Hacker steals $600K from Connecticut homebuyer

A Connecticut law firm may be on the hook for malpractice by not having enough cyber security to protect its clients from scams.

Homebuyer Richard Bates filed a lawsuit against his attorney Patrick Walsh and Hastings, Cohan & Walsh, LLP, in Ridgefield, Connecticut in federal court last week, blaming the attorneys for a loss of almost $600,000.

Bates, a resident of Palm Beach Gardens, Florida, hired the firm to represent him in the purchase of a Connecticut home for more than $800,000, according to the complaint. The hackers walked off with $726,000, of which the banks were only able to recover $129,000.

The hacker accessed the firm’s private emails to obtain key information about the transaction, including the buyer’s contact information, the purchase price and timing.

Bates received an email from the law firm with wire instructions. He wired the funds and only later discovered that the email was fraudulent. 

Now he blames his attorney for having weak cyber security. His complaint argues that they had “virtually no protocol” to prevent fraud and that their computer network only consists of “archaic email and data-storage systems,” which created the perfect opportunity for a hacker.

Bates said that if the firm had “any of the reasonable safeguards and controls used for over a decade by ordinary consumer businesses,” like two-factor authentication, the fraud would not have occurred. He also claims they did “virtually nothing” to rectify the situation.

This is not a new problem in real estate.

Professionals in real estate transactions have been on alert for years about the prevalence of fraudsters hacking emails and sending fake wire instructions. Despite these warnings, hackers have gotten better at what they do. Cyber scam losses rose from less than $9 million in 2015 to more than $446 million by 2022, according to FBI data.

Attorneys are also victims of the scams.

Stephen Conover, a Connecticut attorney specializing in legal ethics matters, said attorneys are not responsible for crimes committed against clients unless they have breached a fiduciary duty or “a reasonable standard of care” in providing services.  

Conover said he has seen clients sue lawyers for this before, but he’s never seen one prevail at trial. Once a suit is filed, it becomes an issue for the insurance carrier and typically settles out of court.

He said having two-factor authentication or other safeguards has more to do with satisfying insurance carriers who give breaks on premiums. “An attorney isn’t responsible just because someone broke in,” he said.

Many attorneys have upped their security measures over the years. Katie Carey, a Connecticut real estate attorney, said “two-factor authentication as a security measure is just a start.”

She uses a cloud-based software product with a client portal that has multiple built-in mechanisms to ward off cyber scams. It begins before a client even retains the firm, including a video presentation, and has alerts anytime there is a login to the portal.

Carey also instructs clients to call the office and confirm anytime they receive wire instructions. Her email signature contains the following in red, bold, underlined and sections in all caps:

WIRE FRAUD IS REAL! Attention Clients: we will NEVER email you and ask you to wire funds!  If you receive an email asking you to wire funds call the office immediately.

Bates likely could have avoided the scam if he had just called his attorney to confirm the authenticity of the wire instructions.

Whether Walsh, the attorney who handled the real estate transaction for Bates, has a similar warning in his email signature remains to be seen. Walsh did not respond to an email request for an interview.

 — Christina Previte

Read more

Residential

New York

Real estate at risk: Industry vulnerable to data breaches

Residential

Los Angeles

Hackers post bogus listing for Britney Spears’ $9M mansion

Residential

National

LoanDepot hackers stole data from more than 16M customers