreed to represent them, they would send a fake check and instruct the attorneys to deposit the money into their firm’s trust funds, subtract their legal fees, then wire the difference to Asian bank accounts. Co-conspirators in Asia would then withdraw the money and distribute it to the criminals’ bank accounts before the checks were returned as fraudulent. The fake checks looked realistic, and phone numbers listed on them often went directly to people involved in the scheme if firms called to verify their authenticity.
• Henry Okpalefe, 49, of Canada. He was convicted in March of conspiracy to commit mail fraud, wire fraud and money laundering for stealing more than $23 million from hundreds of U.S. lawyers.
• Emmanuel Ekhator, also of Canada, was sentenced to 100 months in federal prison in 2013 for leading a related scheme that swindled $70 million from lawyers in the U.S. and Canada. He was 42 at the time of his sentencing.
• Several other people allegedly involved in the scam are awaiting trial.
The people behind the scam operated out of Canada, Nigeria, Japan and South Korea.
The U.S. Postal Inspection Service has reason to believe the scheme is ongoing, according to a news release regarding Okpalefe’s conviction. Officials recommend firms that receive checks in the mail work closely with their banks to understand the checks’ authenticity, even if the funds are made immediately available upon deposit.
Employees might feel like they know better than to respond to an email from foreign royalty claiming to have money for them, or to click on a link from an unknown address. They might, however, not realize that just hovering over a link could open their computer to a security risk, or that a well-designed check from a client is fake.
Novis recommends employers not hide attempted, or even successful, scams from their employees. Showing them that these things can actually happen can go a long way toward breaking people out of their feelings of immunity.
Even something as simple as calling the sender of an email to confirm it came from that person can go a long way.
“One of the biggest things I’ll tell staff here is, ‘If you’re not sure, pick up the phone,’” Mahoney said.
Cutting off a person’s access to company files after he or she leaves the business is also crucial to preventing internal threats. Novis has seen cases where former employees, whose bosses did not even know they were disgruntled, stole proprietary information or corrupted data because the company took too long to cut off access.
When fraud hits
Few people would judge a relative or friend who loses money in a scam. But what if the victim is your banker, accountant or lawyer? Do you still feel comfortable entrusting that person with your most sensitive information?
The loss of trust that comes with fraud can sometimes be more costly to a brand than the money swindled by the scammer. One attorney who fell victim to the fake check scam, for example, emphatically declined to comment on the case, saying that more than 10 years after he fell victim, he is only just now starting to rebuild his credibility.
Still, being up front about a possible breach is often the best — and sometimes legally necessary — way to salvage that trust, Novis said.
The first step to addressing fraud is usually contacting an IT person or attorney for the company who can determine what happened. Although it seems like common sense, that step does not always come naturally for people who feel embarrassed and would rather try to quickly address the issues themselves.
“Realize you kind of don’t know what you don’t know,” Novis said.
Professionals might need help determining their legal obligation to notify any customers or other parties who could have their information compromised. An insurance policy might also cover some monetary losses, although policies are not always able to keep up with the fast-moving world of cybercrime.
“Quick action and honesty is the best policy,” Novis said. “The best thing you can do is to move quickly to make sure the threat is shut down and isolated, and (tell customers) you’ve now put in practices to make sure it never happens again.”