Wire transfers are routine in the practice of law, but they have become a prime target for fraud and cyberattacks. Settlement proceeds, business deals, and real estate closings are particularly vulnerable to criminals who exploit urgency and trust. When funds are diverted, the critical question is: Who bears the loss? Does it fall on the lawyer, the bank, or the client? The answer depends not only on ethics rules but also on statutory law, contractual terms, and evolving case law.
There have been many reports of Michigan lawyers falling for wire fraud scams. Consider the family law lawyer whose email account was compromised during a divorce settlement. The lawyer initially received legitimate wire transfer instructions from the opposing counsel, but before the transfer, a hacker infiltrated the lawyer’s email and sent new “updated” wire transfer instructions. Trusting the familiar address, the lawyer initiated the wire without confirming by phone. The funds disappeared into a fraudulent account overseas. In this scenario, the lawyer may have technically been a victim of crime, but ethical analysis asks a different question: Did the lawyer exercise reasonable care in safeguarding client funds? Under MRPC 1.15, fiduciary obligations do not vanish simply because a third party interferes. Failing to adopt verification protocols or secure email practices may convert the lawyer from victim to liable party, with both disciplinary and malpractice consequences.[1]
THE LAWYER’S ETHICAL DUTIES
Safeguarding client funds is among the profession’s most fundamental obligations. MRPC 1.15 requires funds to be safeguarded and promptly delivered. But other rules are just as important:
- MRPC 1.1 (Competence): Competence today includes recognizing technological risks and adopting necessary safeguards.
- MRPC 1.3 (Diligence): The duty of diligence encompasses not only moving cases forward but also diligently protecting client information and acting promptly when problems arise.
- MRPC 1.4 (Communication): Clients should be warned about the risks involved in the wiring of funds and told in advance how instructions will be verified.
- MRPC 1.6 (Confidentiality): Lawyers are required to keep client information confidential. This requirement is broader than attorney-client privilege and extends to client secrets. That means almost every piece of data you collect for a client is confidential and must be protected vigilantly when wiring funds.
- MRPC 5.1 and 5.3 (Supervision): Lawyers are responsible for ensuring that staff and vendors follow security protocols.[2]
MULTIPLE STAKEHOLDERS, OVERLAPPING OBLIGATIONS
The ABA’s recent article “Pass the Electronic Buck: Allocating the Risk of Unauthorized EFTs”[3] underscores that liability for unauthorized transfers is rarely confined to one party. EFTs involve banks, clients, lawyers, and intermediaries, each governed by a patchwork of obligations, including contracts, Article 4A of the UCC, common law duties, and rules of professional responsibility.
This mix creates tension. Banks point to contracts, clients expect protection, and lawyers are caught in the middle. Courts have not settled on a uniform approach, often blending negligence, fiduciary duty, and statutory interpretation when fraud occurs.
One of the ABA article’s central lessons is that contracts matter. Engagement letters can clarify responsibilities and procedures:
- Requiring all wire instructions to be verified by phone using a known number.
- Advising clients in writing that instructions will not change by email.
- Placing the risk of unverified instructions on the party that failed to follow agreed protocols.
In all instances, courts often look to whether the lawyer acted reasonably under the circumstances.
REGULATION E AS A COMPARATIVE FRAMEWORK
Regulation E of the Electronic Fund Transfer Act[4] governs consumer-bank relationships. While not directly on point, as it does not cover lawyer-client relationships, it offers a useful lens for comparison. Regulation E reflects a policy choice that losses from unauthorized electronic transfers should be allocated based primarily on prompt reporting. Once timely notice is given, however, the burden shifts to the bank to investigate and resolve the error.
Lawyers are not covered by Regulation E, but the structure is instructive. The rule emphasizes that responsibility depends less on who committed the fraud and more on whether the parties followed reasonable procedures and acted quickly. For law practice, the parallel is clear: A lawyer who verifies instructions, uses secure communication, and reports problems immediately may be seen as acting reasonably, while a lawyer who fails to adopt such safeguards risks being treated as the responsible party.
PRACTICAL RISK MANAGEMENT
No one can prevent cybercriminals from attempting fraud, but lawyers can control how they respond to the risk. First and foremost, proper cybersecurity protocols should be put in place.[5] As it specifically relates to wire transfers, a plan should be established with at least the following:
Verification protocols
The simplest way to prevent wire fraud is to independently verify the wire transfer instructions. Every wire instruction should be confirmed verbally with the client or opposing counsel using a known, reliable phone number, not one supplied in the email containing the instructions. Law firms should adopt written protocols requiring this step so no staff member feels pressured to shortcut the process during a closing or settlement.
Client education
Clients are often unaware of how common wire fraud has become. From the engagement letter forward, clients should be warned in plain terms: “Wiring instructions will not change by email. If you receive revised instructions electronically, assume they are fraudulent and call us immediately.” Educating clients not only protects them but also demonstrates the lawyer’s compliance with MRPC 1.4’s duty to keep clients informed about significant risks.
Internal controls
Law firms should treat wire transfers with the same seriousness as banks treat large withdrawals. Controls may include dual authorization for any transfer, use of encrypted or secure portals instead of open email, and limits on access to client funds to only those trained in the protocol. Staff must also be trained to recognize phishing and spoofing attempts, with regular testing to ensure compliance.
Incident response
Even the best systems can be breached. Firms should prepare in advance by creating a response plan: Immediately notify the bank and attempt to reverse the wire, inform the client, document the events, and report as appropriate to insurers or disciplinary authorities. Quick action may make the difference between recovery and permanent loss.
Insurance and risk transfer
Standard malpractice policies often exclude or limit coverage for cyber fraud. Firms should carefully review their coverage and consider separate cyber liability policies. Many policies require the firm to have in place written security procedures, training programs, or specific verification steps. A lawyer who neglects these requirements may not only breach ethical duties but also lose the benefit of insurance coverage.
Documented procedures
Risk management is not only about doing the right thing but also about proving it afterward. Written protocols, client acknowledgments, and contemporaneous notes of verification calls can all serve as evidence that the lawyer met professional standards if a dispute arises.
CONCLUSION
Wire fraud has become part of everyday law practice. Lawyers must treat it as both an ethical duty and a risk management priority. The ABA’s analysis makes clear that responsibility is allocated through a combination of ethics, contracts, and statutory frameworks. In this environment, lawyers who proactively educate clients, implement safeguards, and document procedures are protecting client property and their firm.