We warn. We train. We checklist our people to death. Still, most don’t act—until they’ve been hit. Stories change that. They touch our emotions, bringing the breach to life. They create urgency. I write Stan’s Corner to do what PowerPoints and policies can’t: move people to take security seriously now.
The Cost of a Simple Mistake
Kirk was justifiably upset. As managing partner, he stood to personally lose more than $100,000 of his own money. The firm’s total hit $475,000 in losses, plus another $500,000 fighting a lawsuit and an appeal they had no shot at winning. Add an incalculable hit to their reputation.
How It Happened
Kirk’s firm defended a restaurant in a personal injury case. They settled for $475,000. Payment details flew back and forth over email—routine stuff. But buried in that thread was a fake email. Just a few letters off. No one caught it.
The imposter watched. Then, posing as the plaintiff’s lawyer, he sent new wire instructions. Kirk’s team wired the money—straight to the thief’s account. Gone.
When the real plaintiff’s lawyer called asking where the money was, panic set in. By then, the scammers had vanished.
Who Pays for the Scam?
The plaintiff sued to get paid—again. The court sided with him: you promised him money, you pay him money. The appeals court agreed.
The courts looked at who dropped the ball. Kirk’s firm did. They missed the red flags: the email address was slightly off, the wire instructions didn’t match the settlement terms, and worst of all—there was no phone verification. They wired the money anyway.
The California court was clear: if you don’t use basic caution with wire transfers, you eat the loss.
Build a Discipline of Cybersecurity
It’s not that the firm didn’t have an information security awareness program. They did. It was perfunctory. It took time away from people’s “real job.” Partners were too busy to participate.
Everything was fine until it wasn’t. There was no discipline of cybersecurity: no habits, checks, and clear rules everyone follows every time.
Lesson for law firms—and everyone wiring money. Build a discipline. Have a strict wire process and stick to it. Confirm instructions by calling a trusted contact at a phone number you already have on file, never a number taken from the email that carries the new instructions, and treat any change to payment details as a red flag that restarts verification. Never rely on email alone. For big payments, consider overnight courier with tracking. And carry cyber insurance—because no matter how sharp you think you are, you’re not sharper than a patient scammer.
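The three red flags the court named (a sender address a few letters off, instructions that don’t match the settlement on file, and no phone callback) can be turned into a gate that a wire cannot pass without a human clearing each one. The code below is an added example written for this column, not the firm’s process or any product; the domains, account numbers and the `WireRequest` / `WireInstructions` names are constructed for illustration.

```python
# Added example: a pre-release gate that checks a wire request against the
# settlement instructions on file and a list of known counterparty domains.
# All names, domains and account numbers below are constructed for this demo.
from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates ("a few letters off"),
    or None if it is an exact trusted domain or not close to any of them.
    Note: this catches typo-squats only; homoglyph/IDN tricks need a separate check."""
    domain = domain.lower()
    if domain in trusted or not trusted:
        return None
    dist, match = min((levenshtein(domain, t), t) for t in trusted)
    return match if dist <= max_distance else None


@dataclass
class WireInstructions:
    """Beneficiary details, either from the settlement on file or from an e-mail."""
    beneficiary_name: str
    account_number: str
    routing_number: str
    amount_usd: int


@dataclass
class WireRequest:
    sender: str                    # e-mail address the instructions arrived from
    instructions: WireInstructions
    callback_verified: bool        # set by a person who phoned a number already on file


def check_wire_request(req: WireRequest, on_file: WireInstructions,
                       trusted_domains: set) -> list:
    """Return the red flags that must be cleared before the wire is released.
    An empty list means none of the court's three red flags is present."""
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain not in trusted_domains:
        imitated = is_lookalike(domain, trusted_domains)
        if imitated:
            flags.append(f"sender domain '{domain}' is a lookalike of '{imitated}'")
        else:
            flags.append(f"sender domain '{domain}' is not a known counterparty")
    new = req.instructions
    if (new.account_number, new.routing_number) != (on_file.account_number, on_file.routing_number):
        flags.append("beneficiary account differs from the settlement instructions on file")
    if new.beneficiary_name.casefold() != on_file.beneficiary_name.casefold():
        flags.append("beneficiary name differs from the settlement instructions on file")
    if new.amount_usd != on_file.amount_usd:
        flags.append("amount differs from the settlement amount on file")
    if not req.callback_verified:
        flags.append("instructions not confirmed by callback to a phone number on file")
    return flags


# Constructed sample data: the counterparty domain and settlement on file, then
# an imposter request (domain one letter off, new account, no callback) and a
# genuine one.
TRUSTED_DOMAINS = {"plaintiff-law.example"}
ON_FILE = WireInstructions("Plaintiff Law Trust Account", "123456789", "012345678", 475_000)

IMPOSTER = WireRequest(
    sender="counsel@plaintif-law.example",
    instructions=WireInstructions("Plaintiff Law Trust Account", "987654321", "012345678", 475_000),
    callback_verified=False,
)
GENUINE = WireRequest(
    sender="counsel@plaintiff-law.example",
    instructions=ON_FILE,
    callback_verified=True,
)

if __name__ == "__main__":
    for label, req in (("imposter", IMPOSTER), ("genuine", GENUINE)):
        flags = check_wire_request(req, ON_FILE, TRUSTED_DOMAINS)
        print(label, "->", "RELEASE" if not flags else "HOLD: " + "; ".join(flags))
```

The imposter request is held on all three flags; the genuine one releases. The one thing code cannot do is the callback itself: `callback_verified` has to be set by the person who dialed the number from the engagement file, and the process should forbid setting it on the strength of a number printed in the email that asked for the change.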
One sloppy wire cost Kirk’s firm nearly a million dollars. Don’t be next.
If this story motivates you to want to do better, please reach out. I’m the founder / president of SecureTheVillage, a nonprofit making a difference. We work with smaller businesses, nonprofits, and the MSPs who serve them. Email me now to protect your assets and minimize the impact of inevitable disruption. StanStahl@Substack.com.