Thursday, 12 January 2023
Trust account alert: email scams and cyber fraud
Cyber attacks on law firms are on the increase. The Society reminds members of the need to continually be alert to cyber fraud, and to take extra precautions before transferring funds to external bank accounts.
Members are asked to ensure their IT systems have the appropriate levels of security. In particular, email accounts should be checked for any auto-forwarding rules which may have been created by unauthorised users. This is one way that fraudsters monitor an email account without the staff member being aware. The Society also recommends using two-factor authentication to access emails on different devices.
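One way to run the auto-forwarding check described above across a firm's Office 365 tenant, as an added example that is not part of the Society's notice. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the internal domain list is a placeholder.

```powershell
# Added example, not from the ACT Law Society notice: audit every Exchange Online
# mailbox for inbox rules or mailbox settings that forward, redirect or delete mail.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Placeholder: replace with the firm's own email domain(s)
$internalDomains = @('example.com.au')

function Test-ExternalAddress {
    param([string]$Recipient)
    # Rule recipients look like '"Name" [SMTP:user@domain]' or a bare SMTP address
    if ($Recipient -match '(?i)(?:SMTP:)?([^\s\[\]"<>]+@([^\s\[\]"<>]+))') {
        return ($internalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set through admin tooling rather than a user rule)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox     = $mbx.UserPrincipalName
            Rule        = '(mailbox-level forwarding)'
            Target      = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            DeletesCopy = -not $mbx.DeliverToMailboxAndForward
        }
    }
    # User-created inbox rules, the mechanism the notice describes
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { $_ -and (Test-ExternalAddress "$_") })
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                Rule        = "$($rule.Name) (enabled: $($rule.Enabled))"
                Target      = ($external -join '; ')
                DeletesCopy = [bool]$rule.DeleteMessage
            }
        }
    }
}
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Rules that delete mail are reported even with no external target, because a fraudster monitoring a mailbox often also hides the replies they are impersonating.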
Do not assume that scammers will not target a firm based on the size of that firm. Scammers will attempt to take any amount of money regardless of whether the firm is small or large.
Update 12 January 2023: Be vigilant for micro-transactions
This week, a local law firm lost around $10,000 from their trust account in fraudulent withdrawals.
Over a two hour period, 17 PayPal withdrawals of between $500 and $600 each were made from the firm’s trust account. The firm does not have a PayPal account. It is assumed that a fraudster opened a PayPal account and linked it to the firm’s trust account. It is not known at this stage how the fraudster became aware of the firm’s account details. Importantly, the day before the fraudulent withdrawals, the law firm received two small deposits to their trust account (in the amounts of 0.04 cents and 0.14 cents), which it is now assumed were a test by the fraudster to determine if the account was active.
Law firms should be alert to very small deposits appearing in their bank accounts, and contact their bank immediately. Such micro-deposits may indicate the account is being tested by a fraudster in preparation for withdrawals.
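The micro-deposit pattern described above, as an added detection example that is not part of the Society's notice. It runs over a constructed transaction export; the column names, the sample rows and the thresholds are assumptions to adapt to your bank's format.

```powershell
# Added example, not from the ACT Law Society notice: scan a trust-account transaction
# export for sub-dollar test credits followed within a few days by a burst of debits.
# The CSV layout and the rows below are constructed for illustration; adapt the column
# names to your bank's export format.
$sampleCsv = @'
Date,Description,Amount
2023-01-09,PAYPAL VERIFY,0.04
2023-01-09,PAYPAL VERIFY,0.14
2023-01-10,PAYPAL TRANSFER,-560.00
2023-01-10,PAYPAL TRANSFER,-590.00
2023-01-10,PAYPAL TRANSFER,-540.00
2023-01-11,SETTLEMENT SMITH,125000.00
'@

function Find-MicroDepositPattern {
    param(
        [object[]]$Transactions,
        [decimal]$MaxDeposit = 1.00,     # credits below this are treated as test deposits
        [int]$WindowDays = 3,            # how long after the test deposit to look for debits
        [int]$MinWithdrawals = 3         # debits in the window that make it a likely burst
    )
    $micro = $Transactions | Where-Object { $_.Amount -gt 0 -and $_.Amount -lt $MaxDeposit }
    foreach ($m in $micro) {
        $end   = $m.Date.AddDays($WindowDays)
        $burst = @($Transactions | Where-Object {
            $_.Amount -lt 0 -and $_.Date -ge $m.Date -and $_.Date -le $end })
        [pscustomobject]@{
            MicroDeposit        = $m.Date.ToString('yyyy-MM-dd')
            Amount              = $m.Amount
            Description         = $m.Description
            WithdrawalsInWindow = $burst.Count
            WithdrawnTotal      = ($burst | Measure-Object Amount -Sum).Sum
            Severity            = $(if ($burst.Count -ge $MinWithdrawals) { 'HIGH' } else { 'REVIEW' })
        }
    }
}

# Parse the export into typed rows, then run the check
$rows = $sampleCsv | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{ Date = [datetime]$_.Date; Description = $_.Description; Amount = [decimal]$_.Amount }
}
Find-MicroDepositPattern -Transactions $rows | Format-Table -AutoSize
```

Any sub-dollar credit is reported as at least REVIEW, since the notice's point is to contact the bank before withdrawals start, not after.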
Update 20 December 2022: Phishing scam leads to hijack of firm email
Another law firm was targeted recently with a sophisticated attack involving a phishing email with an HTML attachment that led to a malicious proxy site. This proxy site was almost identical to the user's normal login process, effectively circumventing the multi-factor authentication (MFA) security in place. One of the few visually suspicious elements in the scam was the domain name used on the proxy site's landing page.
Having used this phishing scam to gain access to one of the firm's email accounts, the scammers sent an email to a client purporting to be a normal request for funds, advising of changed bank account details and asking funds to be transferred to this new account. The clients transferred the money to this fraudulent account, resulting in a loss of almost $30,000.
The firm has since upgraded its IT security, including more sophisticated spam filters, an email system which scans emails to identify potentially fake links, and a geo-blocking configuration of Office 365 which prevents any logins from overseas.
It can be very easy for employees to fall for such scams. Members should remind their staff to be extra careful with email attachments, and to err on the side of suspicion.
What should I do if my law firm has been scammed?
As well as contacting your client and any other law firm involved, you should also do the following:
- Immediately contact your bank to notify them. You should have your BSB and Account number ready and also the BSB and Account details of the fraudulent account that funds have been paid into.
- Contact your IT support team to have them investigate if the hack has come from your law firm’s internal IT system, or from a client’s email being hacked.
- Contact your Professional Indemnity Insurance provider.
- Report the incident online using the Australian Cyber Security Centre (ACSC) reporting functionality. Reporting as a business will require you to have your business ABN ready, as well as details of what has occurred. You will receive a ReportCyber receipt and a unique Report Reference Number. The report will be referred to the appropriate police jurisdiction for assessment. Note that the ACSC does not advise on the progress of a report once submitted, as it will be referred directly to police.
- Although your bank will contact the receiving bank, you may also wish to contact the receiving bank directly and provide them the ACSC Report Reference Number.
- If trust money has been lost, contact the ACT Law Society on 6274 0300. If outside of business hours, email email@example.com and firstname.lastname@example.org.
Please remember that you, and any staff involved, can also contact our EAP, Acacia Connection, for mental health support at any time. Phone 1300 364 273 (24/7) or visit their website for online options at acaciaconnection.com.
Some earlier attempts in the ACT have also resulted in funds being lost to fraudsters.
Email intercepted and account details changed
A recent attempt to scam trust money in the ACT involved a law firm emailing a PDF document to another law firm. The PDF document had client bank account details on it. The law firm sending the PDF asked the other law firm to phone them to orally verify the bank account details received in the PDF before transferring the funds. The other law firm telephoned as requested, and on reciting the account details they had received, it was identified that the account details were completely different to those originally recorded on the PDF. The PDF document had been manipulated in transmission by an unknown third party. Had it not been for the oral verification, a significant amount of client funds would have been transferred to an unknown third party.
Emailed invoice discovered to be fraudulent
In a different attempt, a Principal received an email request from their Office Manager asking for an invoice (which related to office expenses) to be paid from the trust account. There were various email messages between the law firm staff, and prior to any payment being made, it was identified that the invoice had been fraudulently created.
Email intercepted and phone numbers altered
Law firms should also check that the phone number they are calling to verify bank account details is the correct phone number. In a situation in the ACT, a law firm called the phone number at the bottom of an email, not realising that the phone number had been altered by a third party and they were speaking to the fraudster when they called to check bank account details. Subsequently, funds were transferred to the incorrect bank account and lost.
Scammers are aware that it has become more common for firms to verbally check bank account details before effecting EFTs, and scammers are now altering phone numbers in the email body and/or email signature blocks, and even on invoices and other PDF attachments. Scammers have been known to follow up the conversation with a text message confirming the fraudulent account details. If, after a verbal conversation with a third party, you receive a confirmation via text that seems unusual, that may be an alert that you need to re-check with the other party using a different phone number.
Please ensure that when you call to verify bank account details with a third party that you are confident that the phone number you are calling is correct. This may require you to check law firm contact details on the Society’s “Find a Firm” web page. Interstate law societies also have search features on their websites, or you may search using white pages online or other internet searches.
Legal Aid cyber attack
On Thursday 3 November 2022, Legal Aid ACT was subject to a cyber incident. You can read more on their website.
There are a number of websites that members can access for further information:
- The Australian Government’s Australian Cyber Security Centre (ACSC) provides advice and information about how to protect you, your family and your business online.
- The Professional Indemnity Insurer, Lawcover, provides a significant number of cyber resources on its website.
- Scamwatch is a website run by the Australian Competition and Consumer Commission (ACCC), and provides information to consumers and small businesses about how to recognise, avoid and report scams.