Skip to content

Law Firm Risk, Explained

The Fake Bank Already Knew the Settlement

Nothing was hacked. Someone was convinced. This is how criminals use public court records to steal settlement wires from Texas law firms, and how the right endorsement and a two minute phone call stop them.

Independent Texas brokerage serving Houston, Spring, The Woodlands, and the greater Houston metro. Local broker. National infrastructure.

The Con That Does Not Need a Hacker

Your Practice Is Built on Public Records. So Is This Scam.

Social engineering fraud is the industry's name for a con. A criminal poses as someone your firm trusts, a bank, a client, opposing counsel, a vendor with an invoice, and talks an employee into sending money voluntarily. The email version is called business email compromise. The result is the same. The wire is authorized, and it is gone.

Law firms are a favorite target for a simple reason. The work is public. Dockets, filings, party names, and case milestones sit in courthouse records and online court systems anyone can search. A criminal does not need to breach your network to know a settlement is coming. The courthouse already told them.

The most expensive call your firm will ever take sounds exactly like your bank.

We have handled the aftermath of this exact scam with a Houston area commercial client. The details stay private. The lesson does not, and it is the reason this page exists. The full narrative of how the scam unfolds, from the courthouse to the callback, is at your settlement is public record.

The Pattern, Step by Step

Anatomy of a Settlement Wire Theft

The scheme runs on research, timing, and trust. Here is the full pattern, from the docket to the disappearing wire.

  1. The docket announces the money

    The case, the parties, and the settlement milestones are public record. Court systems publish them, and legal press sometimes amplifies them. The criminal's research starts at the courthouse, not at your firewall.

  2. The firm is profiled

    Your website, your bar directory listing, and your staff pages fill in the rest. Who runs the office. Who touches the money. Which email pattern the firm uses. All of it is freely available.

  3. The disguise is chosen

    Sometimes it is a caller claiming to be the bank, verifying updated wire instructions. Sometimes it is an email from a domain one character off from opposing counsel's. Sometimes it is a vendor invoice that looks exactly like the last real one. Each version carries details only an insider should know.

  4. Urgency does the closing

    The funding deadline is today. The account had to change at the last minute. The client is waiting. Pressure is the point, because pressure is what keeps your bookkeeper from making one verifying phone call.

  5. The wire is authorized

    An employee sends the money in good faith. Nothing was breached. That word, authorized, is where insurance coverage is won or lost, because some policies read a deceived transfer as a voluntary payment rather than a covered intrusion.

  6. The recovery clock starts

    Banks and the FBI can sometimes claw a wire back, but the odds collapse by the hour. The firms that recover are the firms that notice fast, call the bank first, and report to ic3.gov the same day.

State bar associations in Texas and across the country have published standing alerts on these schemes, including the fake bank call, the altered wire instruction, and the counterfeit settlement check that clears before it bounces. The pattern is documented. The defense is procedural, and it is insurable.

Wire Fraud, The McDade Way

Direct Answers for Firm Owners

What is social engineering fraud?

Social engineering fraud is a scam where a criminal poses as a trusted party, often a bank, a client, or opposing counsel, and tricks an employee into voluntarily wiring money or paying a fake invoice. Because the employee authorized the transfer, standard crime and cyber forms may not respond without a specific endorsement.

Why are law firm settlements a target for wire fraud?

Settlements are announced by public court records, they move on predictable timelines, and they flow through trust accounts in large amounts. A criminal can learn the case, the parties, and the likely wire window from the courthouse alone, then impersonate a bank or a party with convincing detail.

What insurance covers a fraudulent wire transfer?

A social engineering fraud or fraudulent instruction endorsement, attached to a cyber or crime policy, is the coverage built for a deceived transfer. It carries its own sublimit and often requires verification procedures as a condition. A standard cyber policy without the endorsement may not respond.

Where Coverage Is Won or Lost

Having Cyber Is Not the Same as Being Covered for This

Courts have drawn a hard line between money stolen by intrusion and money handed over by deception. Federal appeals courts, including the Fifth Circuit that covers Texas, have upheld denials where an employee was tricked but no system was compromised. The difference between the two outcomes below is one endorsement and one procedure.

The uninsured version

A Policy Without the Endorsement

The firm carries cyber insurance and assumes a stolen wire is covered. At claim time the carrier points to the voluntary transfer. The employee authorized it, no computer was breached, and the computer fraud language does not reach it. The loss lands on the firm's own balance sheet, and litigation against the bank rarely changes that.

The insured version

The Endorsement, Sized and Conditioned

The policy carries a social engineering fraud or fraudulent instruction endorsement. The sublimit reflects the firm's largest realistic single wire, not a default number. The verification procedure the carrier requires is written down and actually followed. When the call comes, the procedure catches it, and if it ever does not, the contract responds.

This is a document question, and it is exactly what a commercial review reads for. The endorsement, the sublimit, the conditions, and the seams between your cyber policy, your crime coverage, and your professional liability. The full law firm program lives at our Houston law firm insurance hub.

The Evidence

The Numbers Behind the Pattern

$2.8 Billion

Reported business email compromise losses in 2024 across 21,442 complaints, the second costliest crime category the FBI tracks.

