August 10, 2022

Business Email Compromise Tricks Calgary Law Firm

ALIA is cautioning Subscribers to be alert to Business Email Compromise (“BEC”), a form of social engineering, after a Calgary firm sent more than $200,000 of client funds to fraudulent bank accounts. BEC is a cybercrime designed to gain access to critical business information and/or to extract money through email-based fraud. 


The scam involved a criminal impersonating a home builder through a slightly modified email address (also known as email spoofing), convincing the firm to redirect payments to be made to the builder.


The fraudulent instructions were emailed to the firm less than half an hour after the firm received initial payment instructions from the real builder. The criminal requested the builder’s “international account” be used because the initial bank account was unavailable. When the firm indicated it could not wire the funds, instructions for another bank account were provided. The bank advised that this account was not in the name of the builder, but the criminal convinced the firm it was the builder’s subsidiary.


A couple of days later, the criminal, again impersonating the builder through email, instructed that another client’s funds be sent to a second account at a different bank. This time, the account was in the name of a logistics company.


The fraud came to light when the builder contacted the firm to inquire about the missing funds.


ALIA strongly recommends that Subscribers discourage or eliminate accepting banking details or wire transfer instructions via email. Subscribers should confirm with their clients that email should not be used to communicate banking instructions or changes unless they are confirmed by telephone via a known number, video conference, or, if possible, in person. Payment instructions from other parties should also be verified with them (or their counsel, as appropriate) using similar verification processes. Taking these steps is an effective tool to prevent BEC.

Changes in banking instructions should be an immediate and major red flag. Other red flags, in this case, include the fact that multiple bank accounts were involved, one with a different name and an international account.


In the first email to the law firm, the criminal contacted a firm employee. Training to recognize red flags and detect scams is important not only for Subscribers, but also for legal assistants, paralegals, and other employees, who are often on the frontline in receiving initial contact from clients and fraudsters.


For more information on recognizing BEC tactics and how to protect yourself from cyberattacks, visit the Canadian Centre for Cyber Security, Royal Canadian Mounted Police and the FBI.


ALIA remains grateful to Alberta lawyers and firms for their continued reports of potentially fraudulent activities and for keeping us on our toes.


ALIA does not provide legal advice. ALIAdvisory notices, ALIAlerts and the content on ALIA’s website, notices, blogs, correspondence and any other communications are provided for general information purposes only and do not constitute legal or other professional advice or an opinion of any kind. This information is not a replacement for specific legal advice and does not create a solicitor-client relationship.

ALIA may provide links to third-party websites. Links are provided for convenience only; ALIA does not vet or endorse the information contained in linked websites or guarantee its accuracy, timeliness or fitness for a particular purpose.

If you believe you have been targeted by potentially fraudulent activity, please contact ALIAlert.