Key Takeaways
- A Palm Beach real‑estate law firm, Rabideau Klein, lost $17.3 million from its escrow account in a single cyber‑attack in January.
- The firm recovered $10.7 million but is suing First Horizon Bank for the remaining $6.5 million plus interest, alleging negligence, breach of contract, and violations of state fund‑transfer law.
- The lawsuit claims that a “threat actor” gained unauthorized access to the firm’s online banking, reset passwords, created a new user ID, disabled legitimate accounts, and obtained a new RSA security token through social‑engineered phone calls.
- First Horizon allegedly ignored numerous red flags—such as mismatched pronouns during verification and sudden password changes—allowing 13 unauthorized wire transfers to proceed.
- The bank, which acquired the account through a series of mergers (Lydian Private Bank → Iberiabank → First Horizon), is among the 40 largest U.S. insured banks with over $80 billion in assets.
Background of the Firm and the Account
Rabideau Klein is a prominent Palm Beach real‑estate law practice that handles multimillion‑dollar transactions for some of the area’s wealthiest clients. The firm opened its escrow account with the bank when it was still a branch of Lydian Private Bank; after subsequent mergers, First Horizon assumed control in 2020 following its acquisition of Iberiabank. The account routinely held client funds awaiting closing, making it an attractive target for cyber‑criminals seeking large, quickly moveable sums.
The Cyber‑Attack Unfolds
In the early morning of a January Thursday, more than $17 million vanished from the escrow account. Investigators later determined that an unknown third‑party “threat actor” had infiltrated the firm’s online banking portal hosted by First Horizon. The actor changed passwords, created a new user ID tied to the account, disabled existing legitimate user accounts, and even persuaded a bank representative to issue a replacement RSA security token by impersonating attorney Guy Rabideau.
Social‑Engineering and Bank‑Provided Information
During the fraudulent password‑reset call, the threat actor claimed to be Rabideau and said he needed a new security token. When the bank employee asked for an account or card number, the impostor replied with “their” instead of “my,” a subtle linguistic cue that went unnoticed. Despite this red flag, the representative supplied the attacker with Guy Rabideau’s user ID, which the actor then used to reset the login credentials and gain full control of the account.
Unauthorized Wire Transfers and Ignored Alerts
With full access, the threat actor initiated 13 unauthorized wire transfers, moving the escrow funds out of the account in rapid succession. The lawsuit alleges that First Horizon failed to act on numerous glaring warning signs—such as sudden password changes, the creation of a new user ID, the disabling of legitimate accounts, and the odd phrasing during verification—that should have alerted even minimally attentive bank personnel to an ongoing attack. By ignoring these signals, the bank allegedly enabled the fraud to proceed unchecked.
Financial Impact and Recovery Efforts
Rabideau Klein managed to recover $10.7 million of the stolen sum through its own internal efforts and cooperation with law enforcement, but approximately $6.5 million remains outstanding. The firm is now seeking restitution from First Horizon, requesting the return of the missing funds plus accrued interest, arguing that the bank’s negligence directly caused the loss.
Legal Claims Against First Horizon
The lawsuit asserts three primary causes of action: violation of Florida statutes governing electronic fund transfers, breach of the banking services contract, and negligence in safeguarding the firm’s account. Rabideau Klein contends that the bank’s failures—ranging from inadequate authentication procedures to inadequate monitoring of suspicious activity—constitute a breach of its duty to protect client funds. The complaint further uses vivid language, claiming the bank “put a bullseye on the law firm, handed these bad actors a bow with arrows, and then watched as the arrows struck [the firm] in rapid succession without taking any action to stop the attack.”
Responses and Ongoing Developments
As of the filing, Rabideau Klein’s counsel, Anthony Yanez of Hodgson Russ, declined to comment on the litigation, and a spokesperson for First Horizon did not respond to requests for a statement. The silence from both parties leaves the factual dispute to be resolved in court, where the firm will need to demonstrate that the bank’s shortcomings were the proximate cause of the fraudulent transfers.
Broader Implications for Banking Security
The case highlights vulnerabilities in the authentication and fraud‑detection processes of even large, well‑capitalized banks. Despite First Horizon’s status as one of the 40 largest U.S. insured banks with over $80 billion in assets, the incident shows that reliance on knowledge‑based verification (e.g., asking for an account number) can be thwarted by simple social‑engineering tactics. The outcome may prompt other financial institutions to tighten multi‑factor authentication, improve call‑center verification scripts, and implement real‑time anomaly detection for high‑value accounts, especially those holding escrow or client trust funds.