Law Firms Vulnerable to Social Engineering Loss

​Social Engineering is an ongoing issue. Sometimes called Cyber Crime, Impersonation Fraud, or Cyber Deception, the concept of Social Engineering is manipulation of an employee to voluntarily part with money.  Think of it as a con man getting you to hand over your wallet.
 
Wikipedia defines Social Engineering:

• Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

https://en.wikipedia.org/wiki/Social_engineering_(security)
 

Recently, I saw a claim from a law firm (names have been changed to protect the innocent.  In August, The Firm had been 'engaged' by a Client (we'll call it Bob's Waffles) to collect a debt from another company (Jim's Syrup).  The Firm sent an engagement letter to Bob's Waffles, which they signed.  They accepted the case on contingency.  The Firm then engaged in the debt collection process.  On August 31, the Firm received a check from Jim's Syrup for $105,000 to settle the debt.  On September 1, the Firm wired $101,000 to Bob's Waffles (the $105,000 less the $4,000 contingency that the Firm collected).  
 
As I am sure you could have predicted, the check that was purported to be from Jim's Syrup has bounced.  (They really should have waited for the check to clear the origin bank.)  The Firm has paid out $101,000 to Bob's Waffles, who of course has stopped responding to any request for communication.  This entire fraud took a very short time (total timeline is less than two weeks).
 
The items that are still unclear to me:  Was Bob's Waffles a client before all this happened and was there any other relationship?  (My guess is no.)  Was Jim's Syrup a real company or one made up for the purpose of committing this fraud?  (My guess is not a real company.)  It sounds to me like someone duped the law firm into believing they were a real client and a real debtor when both were fake (and probably Nigerian princes).
 
Thankfully, through the wise and persistent efforts of our amazing production and service teams, the client has a high quality Cyber policy with Social Engineering including the Enhanced Cyber Crime coverage features.  Policy has a $125,000 limit for Social Engineering loss subject to a $5,000 retention.
 
We reported the claim.
 
And it looks like the loss will be covered.  We triggered the "Claim" and "Financial Fraud" sections of the policy.  
 
So, message to all of us:  
1. Cyber Crime or Social Engineering in the Cyber policy may be very broad and may pick up losses that other policies will decline.  And, 2, Law firms are probably being targeted for this kind of scam and very vulnerable.  
 
Moral of the story:  Don't buy a Cyber policy (or Crime policy) without this coverage. 
 
And know what you are getting because policy language matters, a lot.