Anatomy of a Fraud Scam

By Gregg Zegarelli, Esq.

Reprinted and syndicated by Lawyers Journal, May 1, 2015.

In managing my law firm for more than 25 years, I have received my share of high-risk client engagement attempts. But now, with the integration of the Internet and less “personal” engagements, these attempts are getting even more clever. Sure, we will probably always have the call from a potential client, professing a huge opportunity in a case, only to determine—for the lucky or prudent ones, as the case may be—that a hearing is the next day. (I call this the “Dropping a Bomb on Me” engagement attempt.) But the international identity theft engagement attempt that happened to my firm recently was quite sublime. I almost respect it, like a scientist might almost respect the “cleverness” of a virus.

There are many well-known engagement scams directed toward attorneys. One paradigm is to engage your law firm to collect a debt. The communication is by electronic mail, sometimes because of international time differences. The new client provides a retainer by check. Then the client informs you that the case independently settled. The client gladly (and possibly generously) pays you from the retainer for your work during case assessment, and requests a return of the balance. The firm returns the balance of funds, only to find out later that the original funds were never finally paid and cleared by the bank; therefore, the returned funds were paid from other client IOLTA funds. Not good. Another paradigm uses the attorney’s IOLTA account to launder money. Not good either.

I once taught a continuing legal education course professing the benefits of electronic client engagement/signature systems. An “old-school” senior lawyer retorted from the audience that electronic engagement procedures are dangerous because of fraud attempts and not personally “knowing” your client. My response was simply that it is a judgment call for each law practice in its own operational context, but the efficiency of new technologies is not intended to replace prudent client engagement scrutiny by the firm. However, his point is particularly well-taken in light of this most recent “identity-theft” engagement attempt. I share this paradigm as a type of preventative warning, because I do think some excellent attorneys will become victims, just as even the best scientists, I suppose, will sometimes simply forget to wash their hands. I will summarize and paraphrase for convenience.

The first contact is an email. (To protect the yet unauthenticated actors, we will change the names.) The email is from Rolf Doe at SolidIntlCorpAG, apparently in Germany. Rolf writes, “Mr. Zegarelli. Can you help us collect an overdue debt against BigUSAHealthCo, Inc.?”

My office gets its fair share of these types of email inquiries, and I will normally ignore the email or respond with a rote pushback. Something like, “Thank you for your interest. My firm is a quality firm and will require authentication of your identity prior to any engagement. We apologize for the formality.” Now, I must tell you that, in responding, I have confirmed my email address, but I take that risk; in this case, my name was used, there were no typographical errors in the request, and my firm has spam technologies to stop lesser fraud attempts. In any case, this has stopped the conversation in the past; many defrauders will simply divert to someone who would not try to authenticate them. But not this time.

A few days later, behold, I have a response, “Mr. Zegarelli, how will we proceed with that?” This is what got me to bite, just a nibble. I had never had a would-be defrauder inquire about the process of authentication. In my mind, the probability of this being a real engagement significantly increased. So, now, I invest some time into “kicking the tires” of the apparent opportunity. First, I notice that he is using rolf.doe@SolidIntlCorpAG.com. (Good factor. If he were using, e.g., Gmail or Hotmail, it would have been a negative flag.) Second, I do some cross-checking. I check to see if www.SolidIntlCorpAG.com is a live website, which it is (good factor). Then, I check httpS://who.godaddy.com to see when the domain name was purchased, which was within one year (bad factor), although not marked “private” ownership (good factor); also, www.SolidIntlCorp.com (no “AG” suffix) was live with a matching website (good factor). Then, I go onto LinkedIn.com to see if Rolf Doe exists as a professional, and he does, and with the stated officer position at SolidIntlCorp! He even has long-term connections and personal recommendations.

But, all that is just high-level circumstantial. So, now I bait him with a hedge: I neither want to insult him with too much distrustful authentication overhead (he’s real, after all…maybe), nor am I yet comfortable that his identity is properly authenticated and legitimate. “Hi Rolf. We can finalize authentication at or prior to the point of engagement, if we decide to move forward with representation. However, so that I can assess your question, please provide me with a copy of the basic evidence for an overview of what is going on. Also, I will need the contact information of the involved persons and the address of BigUSAHealthCo, Inc. in my location.” If he is a defrauder, producing some evidence and details will certainly make him go away, right?

Well, the next day, “he” actually complies. I receive a purchase order with terms, and a PDF of an email thread involving a variety of people addressing the dispute. As to the purchase order, I do some math and determine that the total of $1.5M is correct, but there is a subtotal error; BigUSAHealthCo would probably not make a subtotal error (bad factor). I check the date of the purchase order, which does not seem to be correct for the dispute (bad). I check the address of BigUSAHealthCo and it checks out (good). There is an 866 number on the purchase order, so I call (simply using my office caller ID) and it answers (good); it is an automated digital voice (bad) with a list of relevant names to deposit voicemail (good), but the personnel list is finite (bad). The voicemail attendant offers the option to dial 0 for the operator (good). I dial the 0, and it immediately disconnects; I tried a few times, with the same result (bad). It is not necessarily intuitive, but authenticating the would-be defendant provides an important clue to the legitimacy of the client request. Some defrauders do not use real defendant entities.

As to the PDF evidence email thread, it appears to be a real conversational dispute (good), but it is a PDF and not the source emails (bad); therefore, I cannot check the source email meta-data to verify that the purported conversants were indeed the senders of the respective emails in the thread (more on meta-data in a moment). I check the human names in the thread by googling and LinkedIn, and they are living people with respected jobs (good); however, they do not necessarily disclose the correct relationship relevance with SolidIntlCorpAG (bad).

At this point, with so many good and bad factors, I consider the entire context a learning experience; after all, I will get either a good client or a good CLE war story for my courses, so I go with it. I send my standard engagement email that requires a click-through acceptance of my firm’s online terms and conditions, but with three modifications: 1) Without providing my wire information, I require a retainer; the retainer must be by a wire, instructions for which will be provided as a final step in the engagement process. Wiring funds provides immediately available funds and an important level of wiring bank authentication. 2) I require that Rolf link to me on LinkedIn. This connects the author of the emails with the “apparent” human listed on LinkedIn; the person on LinkedIn will not know to connect with me unless there is a connection with the author of the emails. 3) I caveat that I am still reviewing the evidence and reserve the right to require additional evidence before accepting the engagement. This is because I want to flush out the first factors, but I still have the reservation to be satisfied with why there are amount and date problems on the purchase orders, and I will want to see the source emails (through email forwarding) to authenticate the email conversants from the email meta-data.

I did not receive any response on that day, or the next. So, I send a follow-up email to Rolf and it gets returned to me “undeliverable.” Uh-oh. (I am not quite sure if I am happy or sad about it.) So, now, I log onto LinkedIn and send an “InMail” (LinkedIn’s internal email system) to Rolf, “Rolf, I sent the engagement letter you requested to you at rolf.doe@SolidIntlCorpAG.com…” to which he immediately responded, “I don’t know what you’re talking about…”

What the would-be defrauder did was take the time that is not customary: 1) purchase a domain name with a reasonable extension, such as the “AG” or “Inc” and then point/forward that domain to the authentic site, so when you go to the AG site, you are viewing the authentic site; 2) establish a virtual 866 telephone number with some digital voicemail technologies; 3) spoof emails to appear from the official company site (with or without the AG suffix); 4) research some living human names in the authentic company or related industries; and 5) fabricate purchase orders, using logo graphics now obtainable online from the authentic websites. In my view, the ultimate failure of the scheme was because I required a wire transfer and the LinkedIn connection.

With the understanding that we still do not really know if LinkedIn Rolf is would-be client Rolf, this situation provides some important points to consider.

  1. Domestic contacts tend to be rather easily authenticated, because a telephone call is customary. It is the international opportunity that provides a variety of “legitimate excuses” for use of electronic communications. Therefore, potential international clients are inherently cause for higher engagement scrutiny.
  2. Review emailed engagement requests carefully. It may or may not be too good to be true; it may just be good enough to defraud you for a few thousand dollars. Look for typographical errors or unusual syntax; look for use of your personal name. Determine if the email matches the company domain. Determine if the email is from an informal consumer mail service (e.g., Hotmail, AOL, Gmail) and not a private domain source (e.g., @zegarelli.com). Check the email meta-data; there is hidden data in emails that provides evidence regarding senders and the sent pathway details. (Google something like “how to view headers [e.g., Outlook 2010, Gmail, Hotmail]” to see how your own email package allows you to view the meta-data.)
  3. From unauthenticated sources, consider only wire transfers to ensure availability of funds and authentication record-keeping by the sender bank. Checks and credit cards have risks of finally-paid delays and chargebacks.
  4. Obtain definitive party contact information and google the identities. Ensure that the people and companies exist. Depending upon the context and applicable standards, perform due diligence on contact information.
  5. Consider requesting confirmation by social media links, which can assist with flushing out stolen or spoofed identities.
  6. Review the evidence carefully. Look for unusual flaws. Check for reconstituted emails.
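Points 2 above (check the sender domain, consumer mailboxes and the email meta-data) and the "AG"-suffix domain trick described earlier can be reduced to a routine header triage. The following Python script is an added example, not part of the original article or any firm's intake system; the two sample messages, the "known" domain list, and the domains and addresses in them are all constructed for illustration. It parses the headers with the standard library, compares the From domain against the Reply-To and Return-Path domains, flags consumer mailbox providers, detects look-alike domains that append an entity suffix (AG, Inc, GmbH) or differ by a single character from a domain you already know, and reads the receiving server's Authentication-Results header (SPF, DKIM, DMARC).

```python
"""Header-level triage of an inbound engagement e-mail.

Added example. Every domain, address and header value below is constructed;
the "known good" domain list is a hypothetical intake allow-list. Header
names are the standard ones (From/Reply-To/Return-Path per RFC 5322,
Authentication-Results per RFC 8601).
"""
import email
import re
from email.utils import parseaddr

# Consumer mailbox providers that the article treats as a negative factor.
CONSUMER_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "aol.com", "yahoo.com", "outlook.com"}

# Entity suffixes a look-alike registration might append to a real brand name.
ENTITY_SUFFIXES = ("ag", "gmbh", "inc", "llc", "ltd", "corp", "co", "group")

# Hypothetical allow-list: domains the firm has already authenticated.
KNOWN_DOMAINS = {"solidintlcorp.com"}

# Constructed message modelled on the article's first contact.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-7712@bulk-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-relay.example.net; dkim=none; dmarc=fail
Received: from bulk-relay.example.net (bulk-relay.example.net [203.0.113.10]) by mx.example.com
From: Rolf Doe <rolf.doe@SolidIntlCorpAG.com>
Reply-To: rolf.doe.solidintl@gmail.com
To: office@example-lawfirm.com
Subject: Overdue debt against BigUSAHealthCo, Inc.

Mr. Zegarelli. Can you help us collect an overdue debt against BigUSAHealthCo, Inc.?
"""

# Constructed message that should raise no header-level flags.
CLEAN_MESSAGE = """\
Return-Path: <rolf.doe@solidintlcorp.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=solidintlcorp.com; dkim=pass; dmarc=pass
From: Rolf Doe <rolf.doe@solidintlcorp.com>
To: office@example-lawfirm.com
Subject: Follow-up on the engagement letter

Thank you, we will review the engagement terms.
"""


def domain_of(address):
    """Lower-cased domain part of an RFC 5322 address string, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def registrable_label(domain):
    """Second-level label, e.g. 'solidintlcorpag' for 'SolidIntlCorpAG.com' (crude, no public-suffix list)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else domain.lower()


def _one_edit_apart(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
        else:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):
                i += 1  # substitution consumes a character on both sides
            j += 1  # insertion in b consumes only b
    return edits + (len(b) - j) <= 1


def lookalike_of(domain, known_domains):
    """Return the known domain that `domain` imitates, or None if it is exact or unrelated."""
    cand = registrable_label(domain)
    bases = {registrable_label(k): k for k in known_domains}
    if cand in bases:
        return None  # the real domain, not a look-alike
    for base, known in bases.items():
        if cand.startswith(base) and cand[len(base):] in ENTITY_SUFFIXES:
            return known  # brand + entity suffix, e.g. solidintlcorp -> solidintlcorpag
        if _one_edit_apart(cand, base):
            return known  # single-character typo-squat
    return None


def assess_email(raw_message, known_domains):
    """Return a sorted list of red-flag labels found in the message headers."""
    msg = email.message_from_string(raw_message)
    flags = set()
    from_dom = domain_of(msg.get("From", ""))
    imitated = lookalike_of(from_dom, known_domains)
    if imitated:
        flags.add(f"lookalike-domain:{from_dom}~{imitated}")
    for hdr in ("From", "Reply-To"):
        if domain_of(msg.get(hdr, "")) in CONSUMER_MAIL_DOMAINS:
            flags.add(f"{hdr.lower()}-consumer-mailbox")
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            flags.add(f"{hdr.lower()}-domain-mismatch:{dom}")
    auth = msg.get("Authentication-Results", "").lower()
    if not auth:
        flags.add("no-authentication-results")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.add(f"{mech}-{m.group(1)}")
    return sorted(flags)


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, assess_email(raw, KNOWN_DOMAINS))
```

Run against the constructed first-contact message, the script reports the look-alike domain (SolidIntlCorpAG.com imitating the allow-listed SolidIntlCorp.com), a Gmail Reply-To that does not match the From domain, a Return-Path from an unrelated relay, and SPF/DKIM/DMARC results that are not "pass"; the clean message yields no flags. A header check of this kind is only one factor in the author's list: it cannot replace the wire-transfer requirement or the out-of-band LinkedIn confirmation, and it says nothing about a PDF of a thread, since the PDF carries none of these headers.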

There are also certainly less technical ways to authenticate a new international client request. For example, if the firm has access to a multi-lingual resource, an international telephone call would, of course, force a level of authentication. Also, consider asking for referrals or an international contact for existing legal counsel in the international venue.

In conclusion, this particular situation demonstrates the lengths to which a would-be defrauder will go to implement the fraud; that is, to manufacture evidence, spoof identities and to establish telephonic contact points. In the digital and virtual shrinking world, we increasingly do not personally know our clients in the same physical way that has been customary. Nevertheless, we remain professionally responsible for prudent engagement practices, and, hopefully, the above assists with exposing some of the latest schemes and risks, with technical guidance for your consideration.

Gregg Zegarelli, Esq.

___________________________

Gregg Zegarelli is Managing Shareholder of Technology & Entrepreneurial Ventures Law Group, PC. Gregg is nationally rated as “superb” and has more than 25 years of experience working with entrepreneurs and companies of all sizes, including startups, INC. 500, and publicly traded companies. He is Adjunct Professor in the Duquesne University Master of Leadership graduate degree program, currently teaching Developing Leadership Character Through Adversity. He is author of One: The Unified Gospel of Jesus and The Business of Aesop™ article series, and co-author with his father, Arnold Zegarelli, of The Essential Aesop: For Business, Managers, Writers and Professional Speakers. Gregg is a frequent lecturer, speaker and faculty for a variety of educational and other institutions. Copyright © 2015 Gregg Zegarelli. Gregg can be contacted through LinkedIn.

https://www.linkedin.com/pulse/anatomy-lawyer-engagement-fraud-scam-gregg-zegarelli-esq-
