These incidents are increasing, not just in Nova Scotia but everywhere. We have recently been involved with a matter here that we will describe in a later issue of LIANSwers. But for our purposes this month, it is easier to just copy in the notice the BC Lawyers Indemnity Fund recently sent to its insureds:
Three more BC law firms fall victim to funds transfer frauds (March 23, 2023)
“Here are the details:
- Last week a small law firm acted for a borrower in a commercial refinancing transaction and unwittingly paid out over $1.7 million to cybercriminals. He had instructions to clear the existing private lender mortgage on title. He received an email with payment instructions and the payout statement apparently from the lawyer for the lender, but it was actually from the fraudster using a spoofed email address. Apart from the direction to the fraudster’s account, the payout statement was identical to previous, genuine forms and the email address was exactly the same. The lawyer physically attended at his bank to complete the wire transfer of $1.7 million. The teller advised him that the SWIFT Code was missing but that the name of the bank account for the wire transfer was correct; it was in the name of the lender’s law firm. Our lawyer emailed the lender’s lawyer requesting the SWIFT code as he was unable to reach her by phone. The lawyer received an email response with the SWIFT Code (again, from the fraudster) and proceeded to make the wire transfer without verifying the authenticity of the payment instructions. Later that day he realized he’d been defrauded when he received a call from the lender’s lawyer advising that she had not received the funds.
- A medium-sized law firm acted for a client in a commercial litigation matter and inadvertently paid out funds from trust to fraudsters. A settlement was reached and the firm received the settlement proceeds. Unbeknownst to the lawyer or client, a fraudster had already compromised the client’s email. The lawyer received email instructions that appeared to come from her client but was actually the fraudster (again, through a spoofed email address) asking that the settlement funds be sent to a certain bank account by direct deposit. The firm then sent the settlement proceeds to the fraudster’s bank account without making a secondary verification. The fraudster also posed as the lawyer in subsequent email communications with the client, which allowed a delay of several days before the client phoned the lawyer and asked about the missing deposit. Only then was it discovered that the email instructions were fraudulent. Due to quick action, the bank was able to return the money to the lawyer’s trust account.
- At a large Vancouver law firm, a fraudster spoofed an employee’s email address and sent an email to the law firm’s payroll staff requesting that the employee’s automatic payroll deposits from the law firm’s general account be sent to a different bank account. The lawyer and payroll staff just happened to speak directly before the funds were sent to the fraudster, averting the fraud. The law firm has changed its office procedures so that no one will ever rely on email instructions alone for any payment. Someone will either verify instructions in person or by phone.
What can you do? The crux of it is that any time you are transferring trust funds, by any means, you are at risk and must verify emailed instructions through direct phone or in-person contact with the party purporting to provide the instructions. If the instructions appear to come from your client, contact your client in-person or by using the original phone number in the file. Even if the instructions purport to come from a bank, another law firm, or anyone at all, call to confirm that the transfer instructions are legitimate using the number on your file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter). Implement a firm-wide protocol to make a verification phone call on every payment of trust funds.
You can download this checklist and use it for every payment. Find out additional information here about funds transfer frauds, learn the steps you can take to prevent fraudsters from hacking into your systems here and what you can do to avoid cybercrimes hitting your firm. For more tips to help keep you safe, see Real estate transactions – know your client primer (Summer 2021 Benchers’ Bulletin).
If you think you have been a victim of a funds transfer fraud, immediately notify your bank and request a claw-back of the funds. Next, contact your IT department and cyber insurer to ensure the fraudster is not lurking in your system.”
Review the NSBS Regulations made pursuant to the Legal Profession Act, S.N.S 2004, c.28, including 4.12: Cash Transactions; 4.13: Client Identification; and Part 10: Trust Accounts.
Remember that you must always confirm a prospective client’s identification in accordance with the Anti-Money Laundering (Client ID) Regulations of the Nova Scotia Barristers’ Society.
Moreover, you have to be cognizant that coverage under our insurance policy or the cyber policy is dependant on the facts that give rise to the claim. Even in the case of what appear to be similar events, there might be policy coverage for one and not the other, often due to very subtle differences. The best policy you can have to prevent these frauds, and minimize your own personal risk, is your own diligence and internal processes.
LIANSwers v80, March 2023