Understanding and Combating Social Engineering

As noted in our recent post, Funds Transfer Fraud Alert, CLIA Subscriber jurisdictions and our partners continue to see claims involving hacked emails. This is also known as social engineering, where fraudulent electronic communications or websites designed to impersonate you or your firm cause you damage.

So what is social engineering and how can we avoid being duped? The Get Cyber Safe campaign from the Government of Canada states:

Social engineering presents realistic messages with urgent requests to trick us into giving away our personal information that scammers can use to commit financial fraud.

As the Lawyers Indemnity Fund notes:

If a fraudster tricks you into willingly paying funds out of trust through the intentional misrepresentation of some material fact, you’ve fallen victim to a “social engineering” fraud. The “bad cheque” scam is one type, but there are others. They often have nothing to do with trying to convince you that real funds have been deposited into trust, but instead involve fraudsters pretending to be an existing client or someone genuinely authorized to give instructions on the client’s behalf.

Common scams include:

  • Phony change in payment instructions; and

  • Phony direction to pay from a senior partner, staff member or other lawyer

See Other Social Engineering Scams, Including Phony Change in Payment Instructions for more details on these scams.

Social engineering tactics include (see the video links below):

You can protect yourself and your firm by slowing down, trusting your instincts and asking questions before acting.

For any change in payment instructions, follow this protocol:

Have a firm-wide protocol in place that requires a change in payment instructions – even from the lawyer handling the file – to be confirmed verbally with the lawyer handling the file and verbally with the client. Any time you are transferring trust funds, you must verify emailed instructions through direct phone or in-person contact.

  • You must initiate the phone contact with your client, the bank, or another lawyer or notary, in person or by using the original phone number in the file or from a reliable directory.

  • Do not rely on a party calling you to confirm instructions. That call is likely to come from the fraudster.

  • Never use the contact information provided in the instructing email.
