Friday, 19 November 2021
Trust account alert: email scams and cyber fraud
Cyber attacks on law firms are on the increase. The Society reminds members of the need to continually be alert to cyber fraud, and to take extra precautions before transferring funds to external bank accounts.
Members are asked to ensure their IT systems have the appropriate levels of security. In particular, email accounts should be checked for any auto-forwarding rules which may have been created by unauthorised users. This is one way that fraudsters monitor an email account without the staff member being aware. The Society also recommends using two-factor authentication to access emails on different devices.
What should I do if my law firm has been scammed?
As well as contacting your client and any other law firm involved, you should also do the following:
- Immediately contact your bank to notify them. You should have your BSB and Account number ready and also the BSB and Account details of the fraudulent account that funds have been paid into.
- Contact your IT support team to have them investigate if the hack has come from your law firm’s internal IT system, or from a client’s email being hacked.
- Contact your Professional Indemnity Insurance provider.
- Report the incident online using the Australian Cyber Security Centre (ACSC) reporting functionality. Reporting as a business will require you to have your business ABN ready, as well as details of what has occurred. You will receive a ReportCyber receipt and a unique Report Reference Number. The report will be referred to the appropriate police jurisdiction for assessment. Note that the ACSC does not advise on the progress of a report once submitted, as it will be referred directly to police.
- Although your bank will contact the receiving bank, you may also wish to contact the receiving bank directly and provide them the ACSC Report Reference Number.
- If trust money has been lost, contact the ACT Law Society on 6274 0300. If outside of business hours, email firstname.lastname@example.org and email@example.com.
Please remember that you, and any staff involved, can also contact our EAP, Acacia Connection, for mental health support at any time. Phone 1300 364 273 (24/7) or visit their website for online options at acaciaconnection.com.
Update: Email scam hits ACT law firm last week
Last week an ACT law firm transferred trust money to a fraudulent bank account. The firm had followed the steps to verbally check bank account details, but unfortunately the phone number they called was not the other party’s phone number, but the number of the scammer.
Scammers are aware that it has become more common for firms to verbally check bank account details before effecting EFTs and the scammers are now altering phone numbers in the email body and/or email signature blocks and even on invoices and other PDF attachments.
The scammers have been known to follow up the conversation with a text message confirming the fraudulent account details. If you receive a confirmation via text, after having a verbal conversation with a third party that seems unusual, then that may be an alert that you need to re-check with the other party using a different phone number.
Do not assume that scammers will not target a firm based on the size of that firm. Scammers will attempt to take any amount of money regardless of whether the firm is small or large. In this instance they took over $300,000.
Please ensure that when you call to verify bank account details with a third party that you are confident that the phone number you are calling is correct.
This may require you to check law firm contact details on the Society’s “Find a Firm” web page. Interstate law societies also have search features on their websites, or you may search using white pages online or other internet searches.
Although two earlier attempts in the ACT did not result in funds being lost to fraudsters, it was only due to the ongoing diligence of our members in taking extra precautions before transferring funds to external bank accounts.
Attempt 1: Email intercepted and account details changed
A recent attempt to scam trust money in the ACT involved a law firm emailing a PDF document to another law firm. The PDF document had client bank account details on it. The law firm sending the PDF asked the other law firm to phone them to orally verify the bank account details received in the PDF before transferring the funds. The other law firm telephoned as requested, and on reciting the account details they had received, it was identified that the account details were completely different to those originally recorded on the PDF. The PDF document had been manipulated in transmission by an unknown third party. Had it not been for the oral verification, a significant amount of client funds would have been transferred to an unknown third party.
Attempt 2: Emailed invoice discovered to be fraudulent
In a different attempt, a Principal received an email request from their Office Manager asking for an invoice (which related to office expenses), to be paid from the trust account. There were various email messages between the law firm staff, and prior to any payment being made, it was identified that the invoice was fraudulently created.
Attempt 3: Altered phone number
Law firms should also check that the phone number they are calling to verify bank account details is the correct phone number. In a situation interstate, a law firm called the phone number at the bottom of an email, not realising that the phone number had been altered by a third party and they were speaking to the fraudster when they called to check bank account details. Subsequently, funds were transferred to the incorrect bank account and lost.
In the Spring 2021 edition of Ethos, Jen McMillan, Manager of Lawcover’s Practice Support Services, provided some timely advice on how law firms can minimise their cyber risk by implementing a handful of simple measures. You can read the article online.
There are also a number of websites that members can access for further information:
- The Australian Government’s Australian Cyber Security Centre (ACSC) provides advice and information about how to protect you, your family and your business online.
- The Professional Indemnity Insurer, Lawcover, provide a significant number of cyber resources on their website.
- Scamwatch is a website run by the Australian Competition and Consumer Commission (ACCC), and provides information to consumers and small businesses about how to recognise, avoid and report scams.