Urgent Fraud Alert and Guidance from LIANS’ Director, Lawrence Rubin

Due to the significant increase in fund transfer frauds, an issue we have previously discussed, we are sending this notice to all practicing members.

Recently this program came very close to sustaining a loss of over $700,000 because of one such fraud. These losses, or potential losses, are preventable by you exercising appropriate due diligence when disbursing funds to clients.

The facts in our matter are quite simple. But it is important to appreciate that the targets of these frauds are anyone who is obliged to deliver funds to another. In the case of lawyers, those delivering the proceeds of a personal injury resolution, a commercial transaction or a property sale to their client are all targets.

In our matter, the lawyer was acting on the sale of a property. Throughout, the lawyer and their paralegal were communicating with the client at an email address that resembles this: XXX@xxxrealestate. A couple days before the closing, the lawyer received new banking instructions from the client. A client changing banking instructions a couple days before a closing is a red flag that should be questioned. And what the lawyer did not notice was that this email came from XXX@xxxrealetsate. Now take a good look at those two email addresses. Though subtly different, on a quick look the difference is easy to miss. But once you reply to that different address – as our lawyer did – you are no longer communicating with your client. You are communicating with the fraudster.

The fraudster’s request to change the banking instruction included this:

                        Could you please arrange to the payout…to be made via direct deposit or EFT instead of by cheque? This is due to an ongoing tax audit involving our check clearing house.

I will challenge anyone to tell me what that means. Especially given how cheque clearing works in Canada, a topic we have previously presented on. If nothing else, such a non-sensical statement should be enough of a red flag.

In any event, an email conversation between the lawyer and the fraudster (appearing as the client payee) then ensued and the fraudster provided the lawyer with their bank’s direct deposit form that included their account number and an image of a void cheque.

Though the name of the account holder on the form and the cheque image was that of the actual client, and though the account information on the form was the same as that on the cheque image, it was evident from the image that the transit and account information were altered. They were not in the usual cheque account number font even though the institution number was. This too was missed.

After closing, our lawyer issued a cheque from their trust account and took it and the deposit information form they had received with the void cheque – and remember this was now provided by the fraudster – to the payee’s bank for deposit. It is at this point we probably get lucky because the lawyer deposited the cheque at the teller counter. Which means the teller deposited the cheque into the account number on the form that the fraudster provided. Which means the teller should have seen that the name of the account holder they were depositing the cheque to was not the payee indicated on the cheque.

A week or so later the lawyer got a call from the payee bank asking about the deposit. It was evident to the lawyer that the bank had discovered something odd related to the deposit though he did not know what that was. But shortly thereafter when it became apparent that his actual client did not have the funds the lawyer put us on notice.

Fortunately, about a month later, the funds were returned to the lawyer’s trust account. What we do not know is whether those funds were reversed in time through the clearing process before the fraudster withdrew them, or if the funds were returned by the payee bank who took the loss. If it was the bank, one factor is what was noted above, that the teller depositing the cheque should have noticed when they deposited the cheque that (i) the name of the payee and the account information were different, and (ii) the altered transit number placed the branch in Ontario, not Halifax, which was the address on the cheque for the actual client. Another factor is that shortly after the deposit was made, something caused a fraud alert at the payee bank, which alert precipitated the call to the lawyer.

Our being lucky is not because the funds were returned meaning we did not have to pay this claim. We were lucky, we think, because the teller who deposited the cheque should have noted the discrepancies or the fraud alert within the bank was not acted on soon enough. Our argument would have been that these were sufficient intervening events such that it negated the error of the lawyer – our insured – not seeing the discrepancies at first instance. An argument that if we had to go that route likely would have taken some time with the actual client caught in the middle.

But make no mistake. The discrepancies evident in the banking information provided by the fraudster to the lawyer at first instance are discrepancies you should see and for which you must be on high alert whenever banking information is changed by email. Or at all. We cannot rely on there being an intervening act of a third party to avoid these claims. Consider this – what if the cheque was mailed or deposited through an ATM or the fraudster sends a courier to pick it up such that there is no intervening event. We rely on you to prevent these events from happening.

What follows is a short list of things you must do to verify all payment instructions, especially when payment instructions are changed prior to closing or delivery of funds. You must:

1. Always call your client to verify payment instructions using a trusted number, which is to say the phone number in your file that you received from the client when you opened the file;

2. Never email a client, opposing counsel or any other party to verify payment instructions;

3. Implement a funds transfer protocol to be used in all cases, no matter the amount. An example of one such protocol is the checklist prepared by the B.C. Lawyers Indemnity Fund;

4. Break the email chain. The person verifying banking information should never accept or send an email confirming payment instructions have been verified because fraudsters can impersonate lawyers and staff alike. If there is a fraud happening, the email purportedly from the lawyer, their assistant or the client confirming the verification will be from the fraudster;

5. Never use the contact information provided in the instructing or confirming email because a fraudulent email will always contain a fraudulent phone number;

6. Educate yourself and your staff about preventing and detecting cyber and social engineering fraud; and

7. Read LIANSwers and the notices and fraud alerts we send out. It is because not everyone reads LIANSwers where we often talk about these issues that we decided to send this note to all members individually.