Phishing Scheme Causes $440,000 Loss


A Cautionary Tale for South Carolina Closing Lawyers

An employee falls prey to a phishing scheme, causing her computer to contract a virus that gives an unscrupulous third party access to her user name and password and allows the third party to mimic the computer’s IP address and other characteristics. The thief instructs the bank to wire $440,000 to a bank in Cyprus, beyond the reach of U.S. authorities.

This story gives me cold chills and is the true account of Choice Escrow and Land Title, LLC v. BancorpSouth Bank, an Eighth Circuit Court of Appeals case from June of 2014.

The victim of the scheme was a Missouri real estate escrow service company, a company that handles real estate closings. That company sued the bank but lost because it had not followed the bank’s security measures.

The bank used four security measures for wire transfers:

  1. Each employee had a unique user ID and password;
  2. Bank software recorded the IP address and other information about each employee’s computer. If a user attempted to wire from an unrecognized computer, the user would be prompted to answer challenge questions.
  3. The bank allowed customers to place dollar limits on the daily volume of wire transfer activity.
  4. The bank offered “dual control” which required one user to initiate a wire and another user to approve the wire. The initiator and the approver had to have separate user IDs and passwords.

Choice Escrow had declined dual control twice, mainly because of the inconvenience and because an employee might need to wire funds when only one person is in the office.
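The four controls listed above, modeled as an added example (not code from the bank or from the original post): the request carries a stolen password and a mimicked device profile, as in the case, so controls 1 and 2 pass and only the account-level settings can stop the wire. The user IDs, the $100,000 limit and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class WireRequest:
    initiator: str                  # user ID that created the wire
    password_ok: bool               # control 1: password matches that user ID
    device_known: bool              # control 2: IP/device profile is recognized
    challenge_ok: bool              # control 2: challenge questions answered
    amount: int                     # dollars
    approver: Optional[str] = None  # control 4: second user ID, if any

@dataclass
class AccountPolicy:
    daily_limit: Optional[int]      # control 3: None = customer set no limit
    dual_control: bool              # control 4: customer opted in

def evaluate(req, policy, wired_today=0):
    """Return (released, reason) for one wire request."""
    if not req.password_ok:
        return False, "bad credentials"
    if not req.device_known and not req.challenge_ok:
        return False, "unrecognized device, challenge failed"
    if policy.daily_limit is not None and wired_today + req.amount > policy.daily_limit:
        return False, "daily limit exceeded"
    if policy.dual_control:
        if req.approver is None:
            return False, "awaiting second approver"
        if req.approver == req.initiator:
            return False, "approver must be a different user"
    return True, "released"

# Constructed request: the thief holds one employee's credentials and
# mimics her computer, so the per-user and per-device checks both pass.
STOLEN = WireRequest("employee1", True, True, True, 440_000)

def scenarios():
    return {
        "single control, no limit": evaluate(STOLEN, AccountPolicy(None, False)),
        "daily limit $100,000": evaluate(STOLEN, AccountPolicy(100_000, False)),
        "dual control": evaluate(STOLEN, AccountPolicy(None, True)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Controls 1 and 2 both depend on the employee's own computer and credentials, so a single compromised machine defeats them together; the daily limit and the second approver do not.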

This case is an example of a failure to comply with Pillar 2 of ALTA’s Best Practices, which requires appropriate and effective escrow controls and staff training in order to safeguard client funds. As South Carolina attorneys, we already have the duty to protect client funds. Don’t let your office fall prey to this kind of scheme by failing to follow security measures in the interest of convenience.

I am the treasurer of a non-profit organization that has too few employees for normal safeguards. For that reason, the bank statements are mailed to my house, and I am a second signatory for checks. My point? Safeguards can be accomplished even in very small offices.

The CFPB and Best Practices are going to require these safeguards. Implement them now!
