Just as you can’t rely on bank account details in external emails from clients and others, it is also risky to rely on payment directions in emails from people within your office without phone verification. A matter recently reported to LPLC highlights the risks in relying solely on emails, particularly in today’s increasingly remote working environment.
The firm was administering a deceased estate and had funds in trust for distribution to beneficiaries.
Unbeknown to the firm, one of its email accounts had been infiltrated by cyber criminals who intercepted email communications between the practitioner and client. They sent bogus emails to the practitioner (from an email address that differed from the client’s by a minor spelling variation) substituting their own bank account details to fraudulently redirect payment of the funds.
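The "minor spelling variation" trick above is one a mail gateway or payment workflow can screen for mechanically. The following is an added example, not code from the LPLC bulletin or the firm involved: it flags an inbound sender address that is within a small edit distance of a known client or staff address without being identical to it. The contact list and sender addresses are constructed samples.

```python
# Added example: screen inbound sender addresses for near-misses of known
# contacts (the lookalike-address pattern). Not from the LPLC bulletin.
from dataclasses import dataclass
from typing import List, Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    sender: str
    lookalike_of: str
    distance: int


def check_sender(sender: str, known_contacts: List[str],
                 max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding when sender is close to, but not identical with, a known contact.

    An exact match returns None: the address is the real one. A compromised
    mailbox still sends from the real address, so this is a screen for the
    lookalike case only, not a substitute for the phone call.
    """
    s = sender.strip().lower()
    best = None
    for contact in known_contacts:
        c = contact.strip().lower()
        if c == s:
            return None
        d = edit_distance(s, c)
        if d <= max_distance and (best is None or d < best.distance):
            best = Finding(sender, contact, d)
    return best


# Constructed sample contact list (hypothetical .test addresses).
KNOWN_CONTACTS = ["jane.smith@example-client.test", "accounts@example-firm.test"]


def screen_messages(senders: List[str]) -> List[Finding]:
    """Apply check_sender to each sender; keep only the flagged ones."""
    return [f for s in senders if (f := check_sender(s, KNOWN_CONTACTS)) is not None]


if __name__ == "__main__":
    samples = ["jane.smiith@example-client.test", "jane.smith@example-client.test", "bob@other.test"]
    for f in screen_messages(samples):
        print(f"HOLD PAYMENT: {f.sender} resembles {f.lookalike_of} (distance {f.distance})")
```

A flagged message should hold the payment for manual verification; a clean result only means the address is not a lookalike, which says nothing about whether the real mailbox has been compromised.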
The firm was aware of cybercrime risks and had implemented various measures to warn clients of the dangers in transmitting bank account details by email, including a policy of calling clients to confirm bank account details that were sent via email.
In this case the cyber criminals also sent a fraudulent internal email purportedly from the practitioner to the accounts manager in the firm requesting the estate money be transferred, and stating that the practitioner had spoken to the client and confirmed the bank account details.
In fact, the practitioner hadn’t confirmed the bank details with the client, and although the practitioner had authorised the distribution of estate funds, the money was transferred by the accounts manager into the cyber criminals’ account rather than the client’s account.
The firm’s normal process would have been for the accounts manager to verify the bank account details before making payment. However, in this case the fraudulent internal email tricked the accounts manager into transferring the money without making that phone call, believing the practitioner had already done this. There was no internal phone call or other conversation between the practitioner and accounts manager in relation to the transfer of what was a substantial sum of money. The process was transacted solely on the basis of email communications.
Risk management lessons
Multifactor authentication (MFA) would most likely have prevented the cyber criminals from getting into the firm’s email system and sending the false emails in the first place. All firms should enable MFA as an additional layer of security for their IT systems.
Importantly, you can’t rely on an email confirmation that verification of bank account details has been done by someone else.
As this case shows, if the cyber criminals are in your email system changing bank account details, they can also be sending false internal emails to your accounts department claiming that bank account details have been confirmed.
LPLC’s risk management advice for all electronic funds transfers to unverified bank accounts is to CALL BEFORE YOU PAY. It is unsafe to rely solely on email directions for EFT payments, whether those directions come from a client externally or from someone inside the firm. Undoubtedly this involves extra work and checking, but in today’s business environment the threat of cybercrime is everywhere, particularly where large sums of money are being moved around.
Different firms will adopt different internal procedures for authorising and verifying EFT payments. How would your firm’s process for confirming payee bank account details stack up in the context of this scenario?
Take time now to formulate, tighten up and clarify your firm’s policy and procedure for ensuring phone verification of bank details occurs in every case.