Wire transfer fraud is on the rise, and attorneys are increasingly becoming prime targets for cybercriminals. With billions lost annually to fraudulent transactions, legal professionals who fail to implement robust cybersecurity measures can face negligence and legal malpractice claims from clients. At the same time, not all cyber insurance policies provide coverage for money held on behalf of others such as IOLTA escrow accounts used for transactional purposes, leaving law firms exposed to significant financial and legal repercussions. Even worse, when firms sue their insurers over denied claims, courts generally side with the insurer rather than the policyholder.
Wire Fraud and the Targeting of Attorneys
Wire fraud involves business email compromise (BEC), where cybercriminals use phishing tactics or infiltrate email systems to impersonate attorneys, clients, or third parties involved in financial transactions. According to the FBI’s 2023 Internet Crime Report, cybercriminals stole approximately $2.9 billion through BEC scams, with law firms among the most common targets.
A recent case, DeLuca et al. v. SutterWilliams LLC et al. (2025), illustrates how devastating wire fraud can be for attorneys. A cybercriminal impersonated attorneys via email and tricked a law firm into wiring $442,600 from a decedent’s estate to a fraudulent account. The firms discovered the deception much later, during a discussion (of all things) about no longer accepting wire transfers, but by then the money was gone. The estate’s executor sued the attorneys for negligence, legal malpractice, breach of contract, and breach of fiduciary duty, claiming that their failure to verify transactions directly caused financial harm (Law360, 2025).
This case, while still pending, highlights how law firms, acting as fiduciaries, can face direct legal liability when failing to implement basic verification and cybersecurity protocols. Even if a firm is also a victim, clients can still hold attorneys accountable for failing to protect entrusted funds.
Legal Liability: Negligence and Legal Malpractice
Attorneys have a duty of care to safeguard client funds and confidential information. If attorneys fail to implement cybersecurity safeguards, it can result in disciplinary action, malpractice claims, and reputational damage.
- Negligence: Clients can claim that an attorney failed to implement reasonable cybersecurity measures, such as verifying wire instructions by phone, using multi-factor authentication, or securing email communications.
- Legal Malpractice: If an attorney's failure to implement adequate cybersecurity measures results in financial harm to the client, they may face malpractice claims. The ABA Model Rules of Professional Conduct, particularly Rule 1.1 (Competence) and Rule 1.6 (Confidentiality), require attorneys to take reasonable steps to protect sensitive client information.
Even if an attorney did not knowingly facilitate a fraudulent transaction, failing to take preventive measures can expose them to liability. To mitigate these risks, attorneys must adopt proactive cybersecurity governance, including client data protection strategies and thorough verification protocols.
Cyber Insurance Pitfalls: Why Many Claims Are Denied
Many law firms assume that cyber insurance will cover wire fraud losses, but policies often contain exclusions that leave firms without coverage. There are several common gaps in policies, including:
- Custodial or Escrow Accounts Are Often Not Covered: Cyber insurance often provides only first-party coverage, which covers direct losses suffered by the insured firm, not funds held in trust or escrow for clients. This means that in the case of DeLuca et al. v. SutterWilliams LLC et al. (2025), since one firm’s account was spoofed and the attorney at the other firm wired funds to an incorrect account without proper verification, the insurer may deny coverage, leaving the firm responsible for the loss.
- Social Engineering Exclusions: Some policies explicitly exclude losses from fraud resulting from voluntary transfers, meaning that if an attorney is tricked into authorizing a fraudulent wire, the claim may not be covered.
- Failure to Follow Policy Terms: Insurers often require policyholders to implement specific cybersecurity protocols. If a firm fails to follow these requirements—such as verifying wire instructions by phone—the insurer may deny coverage based on non-compliance.
Law Firms Struggle to Fight Denied Insurance Claims
Even when firms sue their cyber insurers over denied claims, courts often side with the insurer. According to Frederick Fisher in The Dangers of Late Notice under Professional Liability Policies and Claims-Made Insurance: The Policy that Changed the Industry, attorneys are the most common profession to have claims-made policy denials upheld in court (58 out of 224 cases). Courts consistently uphold denials based on:
- Late Reporting of Incidents: Reporting after the policy period expires can result in denial of coverage, as many cyber insurance policies are claims-made and time-sensitive.
- Failure to Disclose Known Risks: If a firm fails to disclose known risks or past incidents during policy renewal, it may jeopardize coverage or lead to claim denial.
- Misreporting or Noncompliance: Misreporting claims or failing to comply with precise policy language—such as procedural requirements or security obligations—can also result in coverage denial.
One common mistake is assuming a cyber event is not a claim-worthy incident and waiting too long to notify the insurer. Cyber policies generally require notice when an event is first discovered, regardless of the insured’s own assessment of its “claim worthiness.” Policies also require that the insured cooperate with the carrier to investigate any loss, and carriers have the right to associate in an investigation to mitigate or recover a loss. Additionally, carriers have developed sophisticated relationships with law enforcement, including the FBI and Secret Service, to effectuate active recovery or “clawback” of misdirected funds. Delayed reporting significantly impairs the ability of carriers and their law enforcement partners to assist with active recovery. Given these requirements, law firms should immediately report suspected wire fraud, data breaches, or phishing incidents to preserve coverage.
How Attorneys Can Protect Themselves
Given these rising risks, law firms must take proactive measures to prevent cyber fraud and mitigate liability:
- Implement Strong Verification Protocols: Require multi-factor authentication (MFA) for financial transactions and verify all wire instructions by phone using a previously known number.
- Conduct Regular Cybersecurity Training: Ensure all attorneys and staff recognize phishing attempts, social engineering tactics, and best practices for secure communication.
- Secure Cyber Insurance with Explicit Wire Fraud Coverage: Firms should carefully review policy language and ensure that client-held funds and third-party losses are covered.
- Report Cyber Claims Immediately: If a cyber incident occurs, notify the insurer as soon as possible to avoid denial due to late reporting.
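As an added illustration (not code from the article, the firms involved, or any product), the Python below encodes the verification protocol described above as a wire-release gate: beneficiary details in a request are compared against the records established at engagement, any change places the wire on hold, and the confirming call must go to the phone number on file rather than any number supplied in the email. The client record, matter id, and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample "records on file" (hypothetical): the client's phone number and
# bank details captured at engagement, independent of any later email traffic.
CLIENT_RECORDS = {
    "estate-001": {
        "phone_on_file": "+1-555-0100",
        "routing": "021000021",
        "account": "123456789",
    }
}


@dataclass
class WireRequest:
    matter_id: str
    amount: float
    routing: str
    account: str
    # A "call me to confirm" number embedded in the request email, if any.
    number_in_email: Optional[str] = None


def assess_wire_request(req: WireRequest, records=CLIENT_RECORDS):
    """Gate a wire before release. Returns (decision, reasons) where decision is
    'release', 'hold_for_callback' or 'reject'."""
    rec = records.get(req.matter_id)
    if rec is None:
        return "reject", ["no client record on file for this matter"]
    reasons = []
    if (req.routing, req.account) != (rec["routing"], rec["account"]):
        # Changed beneficiary details are the classic BEC signal: hold, never release.
        reasons.append("beneficiary details differ from records on file")
    if req.number_in_email and req.number_in_email != rec["phone_on_file"]:
        # A number supplied by the email may belong to the impersonator; it is not used.
        reasons.append("email supplies a callback number that is not on file; ignoring it")
    if reasons:
        reasons.append(f"hold; confirm by calling {rec['phone_on_file']} (number on file)")
        return "hold_for_callback", reasons
    return "release", ["routing and account match records on file"]


def callback_authorizes_release(req, number_dialed, client_confirmed, records=CLIENT_RECORDS):
    """Second step for a held wire: release only if the confirming call went to the
    number on file (not one taken from the email) and the client confirmed the change."""
    rec = records.get(req.matter_id)
    return rec is not None and number_dialed == rec["phone_on_file"] and client_confirmed
```

The decision and reasons returned by the gate can be logged with the matter id to evidence that verification was performed, which is the record an insurer or a court would ask for.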
Wire fraud targeting attorneys is on the rise, and the legal and financial consequences of inadequate cybersecurity protections are severe. Law firms that fail to implement basic security measures may face negligence and legal malpractice lawsuits. At the same time, cyber insurance policies do not always provide coverage, and insurers often deny claims based on policy exclusions, reporting failures, or coverage gaps.
Attorneys cannot rely solely on insurance to mitigate these risks. Instead, they must proactively strengthen cybersecurity defenses, implement fraud prevention protocols, and ensure compliance with policy terms to protect both their clients and their firm’s financial stability.