Your Settlement Is Public Record. So Is the Scam | McDade
Your settlement is public record. So is the scam that follows it.
- By Dallas Downey, CLCS
Published July 2, 2026 - Business Insurance
The most damaging scam hitting law firms right now does not start at your firewall. It starts at the courthouse, in records anyone can read. Here is how it runs, the one word that decides whether you were insured, and the habit that beats it.

The answer
Settlement wire fraud works because litigation is public. The criminal learns the case, the parties, and the funding window from open dockets, then impersonates a bank or a party at exactly the right moment. Coverage turns on one word, authorized, and prevention takes one phone call to a number already in your file.
The call that knows too much
It is worth walking through the pattern the way it actually arrives. What follows is assembled from state bar fraud alerts and federal reporting, and it will feel uncomfortably specific, because the scam is.
The call comes on a Thursday afternoon, a week before a settlement funds. The voice says it is the bank. It knows the case name. It knows the amount. It knows the funding date, and it is calling because the receiving account details changed and someone needs to confirm the updated wire instructions before the deadline slips.
Nothing about the call sounds like a scam. It sounds like the last administrative step of a matter your firm already won. The caller is patient, professional, and slightly hurried, exactly the way a real bank officer sounds on a Thursday.
The details are what disarm you. And every one of those details was free.
The courthouse did the reconnaissance
Dockets, filings, party names, and case milestones sit in county and federal court systems anyone can search. State bar associations have published standing alerts on schemes built from exactly this material, including the fake bank call, the altered wire instruction, and the counterfeit settlement check that clears just long enough to be wired back out.
Add your firm's own website, a bar directory listing, and a staff page, and the criminal knows who runs the office, who touches the money, and what your email addresses look like. A domain one character off from opposing counsel's finishes the costume. Nothing was breached. Nobody hacked anything. The reconnaissance was reading.
We have walked a Houston area commercial client through the aftermath of this exact pattern. The particulars stay private. The lesson is this page.
One word decides whether you were insured
Here is where the story turns from security into insurance. When an employee is deceived into sending a wire, the transfer was authorized. That word matters enormously, because some crime and cyber forms respond to intrusions, money taken by breaking in, and read a deceived transfer as a voluntary payment instead. Federal appeals courts, including the Fifth Circuit that covers Texas, have upheld coverage denials on that reasoning, and the State Bar of Texas has published analysis walking firms through those cases.
The coverage built for this loss is a social engineering fraud or fraudulent instruction endorsement, attached to a cyber or crime policy. It carries its own sublimit, which was sized to the wires the firm sent when the policy was placed, and carriers often require verification procedures as a condition. Whether your firm is protected is not a feeling. It is a paragraph, and it can be read this week.
The scale is not small. The FBI logged nearly $2.8 billion in business email compromise losses in 2024, and its rapid response process froze funds in about 66 percent of the cases reported to it quickly. The freeze rate collapses when reporting is slow, which is why the first hours matter as much as the endorsement.
The two minute defense
Everything above dies against three habits. They cost nothing, they take minutes, and carriers increasingly expect them.
The verification protocol
- Call back on a number already in your file. Never the number in the email, and never the number the caller offers.
- Two people approve every trust account wire. Dual authorization turns one deceived employee into a failed scam instead of a loss.
- Payment instructions never change by email alone. A standing rule the whole firm knows, no matter how urgent the request sounds.
And if a wire has already gone out, the order of operations is the recovery. Call your bank first and request a recall, file at ic3.gov the same day, notify your carrier inside the policy's reporting window, and preserve every email, number, and confirmation. Speed is the single biggest factor in whether the money comes back.
The full coverage anatomy, including how the endorsement and sublimit get sized, lives at social engineering fraud for law firms, and the wider boundary between your malpractice policy and your cyber policy is mapped at law firm cyber insurance. Your whole team can rehearse the recognition half with seven checks before you click.
The con does not need your password. It needs your Thursday afternoon.
Dallas Downey, CLCS, Commercial Lines and Workers Compensation Specialist
Sources worth opening before you decide.
This article uses public source material from the State Bar of Texas and the FBI Internet Crime Complaint Center.
The purpose is to help you ask better questions before a wire moves. The statistics describe the threat. Whether your firm is protected is answered by the endorsement, the sublimit, and the procedure, which is exactly what the review reads.
Keep reading, then read your policy.
Questions firm owners ask.
Is a fraudulent wire covered by our malpractice policy?
Generally no. Legal professional liability responds to claims that your legal work harmed a client, and a stolen wire is not that claim. The coverage built for a deceived transfer is a social engineering fraud or fraudulent instruction endorsement attached to a cyber or crime policy, with its own sublimit and often its own verification conditions.
What should we do in the first hour after discovering a fraudulent wire?
Call your bank and request a recall of the funds, then file a complaint at ic3.gov the same day so the FBI's recovery process can attempt a freeze. Notify your insurance carrier inside the policy's reporting window, which is often measured in hours or days, and preserve every email, phone number, and confirmation. Speed decides what comes back.
What if the request came from opposing counsel's real email address?
It happens, because accounts get compromised and criminals send instructions from inside them. That is why the defense targets the instruction, not the address. A callback to a number already in your file, never one supplied in the message, defeats the compromised account version of the scam just as reliably as the spoofed domain version.
Can McDade help us set up a wire verification procedure?
Yes. The procedure is part of the commercial review, alongside the endorsement and sublimit check, because carriers increasingly price or condition coverage on it. And about 40 percent of the time we tell clients to stay with their current carrier because that is the right answer. The review exists to know, not to churn.
What Houston clients say.
Find out if your policy would have paid.
Send us the cyber and crime policies you carry today. We will find the endorsement or the absence of it, read the sublimit against your real wires, and walk you through the procedure your team can run before the next Thursday afternoon call.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.
By