Funds Transfer Fraud Alert
About to pay out trust funds? Stop and read this first!
CLIA Subscriber jurisdictions and our partners continue to see claims involving hacked emails. This is also known as social engineering - where fraudulent electronic communications or websites designed to impersonate you or your firm cause you damage. Review this recent BC example involving a multi-million dollar funds transfer fraud and the steps you should take to verify fund transfer instructions to avoid being victim to a similar scam:
Recently, a BC law firm was tricked into sending over $4 million dollars by wire transfer to fraudsters. The firm was acting for a lender in a commercial financing transaction for a property development. The scammers had already obtained access to the lender firm’s email and inserted themselves into email communications, impersonating the borrower’s lawyer. The scammers sent fraudulent wire instructions requesting that the funds be paid to an account with a numbered company as the account holder. The firm then wired the funds. Unfortunately, the lender’s lawyer did not phone the developer’s lawyer to verify the payment instructions. That step would have prevented the fraud from progressing. The fraudster also used their access to the email account to intercept communications, causing further delay with the intention of moving as much of the money as possible to other accounts before the scam was detected.
Although the firm acted quickly when the fraud was discovered and reported it immediately to the bank, it remains to be seen how much of the money can be recovered.
What can you do?
Verify Instructions:
Have a firm-wide protocol in place that requires a change in payment instructions – even from the lawyer handling the file – to be confirm verbally with the lawyer handling the file and verbally with the client. Any time you are transferring trust funds, you must verify emailed instructions through direct phone or in-person contact.
You must initiate the phone contact with your client, the bank, or another lawyer or notary, in-person or by using the original phone number in the file or from a reliable directory.
Do not rely on a party calling you to confirm instructions. That call is likely to come from the fraudster.
Never use the contact information provided in the instructing email.
Education:
Employees continue to be the most exploitable element of organizational security in Canada. Therefore, it is imperative that employees receive awareness training. The training is not prescriptive and can take any form, including law society courses, or in-house training, that would qualify as training. For example, see the Law Society of Manitoba’s Cyber Security webpage for a comprehensive collection of resources. The following training has been approved by the cyber insurer and is available on the CLIA website:
An Introduction to Cyber Security
Some other useful resources to help recognize and avoid social engineering scams include:
Deceptive and Manipulative: Social Engineering Techniques (Office of the Privacy Commissioner of Canada)
Social Engineering: How Cyber Scams Trick Us (Government of Canada)
Episode #34: Social Engineering (Technology Practice Tips Podcast, Law Society of Ontario)
Other Social Engineering Scams, Including Phony Change in Payment Instructions (Lawyers Indemnity Fund)