The Alberta Lawyers Insurance Association (ALIA) has continued to receive reports from Alberta lawyers of attempted theft of trust monies (or money to be deposited into trust) through hacking of lawyer and client email accounts.
In the most recent reported case, a law firm was holding money in its trust account from the sale by their client of some property, to be applied against the subsequent purchase of another property by their client. Excess trust funds would then be returned to the client. The firm and the client had been communicating by email about the money in trust. When the closing date neared, it appears a hacker began communicating with the law firm in the guise of the client, and requested excess funds be transferred to a third-party account for an investment by the client. The new emails appeared to continue to come from the client, even continuing to copy the client’s husband’s email address. The attempted fraud was discovered when the lawyer contacted the client by phone to ask about the transfer.
A recurring theme in these cases is that, whether it is the client’s email or the lawyer’s email that has been hacked, the hackers appear to monitor the email communications and then insert themselves into the email chain close to the time funds are to be transferred, in an attempt to divert the funds, whether the transfer is from the lawyer’s trust account or from the client.
In the case above, the attempt to divert the funds was made to the law firm by the hacker pretending to be the client. In another recent case, the request to divert the funds was made to the client and its bank from a hacker pretending to be the lawyer.
In either case, the result can be a loss of the client’s money. ALIA again urges Alberta lawyers to confirm transfers of trust funds with the client in person or over the phone, not by email, as explained below. If both the lawyer and the client avoid transfers that are not so confirmed, this kind of loss should be avoidable.
ALIA’s indemnity program covers participating lawyers against negligence and misappropriation in accordance with the terms of the policy, but it does not currently provide coverage against cybercrime or social engineering fraud. If you wish to purchase additional coverage, please refer to our November 2018 ALIAdvisory for more details. It is important to note that such coverage will not cover all cases of such loss; in particular, it may not cover situations where the funds were not lost through the lawyer erroneously transferring them. Lawyers should consider the exact terms of the coverage they have purchased or are considering purchasing, and not assume that cyber coverage will cover every case involving social engineering or similar fraud.
Protect yourself from fraud
To help prevent loss from phishing/hacking attempts, be sure to follow these best practices:
- Any change in banking instructions should be an immediate and major red flag. It is rare to recover funds once disbursed, even in cases of fraud.
- Discourage/eliminate the provision or acceptance of banking details or wire transfer instructions via email.
- If banking instructions must be received by email, you MUST confirm such details, especially any change in banking instructions, with the other party by telephone using confirmed contact information before disbursing monies (i.e. do not use contact information received via email).
- Consider that emails received from a potential fraudster may appear to be identical to the legitimate email address. While you should keep an eye out for inconsistencies that may indicate a fraudulent email (for example, an email address slightly different from the known email address, details within email that are inconsistent with the file, poor grammar, spelling and formatting errors, unexpected foreign address, contact information that does not match client file records), do not assume that a fraudulent email can always be identified in this manner.
- If a party’s email is hacked, stop corresponding with that party by email until their email is confirmed to be secure.
- If your law firm is the party that was hacked, immediately contact your IT professional and stop using email until your IT professional advises otherwise.
- If you or your law firm receive any request to handle a legal matter from a client who is from out of the country, consider the possibility that a fraudster is at work. To help protect yourself, follow these Client Identification and Verification Rules before taking on anyone as client.
Other ways to protect yourself from fraudulent emails include:
- Check embedded hyperlinks by hovering your mouse over the link to verify that the actual destination address matches the address shown in the text.
- Be wary of clicking on any attachments or links; they may contain viruses, malware or spyware.
- Protect your computer with active and updated anti-virus software, spyware filters, email filters and firewall programs.
- Keep your operating system and software up to date.
- Make regular back-ups of important files.
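Two of the checks above can be partly automated before a human picks up the phone: comparing the sender address against the addresses recorded on the client file (including lookalike spellings such as "rn" for "m"), and checking whether a link's visible text matches where it actually points. The following is an added example written for this page, not ALIA's own tooling. It assumes the firm keeps the client's known addresses on file (KNOWN_CONTACTS below is a constructed record) and that incoming mail is available as raw message text; the two sample messages are constructed for illustration. It produces warnings only; the telephone confirmation using contact details on file remains the control that actually stops the transfer.

```python
import re
from typing import Optional
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed file record: addresses the client gave at intake (hypothetical).
KNOWN_CONTACTS = {"jane.doe@example.com", "john.doe@example.com"}

# Words that usually accompany a change of banking instructions.
BANKING_TERMS = re.compile(
    r"\b(wire|transit|swift|iban|routing|account number|new account|"
    r"bank details|banking instructions)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(addr: str) -> str:
    """Fold common visual confusables so 'rn' vs 'm' and '0' vs 'o' compare equal."""
    addr = addr.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        addr = addr.replace(fake, real)
    return addr


def lookalike_of(addr: str, known: set) -> Optional[str]:
    """Return the known address this one resembles (within 2 edits), if any."""
    if addr in known:
        return None
    n = normalise(addr)
    for k in known:
        if edit_distance(n, normalise(k)) <= 2:
            return k
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs; the 'hover over the link' check in code."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def review_message(raw: str, known: set = KNOWN_CONTACTS) -> list:
    """Return a list of warning strings for one raw email; empty means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known:
        match = lookalike_of(sender, known)
        findings.append(f"lookalike sender: {sender} resembles {match}" if match
                        else f"sender not on file: {sender}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To differs from From: {reply_to}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if BANKING_TERMS.search(text):
        findings.append("message contains banking instructions: confirm by phone using the number on file")
    if body and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            if "." in shown and host_of(shown) != host_of(href):
                findings.append(f"link text {shown!r} actually points at {host_of(href)}")
    return findings


# Constructed sample modelled on the case described above (not a real message).
SAMPLE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.investments@mail.example.net
To: lawyer@lawfirm.example.ca
Subject: Re: Sale proceeds - excess funds
Content-Type: text/html; charset="utf-8"

<p>Please wire the excess funds to my new investment account.
Bank details: transit 00123, account number 4455667.</p>
<p>Confirm at <a href="http://login.example.net/verify">https://lawfirm.example.ca/confirm</a></p>
"""

if __name__ == "__main__":
    for finding in review_message(SAMPLE):
        print("WARNING:", finding)
```

Run against the constructed sample, the script flags the lookalike domain (exarnple.com), the mismatched Reply-To, the banking instructions, and the link whose visible text names the firm's own site while its href points elsewhere. A message from an address on file with no banking content produces no warnings, which is exactly why the phone call is still required: a hacked but genuine client mailbox passes every check here.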