Is this an incident we have to notify the client about?

Yes. Under ABA Model Rule 1.4 and Formal Opinion 483, the client must be kept reasonably informed — and almost always told — when client funds or confidential information are affected.

Is the loss covered by our cyber policy?

Often no. Many cyber and crime policies exclude funds held on behalf of others (escrow / IOLTA). Check the policy language and the LPL policy in parallel before relying on coverage.

Should we call law enforcement?

Yes — IC3 first because it triggers the kill-chain mechanism. Local FBI field office and state AG follow.

← Playbooks · Money

Trust-account / IOLTA wire fraud

A spoofed email changed the wire instructions on a settlement or closing. Money has moved. The next 72 hours are the whole game.

The signature law-firm playbook. A spoofed email changes wire instructions on a settlement disbursement or a real-estate closing; the firm wires client money to the attacker. The first-24-hours wire-recall path is the whole game — and many cyber policies don't cover funds held for others.

The first hour

What to do, in order.

01
Call the originating bank's fraud line immediately and request a SWIFT recall or hold. Use the number on the back of the card or from the bank's published fraud line — not the number in any recent email.
02
File at the FBI IC3 (ic3.gov) within hours, citing the Financial Fraud Kill Chain. The recall mechanism works best inside 72 hours.
03
Notify the receiving bank in writing of suspected fraud on the receiving account.
04
Preserve the spoofed email, full headers, and any related mailbox-rule changes — do not delete or forward.
05
Notify the client, in writing, the same day. Document the call and the written notice.
06
Open the cyber-insurance and LPL claim within the carrier's notification window; check whether funds-held-for-others is covered before assuming the loss is insured.

Key decisions

The questions you'll be asked.

Is this an incident we have to notify the client about?: Yes. Under ABA Model Rule 1.4 and Formal Opinion 483, the client must be kept reasonably informed — and almost always told — when client funds or confidential information are affected.
Is the loss covered by our cyber policy?: Often no. Many cyber and crime policies exclude funds held on behalf of others (escrow / IOLTA). Check the policy language and the LPL policy in parallel before relying on coverage.
Should we call law enforcement?: Yes — IC3 first because it triggers the kill-chain mechanism. Local FBI field office and state AG follow.

Regulatory & ethical hooks

What the rules say.

ABA Model Rule 1.4 — Communication with the client
ABA Model Rule 1.15 / state trust-accounting rules — Safeguarding client funds
ABA Formal Opinion 483 — Lawyers' obligations after an electronic data breach
FinCEN advisory FIN-2016-A003 — BEC fraud schemes
FBI IC3 / Financial Fraud Kill Chain

Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.

Related playbooks

Trust-account / IOLTA wire fraud

What to do, in order.

The questions you'll be asked.

What the rules say.

Business email compromise — impersonation

Cyber insurance, LPL, and bar-counsel response

Outside Counsel Guidelines / client security-audit failure