As part of ALIA’s ongoing efforts to help lawyers protect themselves against fraud, we ask all private practice lawyers to help us and their peers remain vigilant and aware by notifying the profession of attempted frauds against lawyers and firms in Alberta.
We offer this article as an introductory caution to lawyers who are less experienced in cyber protection. Below, you will find a brief summary of the kinds of attempted crimes that Alberta lawyers and firms have shared with ALIA over the past several months.
ALIA also proactively publishes ALIAlerts to warn of specific frauds and scams.
Lawyers as targets
Like banks, law practices hold valuable information and money. Computer systems may contain client information, trade secrets, and intellectual property. Trust accounts often hold large sums of money. A cyber breach or trust account theft harms clients and could potentially cripple a practice reputationally and financially. Security guards, specialized safes, and sophisticated procedures protect banks. What safeguards have you put in place for your practice?
Perceived to be less sophisticated than banks and big companies, lawyers make easy targets for tech-savvy criminals. The payoff, which can include emptying trust accounts and taking advantage of confidential information, is tempting for hackers.
Bad-cheque frauds are continually attempted against Alberta lawyers. While some of the emails are obvious, riddled with typos and suspect fact patterns, others are much more sophisticated, containing smooth language and forged documents.
Bad-cheque fraud occurs when a fraudster, posing as a legitimate client, retains a lawyer on a contrived legal matter. The fraudster may ask for help with collecting a business debt, facilitating a loan, enforcing an agreement against an ex-spouse, or collecting a fee for trademark or copyright infringement. Whatever the legal issue, a common red flag is that the matter must be resolved quickly and with little effort.
A cheque arrives from the (fraudulent) opposing party, and the lawyer deposits the cheque.
The client demands the funds from the cheque be released immediately. The lawyer releases the funds before the cheque clears. The fraudster vanishes into thin air, and the lawyer discovers, too late, that the bad cheque has bounced.
These deceptions can be sophisticated. Fraudsters use realistic-looking fake identification. They will have all the usual supporting documents a real file will have. They will seek to add you on LinkedIn and may appear in your social network as “friends” of people you know. In Canada, there have even been fake websites created to support these frauds. Organized crime is behind some of these frauds, and more money and effort is invested into duping lawyers than ever before.
Spot the red flags
Fraudster clients are often in a rush and pressure you to take shortcuts to get the deal done quickly. They have no issue with paying higher fees. They may use names that do not match their email addresses and often express a preference to communicate only by email. The payment amounts may not match the expected payments, and no explanation is forthcoming. The cheque is drawn from an unrelated party and, in all cases, fraudsters demand that the funds from the cheque be transferred before the cheque clears. Additional red flags can be found on the Law Society of Alberta’s Fraud & Loss Prevention website.
Protect yourself with these tips
Never disburse funds from your trust account until you are sure the incoming funds are real and in your account. Be aware that the bank can reverse a bad cheque, even a certified cheque or bank draft, after any amount of time. Cross-check names online, including LAWPRO’s practicePRO AvoidaClaim.com blog where you can find the names of confirmed fraudsters, and follow these Client Identification and Verification Rules before taking on a client. Look up addresses using Street View in Google Maps, and conduct reverse searches on phone numbers using canada411.ca. And, if you are in doubt, please send an email to the ALIAlert mailbox and we will help you determine if the matter is legitimate.
Email is the most frequent way law firm systems are compromised. This occurs when someone opens an infected attachment, clicks on a link in an email, or responds to a phishing message. Once installed, malware can give hackers access to your system and/or destroy your data. Educate your staff about the dangers of email.
Phishing - don't take the bait
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email. Phishing scams are usually bulk emails sent to large numbers of people. Even if only two or three per cent of recipients fall for them, hundreds or even thousands of people can be victimized.