Source: FBI IC3 2024 Internet Crime Report
$8.5 Billion

Business email compromise losses reported to the FBI across the three years from 2022 through 2024. These scams rely on deception, not malware.

Source: FBI IC3 annual Internet Crime Reports
$561 Million

Fraudulent transfers frozen by the FBI's rapid response process in 2024, a 66 percent success rate that applies only when the loss is reported quickly.

Source: FBI IC3 2024 Internet Crime Report

Forget the survival statistics that float around the internet. The honest measure is reserve math. Take your firm's largest routine wire, add the forensic and legal costs of the response, add the billable hours it consumes, and hold that number against the cash the firm keeps on hand. That is the exposure, and it is insurable.

If It Has Already Happened

The First Hours Decide What Comes Back

Recovery is a race. The FBI's freeze process succeeded about two thirds of the time in 2024, and nearly every success shared one trait. The victim moved the same day.

  • Call your bank first

    Ask for an immediate recall of the wire and the fraud department, not the branch line. The receiving bank can sometimes freeze funds that have not yet moved on.

  • File at ic3.gov the same day

    The FBI's Internet Crime Complaint Center routes fast reports into its recovery process. The freeze odds collapse once the money hops to a second account.

  • Notify your carrier inside the window

    Many policies require notice within a stated period and may direct the response. Late notice is one of the most common reasons an otherwise valid claim struggles.

  • Preserve everything

    The emails, the phone numbers, the wire confirmations, and the timeline. The claim, the bank recall, and any investigation will all ask for the same record.

The Two Minute Defense

The Protocol That Beats the Con

Every scheme on this page dies against the same three habits. They cost nothing, they take minutes, and carriers increasingly expect them.

Call Back, Your Number

Every new or changed payment instruction gets verified by a call to a number already in your file. Never the number in the email. Never the number the caller offers.

Two People, Every Wire

Trust account wires require a second set of eyes before release. Dual authorization turns one deceived employee into a failed scam instead of a loss.

No Changes by Email Alone

A standing rule the whole firm knows. Wire instructions never change on the strength of an email, an invoice, or an urgent call, no matter how right it sounds.

Write the protocol down, train it once a year, and tell your carrier you follow it. Some markets improve pricing or terms for documented verification procedures, and some condition the endorsement on them. Your team can pressure test itself with seven checks before you click and six signs your team has been phished.

Questions Firm Owners Ask

Wire Fraud Coverage Questions, Answered Plainly

What is the difference between social engineering fraud and a data breach?

A data breach is an intrusion. Someone breaks into a system and takes data. Social engineering fraud is a deception. Someone convinces an employee to send money or information voluntarily. The distinction matters because many policies were written around intrusions, and a voluntary transfer can fall outside them without the right endorsement.

Does cyber insurance cover wire transfer fraud automatically?

Not automatically. When an employee authorizes the wire, even under deception, some forms read the loss as a voluntary payment rather than a covered computer intrusion, and federal appeals courts, including the Fifth Circuit that covers Texas, have upheld coverage denials on that reasoning. Coverage usually requires a social engineering fraud or fraudulent instruction endorsement with its own sublimit.

How do criminals learn about our settlements?

Much of it is public record. Dockets, party names, and case milestones sit in courthouse files and online court systems that anyone can search. Add a firm website, a bar directory listing, and a few press mentions, and a criminal can assemble the client, the amount in play, and the likely timing of the wire without ever touching your network.

What is a fraudulent instruction endorsement?

It is policy language, usually added by endorsement to a cyber or crime policy, that responds when an employee acts on payment instructions that turn out to be fraudulent. The endorsement typically carries a sublimit lower than the full policy limit, and carriers often require verification procedures as a condition of coverage. Both details belong in the review before a wire ever moves.

What should we do in the first hours after a fraudulent wire?

Call your bank immediately and request a recall of the funds, then file a complaint at ic3.gov so the FBI's recovery process can attempt a freeze. Notify your insurance carrier within the policy's reporting window, which is often measured in hours or days, not weeks. Speed is the single biggest factor in whether the money comes back.

Can a verification procedure really stop these scams?

It is the strongest control available. A callback to a known number from your own file, never a number provided in the email or the call itself, defeats most of these schemes. Pair it with dual authorization on trust account wires and a rule that payment instruction changes are never accepted by email alone. Carriers increasingly expect these controls and may condition coverage on them.

How big should our social engineering fraud sublimit be?

Size it against the wires the firm actually sends, not against a default. A firm that moves six figure settlements through its trust account needs a sublimit that reflects a worst case single transfer. We review your actual transfer patterns and match the number to the exposure.

Will McDade replace our current broker or just review what we have?

We start with a review, not a replacement. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer. If your endorsement, sublimit, and verification requirements line up, you will hear exactly that. If they do not, you will see it in the documents before a wire tests it.

Proof From the People We Serve

What Houston Clients Say

 
Panel only seen by widget owner

The Next Step

Find Out If Your Policy Would Have Paid

Send us the cyber and crime policies you carry today. We will find the endorsement or the absence of it, read the sublimit against your real wires, and walk you through the seams in plain English before a criminal tests them for you.

Commercial reviews route to our commercial desk and follow your calendar, not ours.