The following is an edited version of a fraud incident alert that the B.C. indemnity fund recently sent its insured lawyers. These incidents continue to occur everywhere. Preventing them requires diligence on your part whenever funds are being transferred.
About to pay out trust funds? STOP. Recently, a BC law firm was tricked into wiring over $4 million to fraudsters. The firm was acting for a lender in a commercial financing transaction for a property development. The scammers had already gained access to the lender firm's email account and inserted themselves into the email thread, impersonating the borrower's (the developer's) lawyer. They sent fraudulent wire instructions directing that the funds be paid to an account held by a numbered company, and the firm wired the funds. The lender's lawyer did not phone the developer's lawyer to verify the payment instructions; that one call would have stopped the fraud. The fraudsters also used their access to the email account to intercept and delay follow-up communications, buying time to move as much of the money as possible into other accounts before the scam was detected.
Although the firm acted quickly when the fraud was discovered and reported it immediately to the bank, it remains to be seen how much of the money can be recovered.
What can you do? Before paying out funds in any matter, verify that instructions received by email (even if "confirmed" by letter!) are legitimate through direct phone or in-person contact with the party who is supposed to have given them. If the instructions are from your client, contact your client directly using the number originally recorded on the file, or in person. If the instructions come from a bank or another law firm, call to confirm them using the number on your file or one taken from a reliable directory. Never use contact information supplied in the instructing email or confirming letter: a fraudster who wrote the instructions will happily answer the number they gave you. Implement a firm-wide protocol requiring a verification phone call on every payment of trust funds.
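The protocol above can be written down as a release gate that a practice-management or trust-accounting system enforces before a wire is keyed in. The Python below is an added example, not code from the original alert or from LIANS; the counterparty names, addresses and phone numbers are constructed, and the scenario mirrors the incident described above: the instructions come from the real (compromised) mailbox of the borrower's lawyer, so the sender address checks out, but the payee is a numbered company and the email supplies its own callback number.

```python
from dataclasses import dataclass


@dataclass
class WireInstruction:
    sender_email: str      # address the instructions arrived from
    beneficiary_name: str  # account holder named in the instructions
    phone_in_email: str    # callback number the email invites you to use


@dataclass
class FileRecord:
    """What the firm already knows, recorded when the file was opened."""
    expected_email: str
    expected_beneficiary: str
    phone_on_file: str


@dataclass
class Verification:
    method: str          # "phone", "in_person" or "email"
    number_source: str   # where the dialled number came from: "file", "directory" or "email"
    number_dialled: str  # empty for in-person verification


def release_checks(instr: WireInstruction, rec: FileRecord, ver: Verification) -> list[str]:
    """Return every reason the payment must not be released; an empty list means release."""
    problems = []
    if instr.sender_email.casefold() != rec.expected_email.casefold():
        problems.append(f"instructions came from {instr.sender_email}, not the address on file")
    if instr.beneficiary_name.casefold() != rec.expected_beneficiary.casefold():
        problems.append(f"beneficiary '{instr.beneficiary_name}' is not the party on file "
                        f"('{rec.expected_beneficiary}')")
    if ver.method == "in_person":
        pass  # direct contact with the instructing party is acceptable
    elif ver.method == "phone":
        # A number that only the email supplied is worthless, even if labelled "from file".
        from_email = ver.number_dialled == instr.phone_in_email and ver.number_dialled != rec.phone_on_file
        if ver.number_source not in ("file", "directory") or from_email:
            problems.append("callback used the number supplied in the instructing email "
                            "rather than the file or a reliable directory")
    else:
        problems.append(f"verification by {ver.method} is not acceptable; "
                        "a confirming email may itself come from the fraudster")
    return problems


# Constructed scenario (hypothetical names and numbers, not from the original alert).
RECORD = FileRecord("counsel@borrower-law.example", "Harbourview Developments Ltd.", "604-555-0199")
FRAUD = WireInstruction("counsel@borrower-law.example", "1234567 B.C. Ltd.", "604-555-0100")
GENUINE = WireInstruction("counsel@borrower-law.example", "Harbourview Developments Ltd.", "604-555-0199")


def demo():
    """Run the gate three ways: email 'confirmation', callback to the email's number, callback to the file."""
    by_email = release_checks(FRAUD, RECORD, Verification("email", "", ""))
    wrong_number = release_checks(FRAUD, RECORD, Verification("phone", "email", "604-555-0100"))
    verified = release_checks(GENUINE, RECORD, Verification("phone", "file", "604-555-0199"))
    return by_email, wrong_number, verified


if __name__ == "__main__":
    labels = ("verified by email", "called the email's number", "called the number on file")
    for label, result in zip(labels, demo()):
        print(f"{label}: {'RELEASE' if not result else 'HOLD - ' + '; '.join(result)}")
```

The gate deliberately does not trust the sender address alone: in the incident the address was genuine, and only the beneficiary mismatch and the out-of-band call would have caught the fraud. Whoever records the verification has to state where the dialled number came from, which is what turns "I called and confirmed" into something the firm can audit.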
What else can you do? Awareness, vigilance and training are key to cyber security. You should:
- Constantly educate yourself and your staff about preventing and detecting cyber fraud. Have all your staff read the notices we send out.
- Confirm you have a funds transfer verification process in place. Never use the contact information provided in the instructing email (or confirming letter), and review this checklist. If you are not personally making the verification call, review the completed checklist with your assistant in person on every payment, before the funds leave your trust account.
- Do not rely on email to complete the secondary verification. As we have seen, an email purportedly from your assistant confirming that verification has been completed may actually come from the fraudster, who is reading and writing from inside a compromised mailbox.
- Make your computer network as secure as you can. Ask your IT professional to test regularly for vulnerabilities and discuss security measures with them, including:
- Multi-factor authentication – Require a second, independent factor (an authenticator app or hardware security key is stronger than a code sent by text message) to sign in to email and the firm network, so that a stolen or phished password alone does not give a criminal access. Account takeover of the kind described above is exactly what MFA is meant to stop.
- Routine backups – Back up your systems regularly to a location that is kept offline or otherwise isolated from your network, so that an intruder (or ransomware) on the network cannot reach the backups, and test that you can actually restore from them.
- Email security – Email is the single most targeted point of entry into an organization for a criminal hacker. Talk to your IT professional(s) or your cyber insurer about SPF, DKIM and DMARC, which let receiving mail servers reject messages forged in your domain's name, and about an anti-phishing solution. Note that these records do not help when, as in the incident above, the fraudster sends from a genuine mailbox they have taken over; multi-factor authentication and monitoring of sign-ins and mailbox rules are the controls for that.
- Password management – Use a strong, unique password for each account and never share passwords with anyone. Change a password immediately if you suspect it has been exposed; routine forced rotation is no longer recommended, because it tends to produce weaker, predictable passwords. A password manager is what makes unique passwords practical; encourage employees to use one.
- Ensure that your firm has network security and privacy liability insurance. Beyond the financial coverage, the specialized guidance an insurer provides in the immediate aftermath of a security or privacy breach can be invaluable, because the experience is frightening and the first hours matter.
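Your IT professional can check the three email-authentication records in a minute, and the same check is worth repeating after any change to your mail provider. The Python below is an added example, not part of the original alert; it queries no DNS and instead assesses two sets of constructed TXT records for hypothetical domains (the DKIM key shown is a placeholder). It shows what "hardened" looks like beside the weak settings most often found: SPF ending in `~all`, a missing DKIM selector, and DMARC left at `p=none`, which only reports and never blocks.

```python
# Constructed TXT records for two hypothetical domains; nothing here is looked up online.
HARDENED = {
    "lawfirm.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.lawfirm.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholder"],
    "_dmarc.lawfirm.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@lawfirm.example; adkim=s; aspf=s"],
}
WEAK = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def txt(records, name, prefix):
    """Return the first TXT record at `name` whose value starts with `prefix`, or None."""
    return next((r for r in records.get(name, []) if r.lower().startswith(prefix)), None)


def tags(record):
    """Parse 'k=v; k=v' records (DKIM and DMARC share this syntax) into a dict."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)


def spf_findings(record):
    if record is None:
        return ["no SPF record: any server may claim to send for this domain"]
    mechs = record.split()[1:]
    terminal = mechs[-1] if mechs else ""
    if terminal in ("+all", "all"):
        return ["SPF ends in +all, which authorises every sender on the internet"]
    if terminal == "~all":
        return ["SPF ends in ~all (softfail); use -all so forged mail is rejected"]
    if terminal != "-all":
        return ["SPF has no terminal 'all' mechanism; unlisted senders are neither passed nor failed"]
    return []


def dkim_findings(records, domain, selectors):
    out = []
    for s in selectors:
        rec = txt(records, f"{s}._domainkey.{domain}", "v=dkim1")
        if rec is None:
            out.append(f"no DKIM key published at selector '{s}'")
        elif not tags(rec).get("p"):
            out.append(f"DKIM selector '{s}' publishes an empty key (revoked)")
    return out


def dmarc_findings(record):
    if record is None:
        return ["no DMARC record: receivers have no policy to apply to mail that fails SPF/DKIM"]
    t = tags(record)
    out = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        out.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        out.append(f"unrecognised DMARC policy {policy!r}")
    if "rua" not in t:
        out.append("no rua address: nobody receives aggregate reports of abuse of the domain")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        out.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return out


def assess(records, domain, selectors=("selector1",)):
    """Return findings per mechanism; an all-empty result means the domain is properly protected."""
    return {
        "spf": spf_findings(txt(records, domain, "v=spf1")),
        "dkim": dkim_findings(records, domain, selectors),
        "dmarc": dmarc_findings(txt(records, f"_dmarc.{domain}", "v=dmarc1")),
    }


if __name__ == "__main__":
    for name, recs in (("lawfirm.example", HARDENED), ("weak.example", WEAK)):
        print(name, assess(recs, name))
```

The selector names are whatever your mail provider assigned (the `selector1` here is an assumption), so ask your IT professional which ones are in use. Moving DMARC from `p=none` to `p=reject` is the step that actually stops forged mail reaching your clients and counterparties; do it only after the reports show every legitimate sending service is covered by SPF or DKIM.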
It is not our intention to scare you out of completing a transaction and sending your client their funds, though let's be honest: when an insurer writes about risk management, that can be the effect.
But the reality is that every lawyer who does any transactional work has to be alive to the possibility of a fraudster inserting themselves into the transaction. This is the world we live in. For all the good technology does and has to offer, the same technology facilitates these frauds.
If you think you have been a victim of a funds transfer fraud, you should:
- Immediately notify your bank of the fraud and ask it to recall the wire; recovery depends on the funds still sitting in the receiving account, so every hour counts;
- Contact your IT department and cyber insurer to make sure the fraudster is not still in your systems: reset the credentials of any compromised account, sign out its active sessions, and look for mailbox rules or forwarding the fraudster may have set up to keep reading, diverting or hiding mail; and
- Report any potential loss of client trust funds to the Society and to LIANS.
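One concrete thing to ask IT for when checking that the fraudster is gone is a review of every mailbox rule in the firm. Criminals who take over a mailbox routinely add rules that forward mail about payments to an outside address, delete it, or file it in a folder nobody opens, which is how they intercept the replies that would otherwise expose them. The Python below is an added example, not from the original alert; it runs over a constructed export of rules whose field names are an assumption (real admin consoles export their own formats) and flags the ones that both touch money-related mail and hide or exfiltrate it.

```python
INTERNAL_DOMAINS = {"lawfirm.example"}  # assumed firm domain
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
MONEY_TERMS = {"wire", "payment", "invoice", "transfer", "instruction",
               "trust", "verif", "confirm", "bank"}

# Constructed rule export (the shape is assumed; real tools use their own field names).
RULES = [
    {"mailbox": "partner@lawfirm.example", "name": "Wire notices", "enabled": True,
     "conditions": {"subject_contains": ["wire", "payment instructions"]},
     "actions": {"forward_to": ["m.collector@freemail.example"], "delete": True}},
    {"mailbox": "partner@lawfirm.example", "name": "Bar newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@bar-association.example"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "assistant@lawfirm.example", "name": ".", "enabled": True,
     "conditions": {"body_contains": ["verified", "confirm the transfer"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
]


def external(address):
    """True when the address is outside the firm's own domain(s)."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule):
    """Return (hide_reasons, context_reasons): actions that divert or hide mail, and signs it is aimed at money."""
    acts, conds = rule.get("actions", {}), rule.get("conditions", {})
    hide, context = [], []
    ext = [a for a in acts.get("forward_to", []) + acts.get("redirect_to", []) if external(a)]
    if ext:
        hide.append(f"forwards mail outside the firm to {', '.join(ext)}")
    if acts.get("delete"):
        hide.append("deletes matching mail so the owner never sees it")
    folder = acts.get("move_to", "")
    if folder.lower() in HIDING_FOLDERS:
        hide.append(f"moves matching mail to '{folder}', a folder people rarely check")
    if acts.get("mark_read"):
        hide.append("marks mail as read so it never shows as new")
    terms = [t for values in conds.values() for t in values]
    hits = sorted({m for t in terms for m in MONEY_TERMS if m in t.lower()})
    if hits:
        context.append(f"matches financial keywords: {', '.join(hits)}")
    if len(rule.get("name", "").strip()) <= 1:
        context.append("rule name is blank or a single character, a common attacker habit")
    return hide, context


def triage(rules):
    """Flag enabled rules that hide or divert mail and show at least one further sign of abuse."""
    flagged = []
    for r in rules:
        if not r.get("enabled", True):
            continue
        hide, context = triage_rule(r)
        if hide and len(hide) + len(context) >= 2:
            flagged.append((r["mailbox"], r["name"], hide + context))
    return flagged


if __name__ == "__main__":
    for mailbox, name, reasons in triage(RULES):
        print(f"{mailbox}  rule {name!r}")
        for reason in reasons:
            print(f"    - {reason}")
```

A rule that merely files newsletters is left alone; what gets flagged is the combination of a concealing action with a financial trigger or a suspicious name. Any rule that forwards outside the firm deserves a phone call to the mailbox owner regardless of score, and the same review should cover account-level forwarding, which is set separately from inbox rules.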
And we remind you of the requirement in the cyber insurance policy for annual awareness training for lawyers and firm staff. LIANS has circulated resources in the past that may be of use:
Cyber Security and Mandatory Insurance Coverage Message From LIANS
Cyber Security and Mandatory Insurance Coverage (Part 2 & 3)
Finally, remember that if you decide to proceed in any matter, you must always confirm a prospective client's identification in accordance with the Client ID Regulations of the Nova Scotia Barristers' Society. Perform all searches as thoroughly as possible, be vigilant and take your time, and beware of any aggressive urgency on the part of the other parties to complete the transaction. Be cautious with all cheques received, especially if they exceed an agreed-upon amount. If you decide to proceed, go to the bank's own website to verify the branch transit number, address and phone number shown on the cheque, and wait until the bank confirms that the funds are legitimate and safe to withdraw from the deposit. You may also ask that funds be sent through Lynx, the high-value payment system operated by Payments Canada, in which each payment is cleared and then settled in central bank money at the Bank of Canada; once settled, a payment is final and irrevocable. Bear in mind that finality cuts both ways: a wire you send to a fraudster's account is just as final, which is why the verification call must happen before the funds leave your trust account.