Phishing messages take the form of an email, allegedly from your bank or another business you know, that suggests your account has been compromised or that a payment is overdue. They will have the same layout, logos, and links as legitimate emails from these companies. They try to create a sense of urgency and ask you to log in to reset your password or verify that a payment was made. However, the link you click takes you to an imposter website that looks much like the familiar company site, and when you log in you are actually giving your password or other personal information to the hackers. They will use your information for malicious purposes such as ID theft or credit card fraud.
Check a link before clicking it by resting your cursor over it. Your email program should show the actual web address, usually at the bottom of the screen. If that address is not familiar to you, the message is likely a phishing attempt.
Spear Phishing - a bait just for you
The “spear” in spear phishing alludes to the fact that messages are targeted to specific individuals. Spear phishing messages are more convincing because they are personally addressed, appear to be from someone you already know, and may include other detailed personalized information. In some cases a phone call will come in as a follow-up to the message. ALIA has seen cases where lawyers in a firm receive emails purportedly from another member of the firm (usually a partner) asking for business development funds and other transfers, on the false pretext that the partner was unavailable to deal with them.
Follow your firm’s processes and procedures for the review and approval of financial transactions, and do not bypass them due to urgent circumstances. Never share confidential client or firm information without being sure it is appropriate to do so by getting confirmation from someone familiar with the file. Be on the lookout for and question any last-minute changes on fund transfers or payments.
Loss of client data on portable devices
Laptops, tablets, and mobile phones may contain confidential and sensitive information. Should a portable device be lost or stolen, client data may go with it. Prevent the intrusion by ensuring all portable devices have a strong password and are encrypted. A good practice is to enable remote wiping so that all data on the device can be erased if it is lost.
Other cyber fraud
There is no end to the efforts and imaginative schemes that hackers will employ to infiltrate law practices. In 2012, a Trojan banker virus infected an Ontario law firm. This virus presented a spoofed version of the website of the firm’s bank on the bookkeeper’s computer, and passwords entered on the fake site were passed on to the hackers, who then used them to wire funds from the firm’s trust account.
ALIA has also recently seen several instances where a fraudster hacks into a client’s or lawyer’s email and surreptitiously monitors emails going back and forth between the lawyer and the client. At the opportune time, usually just before a real estate deal is closing or other funds are to be advanced, the hacker sends an email redirecting where the funds should go. This change of instructions appears to be coming from the client via the client’s email, but if the lawyer follows these instructions, the money goes to the fraudster. Other recent Alberta cases have seen firm emails hacked with fraudulent instructions coming from the lawyer to the client in an attempt to intercept funds being sent to the firm.
Ransomware is another form of attack. It is usually spread by clicking on an infected email attachment or website. That single click launches a virus that encrypts all the data files on a firm’s computers. A message then pops up stating that if you do not pay a certain amount of money within a tight deadline, the files will be destroyed.
Maintaining good tech hygiene requires vigilance, awareness, and regularly following safe computing practices. Passwords should be used at entry points and changed regularly. Poor passwords are one of the main ways hackers gain access to law firms.
Operating systems (Windows, Linux, OS X) and other software should be updated regularly. Once out of date, operating systems are vulnerable, as known weaknesses can be exploited. Firewalls, which protect access to the network, should be turned on. Anti-virus software should be installed and updated. Networks and systems should be checked regularly. Professional IT assistance is encouraged.
The legal profession handles massive amounts of information and money. Cyber criminals continue to find inventive ways to hack in. The need to be vigilant and keep up with technological safeguards is high. Hackers will look for and exploit the weakest link in your systems and hardware.
Be proactive and take the steps discussed here. See the ALIAlert Fraud Alert website for more information on recent fraud activity and tips to keep your professional and personal data safe.
Lawyers are urged to consider buying cyber insurance as part of the overall insurance coverage for their firm or practice. Although insurance may not cover all of the situations described above, it can be an important part of a lawyer’s overall risk management strategy.
More information on the availability of cyber insurance can be