Cyber security breach – claims caused by fake client email

29 June, 2017

It is no longer safe practice to transfer money to a client’s account based only on email instructions from your client. Always verify email instructions from a client, especially if it involves handling money, by confirming the details orally with the client.


LPLC has received four notifications in the last two years, one only last week, where fraudsters sent emails to law firms purporting to be from their clients. The emails directed the firms to pay money into bank accounts that turned out to belong to the fraudsters, not the clients.

These emails are becoming increasingly convincing. In the most recent example the fraudster had hacked into either the practitioner's or the client's email system and knew exactly what was happening on the matter.

The fraudster sent a very convincing email asking for the money to be sent to the client's bank account instead of by cheque, as she was 'too busy' to bank the cheque. The email address looked legitimate, even when hovering the mouse over it, and the wording and sign-off were consistent with previous legitimate emails.


Risk management

The weakest link in the cyber security chain is each one of us. To avoid falling for these elaborate scams, there are things firms and every staff member can do.

Firms should:

  • Implement a protocol of always confirming orally with clients any email direction to pay money, using telephone numbers already known for the client (not numbers supplied in the email itself).
  • Regularly raise cyber security issues and information with all staff.
  • Keep all of the software on your computer up to date by ensuring all updates and security patches are installed. Make sure you get an alert from your software vendors when they release updates, then install them promptly.

Every staff member should:

  • Read the material in the cyber security section of our website, especially our Key risk checklist: Cyber security.
  • Stop and think before sending client money, and follow the protocol.
  • Use strong, unique passwords for each device, change them at least every 12 months and keep them secure. Use a minimum of eight characters containing uppercase and lowercase letters, numbers and symbols.

What to do if you are duped into transferring money

  • Immediately contact your bank and the bank of the receiving account and endeavour to freeze the fraudster’s account (like you would do if your credit card was stolen).
  • Notify the police and the Australian Cybercrime Online Reporting Network at www.acorn.gov.au.
  • Where applicable, contact the other side of the transaction if you think there is any step they might be able to take to prevent a loss from arising.
  • Investigate the problem – engage an IT consultant to secure your system and find out where and how the breach occurred, including whether any data has been stolen. Most commonly someone's email password will have been compromised, so the account's sign-in records should be analysed to see where the email account was recently accessed from.
  • Change your email password immediately even if your IT consultant can’t find any evidence your system was compromised.
  • Inform the client what has happened and what is being done to investigate and rectify the situation.
  • Recommend to all email account holders that have the potential to be the source of the compromise that they change their password.
  • If trust money has been lost, notify the Victorian Legal Services Board and Commissioner of any trust account irregularity under section 154 of the Uniform Law.
  • Notify LPLC of the risk of a claim.
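The investigation step above asks that sign-in records be analysed to see where a mailbox was recently accessed from. The following is an added example (not LPLC's or the original alert's code) of that check: it reads sign-in records in an assumed whitespace-separated form, flags accesses from an address or country the practitioner does not normally use, and marks which of them fell in the period before the fraudulent payment email was sent. The log lines and the baseline addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample mailbox sign-in log (not real data): time, account, source IP, country.
SAMPLE_LOG = """\
2017-06-19T08:55:12 jsmith@example-law.test 203.0.113.10 AU
2017-06-19T17:02:44 jsmith@example-law.test 203.0.113.10 AU
2017-06-20T02:13:09 jsmith@example-law.test 198.51.100.77 NG
2017-06-20T09:01:30 jsmith@example-law.test 203.0.113.10 AU
2017-06-21T03:40:51 jsmith@example-law.test 198.51.100.77 NG
"""

# Assumed baseline: addresses and countries the account is normally used from.
KNOWN_IPS = {"203.0.113.10"}
KNOWN_COUNTRIES = {"AU"}


def parse_log(text):
    """Parse whitespace-separated sign-in lines into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country = line.split()
        records.append({"time": datetime.fromisoformat(ts), "account": account,
                        "ip": ip, "country": country})
    return records


def suspicious_logins(records, fraud_email_time_iso, window_hours=48):
    """Flag sign-ins from an unfamiliar IP or country and note whether each one
    happened in the window before the fraudulent email was sent, i.e. when the
    attacker was likely reading the mailbox to learn the state of the matter."""
    fraud_time = datetime.fromisoformat(fraud_email_time_iso)
    window_start = fraud_time - timedelta(hours=window_hours)
    flagged = []
    for rec in records:
        reasons = []
        if rec["ip"] not in KNOWN_IPS:
            reasons.append("new_ip")
        if rec["country"] not in KNOWN_COUNTRIES:
            reasons.append("new_country")
        if reasons:
            in_window = window_start <= rec["time"] <= fraud_time
            flagged.append({**rec, "reasons": reasons, "before_fraud_email": in_window})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_logins(parse_log(SAMPLE_LOG), "2017-06-20T10:00:00"):
        print(hit["time"], hit["ip"], hit["country"], hit["reasons"], hit["before_fraud_email"])
```

Real mail platforms export sign-in logs in their own formats, so the parser would need adjusting; the comparison against a known-location baseline and the fraud-email time window is the part that carries over.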

For more information on these issues, see a recent FBI report on Business Email Compromise.