The following is an excerpt from a fraud alert recently posted to the Law Society of British Columbia, with a scenario that could also threaten Nova Scotia lawyers:
“Two BC law firms, one in BC’s interior and one in downtown Vancouver, have recently fallen victim to sophisticated social engineering frauds involving millions of dollars. One firm redirected over half a million dollars in sale proceeds that it was holding in trust for a real estate client. The firm’s original instructions were received in-person, from the client. Before wiring the funds to the client as originally instructed, the firm received an email, purportedly from the client but in fact from the fraudster, directing that the funds be wired to a different account. The client never received the funds as the lawyer sent the funds to the fraudster’s account. In this case, the email address used by the fraudster was identical to that used by the client.
The second firm redirected over 1.5 million dollars in investment funds it was holding in trust for a corporate client raising capital in a securities transaction. The firm originally received payment instructions from the corporate client. As in the first fraud, before wiring the funds to the client, the firm received an email, purportedly from the client but that was actually from the fraudster, directing that the funds be wired to a different bank account. The funds were sent to the fraudster and not received by the client. In this case, the email address used by the fraudster was identical to that used by the client, except for one letter.
Protect yourself from liability.
Any time a payment of trust funds is imminent, assume that a hacker is also aware. Any client’s or lawyer’s email account can get hacked allowing a fraudster to perpetrate a social engineering fraud on the lawyer. Establish due diligence protocols for transferring funds and ensure all staff receive training and adhere to them.“
As we’ve warned in the past, we bring this to your attention for several reasons. First, and we do not want to scare you, but you should take appropriate steps to confirm, perhaps by phone, that emailed fund transfer instructions you receive from a client, especially if they seem odd or are significantly different from your original instructions, (which could include a wire transfer to a foreign country) are correct. Second, social engineering fraud is not part of the cyber coverage we offer in our policy. In the similar cases, coverage has been denied by a cyber insurer when the lawyer/firm did not have the social engineering rider on its commercial cyber policy. Third, depending on the facts, there may not be coverage for such a fraud under the professional liability part of your insurance policy either. Accordingly, a lawyer falling victim to such a fraud who lacks appropriate insurance coverage could be in the position of having to reimburse their trust account for the loss.
Where possible, use the Large Value Transfer System (LVTS), an electronic funds transfer system that allows large payments to be exchanged securely and immediately.
For tips to avoid being victimized, visit the Fraud section on lians.ca. To report or seek advice on dealing with fraud and scam attempts, contact Cynthia Nield at cnield@lians.ca or 902 423 1300, x346.