In the last month or so we have been made aware of three fraud incidents. All three are different but, fortunately, we expect all three to have a happy ending.
But let’s not kid ourselves – you must be alert to the indicia of a fraud and be diligent in your practice and office management lest you yourself fall victim to a fraud scheme of some sort.
- An Old Fashioned Cheque Alteration Fraud (yes, these still happen)
A lawyer issued a trust cheque to their client and sent it by mail. The cheque number was 3875 and the cheque was for a modest $11,000.
On receipt of the usual monthly bank statement, the lawyer’s assistant did her usual reconciliation and noticed a cheque number that the firm had not used yet – let’s call it cheque number 4567. She knew that number could not have been issued because the firm only had cheques printed up to number 4000, so a cheque bearing it was not possible. She immediately called the bank to report the obvious fraud and, as she looked further down the statement, saw six other cheques in the same amount, also with cheque numbers that did not exist – call them numbers 4568 through 4573. All seven of these cheques had cleared the trust account, and each was in the same amount as the properly issued cheque, $11,000.
The trust account was immediately frozen and copies of the seven deposited forgeries were obtained. On reviewing the seven items, it was quickly determined that the originally issued cheque number 3875 had been altered at least seven times, and that the altered items had been deposited electronically (by image) by seven different payees into seven different bank accounts across Canada. The lawyer’s bank has confirmed that the seven altered cheques are frauds and the funds have been returned to the lawyer. The lawyer has opened a new trust account.
The lesson here is obvious. Despite the focus these days on social engineering and cyber frauds, old fashioned cheque alteration frauds still occur. Reconcile your bank statements promptly and diligently: in this case the only thing that caught the fraud was an assistant who knew which cheque numbers the firm actually had and noticed numbers that could not exist.
- Cyber Incident
A Nova Scotia lawyer (“NS”) acting for a local vendor was completing a transaction with a purchaser and their lawyer, both from another province. NS emailed the other lawyer their trust deposit information for the closing proceeds which were to be sent electronically.
Shortly before closing, the purchaser’s lawyer called NS to confirm the banking instructions because he saw that the address for the trust account was in Ontario. Of course NS said that this was not correct, but wondered how it had happened. A deeper dive discovered that the purchaser lawyer’s email had been hacked.
The hacker was intercepting emails to that lawyer and in this case, seeing that a significant amount was about to be transferred, altered the email from NS and sent the altered version on to the purchaser’s lawyer. The altered email changed the banking information and the address it appeared to come from, so that if the recipient lawyer replied to it, the reply would go to the hacker. The alteration to the email address was subtle, as it often is. For example, if the NS lawyer’s proper address was “John@Smith-JonesLaw”, the altered address was “John@Smith_JonesLaw”. The firm logo, address and colour scheme were identical to the original, so on a quick look all would seem fine. Except that when you reply to it, the reply goes to the fraudster. The change of a hyphen to an underscore could easily slip by without diligent review.
When there is a hack like this, the changes to email addresses are very subtle and can be anywhere in the address: a swapped character, a changed letter case, a hyphen for an underscore, a missing or extra letter, or a different domain ending.
The important lesson here is that when the purchaser’s lawyer saw something odd, he acted on it by calling NS. Had he used email, the query would have gone to the hacker, who would have confirmed the banking instructions. The hack would only have been discovered some time later, when NS inquired about the funds. The purchaser’s lawyer would have suffered a multi-million dollar loss, and who knows when the NS lawyer’s vendor client would have received their funds.
And on the subject of a client’s email being hacked and calling clients to confirm instructions, you might want to read the article “Fraud and a Fib” on page 6 of the June 2023 issue of the Law Society of Manitoba’s Communiqué newsletter.
- Phishing Attack Resulting in Law Firm Impersonation
Every now and then we hear that a law firm or lawyer’s email or web presence has been impersonated.
Typical scenarios include a person receiving an email that appears to be from the lawyer or firm when in fact it is not. Often the email looks like it is from the lawyer because the fraudster has copied the lawyer’s or firm’s web presence. It is easy for someone to copy another person’s online presence and send what appears to be a message from that person to an unsuspecting public. Lawyers are not immune to these schemes.
But in the case of a lawyer, if the fraudulent emails are going to existing clients and contacts, something else has likely happened.
And we recently had one of these “something else” scenarios here.
The lawyer received a phishing email, a common form being a notification to retrieve a file from OneDrive. These emails are typically very convincing in appearance and often come from the compromised accounts of clients you have previously emailed, which makes them seem more legitimate. The link in the email was clicked and the user was presented with what looked like the real Microsoft 365 login page. The user entered their email address and password and then approved the MFA prompt on their phone. The user was then logged into, and presented with, their actual Microsoft 365 account. The user might land at the home page of their account or, as was the case here, be presented with a document that does not seem relevant to them, i.e., apparently sent in error. From the user’s perspective, nothing out of the ordinary has happened.
It is what happens in the background that is the problem. This was an adversary-in-the-middle attack: the attacker’s server, sitting at the fake URL the link pointed to, relayed the real Microsoft login page to the user and relayed the user’s keystrokes back to Microsoft. The MFA prompt the user approved was genuine. Because the attacker sat in the middle of that exchange, it captured the username and password and, more importantly, the session token (cookie) that Microsoft issued once MFA had been satisfied. That token was then loaded into a browser on the attacker’s computer. When it was presented from there, the service treated the session as already authenticated, including MFA, and did not ask the attacker to sign in again. Approving a push notification does not protect against this, because the prompt itself was legitimate; it is the token issued afterwards that is stolen and reused.
From there, the attacker used the account to send spam, in the form of further phishing emails, to everyone in the lawyer’s contacts in an attempt to compromise more accounts. Fortunately, there was no indication that anything else happened beyond the spamming.
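The attack described above leaves a characteristic trace: a session that was issued after a genuine MFA prompt from the victim’s device is later presented from a different address with no new prompt. The following is an added example (not from the original article or from any vendor) of how a firm or its IT provider might look for that pattern in sign-in records. The record layout and the `session_id` field are assumptions; which field in a real audit log carries a session identifier depends on the product. The sample records are constructed and use RFC 5737 documentation addresses.

```python
"""Detect session-token replay in sign-in records (added example; not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    ip: str
    session_id: str      # identifier of the session cookie/token presented (assumed field)
    mfa_prompted: bool   # True when the service actually challenged for MFA on this request


def detect_token_replay(
    events: Iterable[SignIn], window: timedelta = timedelta(hours=24)
) -> List[Tuple[str, str, str, str]]:
    """Flag a session whose token is presented from a second IP without a fresh MFA prompt.

    That is what the proxied login produces: MFA was satisfied once, from the victim's
    device, and the token is then replayed from the attacker's machine.
    Returns (user, session_id, original_ip, replaying_ip) for each flagged session.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_session[e.session_id].append(e)

    alerts = []
    for sid, evs in by_session.items():
        origin = evs[0]
        for later in evs[1:]:
            if (later.ip != origin.ip
                    and not later.mfa_prompted
                    and later.when - origin.when <= window):
                alerts.append((later.user, sid, origin.ip, later.ip))
                break  # one alert per session is enough
    return alerts


# Constructed sample records (RFC 5737 documentation addresses, not real traffic).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    # victim authenticates through the proxy: genuine MFA prompt, session S1 issued
    SignIn(T0, "lawyer@firm.example", "203.0.113.10", "S1", mfa_prompted=True),
    SignIn(T0 + timedelta(minutes=5), "lawyer@firm.example", "203.0.113.10", "S1", mfa_prompted=False),
    # the same token shows up from elsewhere, and MFA is not asked for again
    SignIn(T0 + timedelta(minutes=40), "lawyer@firm.example", "198.51.100.7", "S1", mfa_prompted=False),
    # a colleague moving between home and office gets a new session and a new prompt each time
    SignIn(T0, "clerk@firm.example", "192.0.2.20", "S2", mfa_prompted=True),
    SignIn(T0 + timedelta(hours=3), "clerk@firm.example", "192.0.2.21", "S3", mfa_prompted=True),
]

if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE):
        print("possible token replay:", alert)
```

An IP change on its own is not proof of compromise (mobile networks and VPNs change addresses routinely), so in practice this is one signal to combine with others, such as a change of network provider or browser. Detection is also second best: the attack works because approving a push prompt does not bind the sign-in to the genuine site, so phishing-resistant MFA (for example a FIDO2 security key) and prompt revocation of all sessions once a compromise is suspected are the controls that actually stop it.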
If it appears that your online presence has been co-opted, or that people have received emails that appear to be from you but in fact are not, you should immediately check whether your systems have been compromised. Granted, someone could have obtained those names from a bulk email you actually sent, but you should examine your systems in any event.
If what happened is nothing more than someone impersonating your website or you, there might be little you can do beyond sending a notice to your clients.
But it may be more insidious than that.
A reminder: if you receive an email that looks suspicious or just odd, before clicking any links or opening any documents in it, ask yourself whether it was unsolicited. Place your cursor over the sender’s address to see whether that email address matches the name of the sender and the address you have on file. If you receive banking instructions by email, especially changed banking instructions, confirm them with your client by phone using the number in your file, not the number in the suspect email. Most importantly, do not open attachments or links in, or respond to, emails that appear suspicious before doing some due diligence. The risk to you of a privacy breach, a compromised email account and the resulting financial loss far outweighs a little due diligence.
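The hyphen-to-underscore swap in the conveyancing incident above, and the advice here to check the sender’s address against the name shown, are both checks that can be done mechanically. What follows is an added example, not code from the original article, that compares an observed sender address with the address on file, names the exact character changed (including the common lookalike substitutions), confirms that the display name is reflected in the address, and flags a Reply-To that would divert replies elsewhere. The `CONFUSABLE` list is an assumption to be extended for your own mail client and fonts; the sample addresses are the article’s own plus constructed variants, and `.example` is a reserved documentation domain.

```python
"""Sender-address lookalike check (added example; not part of the original article)."""
import difflib
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Character swaps that survive a quick glance. Assumption: a starter list only.
CONFUSABLE = {
    ("-", "_"), ("0", "o"), ("1", "l"), ("1", "i"), ("l", "i"),
    ("rn", "m"), ("vv", "w"), ("5", "s"), ("cl", "d"), (".", "-"),
}


@dataclass
class Verdict:
    trusted: str
    observed: str
    match: bool
    findings: List[str] = field(default_factory=list)


def _normalize(addr: str) -> str:
    # NFKC folds full-width and similar Unicode lookalikes onto ASCII; lower-case because
    # domains are case-insensitive and nearly all mail servers treat local parts that way too.
    return unicodedata.normalize("NFKC", addr.strip()).lower()


def _describe(part: str, a: str, b: str) -> List[str]:
    """Turn a character-level diff of two strings into plain-language findings."""
    out = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        a_seg, b_seg = a[i1:i2], b[j1:j2]
        if tag == "equal":
            continue
        if tag == "replace" and ((a_seg, b_seg) in CONFUSABLE or (b_seg, a_seg) in CONFUSABLE):
            out.append(f"{part}: lookalike swap {a_seg!r} -> {b_seg!r}")
        elif tag == "replace":
            out.append(f"{part}: {a_seg!r} replaced by {b_seg!r}")
        elif tag == "insert":
            out.append(f"{part}: extra {b_seg!r}")
        else:  # delete
            out.append(f"{part}: missing {a_seg!r}")
    return out


def compare_sender(trusted: str, observed: str) -> Verdict:
    """Compare the address on an incoming message with the address on file."""
    v = Verdict(trusted, observed, match=False)
    if trusted == observed:
        v.match = True
        return v
    t, o = _normalize(trusted), _normalize(observed)
    if t == o:
        v.match = True
        v.findings.append("differs only in letter case or Unicode form")
        return v
    if any(ord(ch) > 127 for ch in observed):
        v.findings.append("observed address contains non-ASCII characters")
    t_local, _, t_dom = t.rpartition("@")
    o_local, _, o_dom = o.rpartition("@")
    v.findings += _describe("local part", t_local, o_local)
    v.findings += _describe("domain", t_dom, o_dom)
    return v


def display_name_fits(display_name: str, address: str) -> bool:
    """Does the name shown in the mail client actually appear in the address behind it?"""
    addr = _normalize(address)
    tokens = [t for t in unicodedata.normalize("NFKC", display_name).lower().split() if len(t) >= 3]
    return any(tok in addr for tok in tokens)


def screen_message(trusted: str, from_name: str, from_addr: str,
                   reply_to: Optional[str] = None) -> List[str]:
    """The checks a reader would do by hand, in one call. Returns reasons to pick up the phone."""
    reasons = []
    v = compare_sender(trusted, from_addr)
    if not v.match:
        reasons.append("sender address does not match the address on file")
    reasons += v.findings
    if not display_name_fits(from_name, from_addr):
        reasons.append(f"display name {from_name!r} is not reflected in {from_addr!r}")
    if reply_to and not compare_sender(from_addr, reply_to).match:
        reasons.append(f"replies would go to {reply_to!r}, not back to the sender")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the article's hyphen-to-underscore swap plus two more variants.
    on_file = "John@Smith-JonesLaw"
    for observed in ("John@Smith-JonesLaw", "John@Smith_JonesLaw",
                     "John@Srnith-JonesLaw", "john@smith-joneslaw.example"):
        print(observed, "->", screen_message(on_file, "John Smith", observed) or ["OK"])
```

A non-empty result is not a verdict of fraud; it is the cue to confirm by phone using the number in your file, exactly as the reminder above says. Note that the comparison only helps if the trusted address genuinely comes from your file and not from an earlier message in the same thread, which a hacker may already have altered.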
It is regrettable that, when technology is so pervasive and makes things so efficient, we have to slow everything down because fraud has become rampant. But successful frauds always take advantage of vulnerabilities, and with all the good that has come from technology, it has created vulnerabilities of its own.