Hacked Email Fraud Alert
CLIA Subscriber jurisdictions continue to see claims involving hacked emails. This is a form of social engineering, where fraudulent electronic communications or websites designed to impersonate you or your firm cause you damage. In a recent example, a hacked email from a lawyer in the firm provided instructions for funds to be paid to a bank in another jurisdiction rather than to the local financial institution on file:
The insured acted for the seller in the sale of farmland. The purchase price of nearly $400K was paid to the firm’s trust account. The firm had a void cheque from the client to a local credit union, which was the basis for the client’s payment instructions.
Unfortunately, the lawyer’s email account was hacked and the hacker was able to see the details of the client’s farmland sale in his email account. The hacker, using the lawyer’s actual email account, sent an email to the real estate assistant with a change in the payment instructions to a small bank in another jurisdiction.
The real estate assistant checked to make sure that this was a real bank but did not confirm the change in payment instructions with the lawyer handling the matter or with the client. The real estate assistant and the hacker posing as the lawyer had a brief email exchange. The real estate assistant made arrangements to wire the money to this account.
It took a few days for everyone to realize that the client had not received the funds in his account; only then did it become clear that a fraud had occurred.
The most important aspect of this type of fraud is prevention. As we noted in our previous post, Fraud Alert Roundup, any time you are transferring trust funds, by any means, in any kind of legal matter, you are at risk and must verify emailed instructions. Educate your staff about frauds and the importance of verifying client wire instructions, especially if they come by email.
Verify Instructions:
Have a firm-wide protocol in place that requires a change in payment instructions – even one that appears to come from the lawyer handling the file – to be confirmed verbally with the lawyer handling the file and verbally with the client. Any time you are transferring trust funds, you must verify emailed instructions through direct phone or in-person contact.
You must initiate the phone contact with your client, the bank, or another lawyer or notary, in-person or by using the original phone number in the file or from a reliable directory.
Do not rely on a party calling you to confirm instructions. That call is likely to come from the fraudster.
Never use the contact information provided in the instructing email.
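The release gate described above, expressed as a check a firm could run before any trust-fund wire goes out. This is an added illustration, not CLIA's or any firm's code; the data classes, the `number_source` values and the farmland-sale sample record are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Verification:
    party: str             # "lawyer" or "client"
    channel: str           # "phone" or "in_person"
    initiated_by_firm: bool  # False if the other party called us
    number_source: str     # "file", "directory" or "email" (where the contact info came from)

@dataclass
class WireRequest:
    matter: str
    bank_on_file: str      # institution from the client's void cheque / file
    bank_requested: str    # institution named in the (possibly hacked) email
    verifications: List[Verification] = field(default_factory=list)

def instructions_changed(req: WireRequest) -> bool:
    return req.bank_requested != req.bank_on_file

def counts_as_verification(v: Verification) -> bool:
    # Only a firm-initiated call or in-person contact, using a number from the
    # file or a reliable directory, satisfies the protocol. An inbound call or a
    # number taken from the instructing email does not.
    return (v.channel in ("phone", "in_person")
            and v.initiated_by_firm
            and v.number_source in ("file", "directory"))

def may_release_funds(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). A change needs BOTH the lawyer and the client confirmed."""
    if not instructions_changed(req):
        return True, []
    confirmed = {v.party for v in req.verifications if counts_as_verification(v)}
    reasons = [f"no firm-initiated verbal confirmation from {p} via a number on file"
               for p in ("lawyer", "client") if p not in confirmed]
    return not reasons, reasons

# Constructed sample mirroring the farmland sale: the email changed the bank and the
# assistant only checked that the new bank exists, which is not a verification.
FARMLAND_SALE = WireRequest(
    matter="farmland sale (constructed)",
    bank_on_file="Local Credit Union",
    bank_requested="Small Out-of-Province Bank",
)

if __name__ == "__main__":
    print(may_release_funds(FARMLAND_SALE))  # blocked: no lawyer or client confirmation
```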
Education:
Some useful resources to help recognize and avoid social engineering scams include:
Deceptive and Manipulative: Social Engineering Techniques (Office of the Privacy Commissioner of Canada)
Social Engineering: How Cyber Scams Trick Us (Government of Canada)
Episode #34: Social Engineering (Technology Practice Tips Podcast, Law Society of Ontario)
Other Social Engineering Scams, Including Phony Change in Payment Instructions (Lawyers Indemnity Fund)