- Policies and premiums
- About LPLC
Don’t fall for fakes1 March, 2016
Practitioners need to be wary of increasingly sophisticated scams.
The LPLC is often asked if scams targeted at legal practitioners have resulted in claims. Unfortunately, the answer is yes.
Most practitioners will be familiar with advance fee fraud or so-called Nigerian scams, involving an unsolicited invitation to pay money in advance to assist another party secure a benefit they offer to share, which is fictitious. Many practitioners have also been targeted by bad cheque scams where a practitioner is asked by a purportedly new, typically foreign-based client to receive a cheque payment on the client’s behalf regarding a matter in the practitioner’s jurisdiction. The client then requests that the funds be disbursed urgently before the practitioner is able to establish that the cheque is a fake.
However, below are two recent examples of practitioners being caught by more sophisticated scams.
One claim resulted from a lawyer receiving instructions from a client’s email account that had been hacked.
The practitioner, who was acting on the sale of the client’s residential property, emailed a deposit release statement to the client, who signed and returned it with his bank account details for payment of the balance of the deposit and net proceeds of sale. A few weeks later, the practitioner emailed the client advising the balance of the deposit had been received and would soon be available for release.
At least some of the email correspondence was intercepted by a hacker. A week later, the practitioner received an email from what appeared to be the client, directing payment of the balance of the deposit into a different bank account. Later that day, the practitioner received a further email from the hacker, asking for the payment to be re-directed into yet another Australian account. The practitioner paid the balance of the deposit into the account.
Three weeks before settlement, the hacker emailed the practitioner requesting that the net proceeds of sale be paid into the “client’s” South African business account. A second South African account was subsequently nominated. The numerous changes to payment details and use of the North American spelling “check” and phrase “closing date” should have been red flags to the practitioner. The salutation, sign-off, sentence structure and font used by the hacker also differed slightly from the actual client’s emails.
Settlement proceeded and the practitioner sent the funds to the South African account. When the client called the practitioner the following day enquiring about the progress of settlement, the fraud was discovered and the payment was stopped. However, the client was unable to recover the balance of the deposit that was paid into the Australian account nominated by the hacker.
The LPLC is also aware of at least one instance of a hacker sending emails purportedly from a practitioner to a client with bank account details for a money transfer. As the transfer related specifically to a transaction in progress, it can be inferred that either the practitioner or the client’s email account was compromised.
Fake law firms
The UK and Australia have experienced frauds where either a false firm has been used or the fraudsters have pretended to be an existing firm. In many instances, while the letterheads of the firms looked legitimate there were tell-tale signs that they were not. There were subtle mistakes like misspelling the name of the town or not including a landline telephone number. The Solicitors Regulation Authority in the UK has written a warning notice on the issue called “Bogus law firms and identity theft” which has some useful steps to take to protect against these frauds.
Vishing is another type of scam used against lawyers. The term has been coined to refer to the use of voice technology, often telephones, to trick someone into revealing information. It is a close cousin to phishing which is the use of false emails to illicit information.
In a recent example fraudsters phoned a UK sole practitioner purporting to be members of the security team of the practitioner’s bank. They said the practitioner’s trust account had been compromised and she should call the bank’s helpline on the back of her card.
The practitioner immediately phoned the number. Unfortunately for her, landlines in the UK – as in Australia – have a delay before calls are cleared. The fraudsters were still on the line, continued to impersonate bank staff, and informed the practitioner that the bank would call her the next day to facilitate transfer of the money into “safe” accounts.
The fraudsters called the practitioner with details of new accounts and she subsequently transferred £734,000 of client money into those accounts. Most of the money had been withdrawn by the fraudsters by the time the practitioner became suspicious.
Be alert to potential red flags for fraudulent emails such as:
- incorrect phrasing, spelling or grammar
- someone avoiding communication other than by email
- unexplained urgency and client’s willingness to accept shortcuts
- requests for payment to a third party or offshore account
- unexpected changes to payment details
- the sender or email address does not seem right, such as a free email service when the client is a business
- the factors listed in the SRA Warning notice Bogus law firms and identity theft.
Consult an IT expert to ensure you have taken appropriate steps to protect your systems from cyber attacks.