Email remains one of the most common pathways for payment redirection fraud, particularly where a cybercriminal gains access to a client or law firm email account and inserts false bank details into an otherwise genuine matter. The most effective practical safeguard is simple: before money is paid, the bank details must be verbally verified using a trusted, independently sourced telephone number.
Why this risk matters
The anatomy of the email fraud is always the same. There is an active legal matter, an email appears to provide or change account details, and the recipient acts on that email without fully verifying the information. In one LPLC claim example, a Victorian law firm distributed more than $400,000 in estate funds to accounts controlled by cybercriminals after a compromised client email account was used to send false details.
These frauds are not confined to one practice area or one type of transaction. The LPLC data shows the risk arising across practice areas and where clients make payments into trust. Data on business email compromise confirms that criminals commonly target routine payment workflows because they can exploit trust, urgency and familiarity.
How the fraud works
Business email compromise usually does not begin with an obviously suspicious message. Instead, the attacker may gain access to a real mailbox, monitor communications, wait for a transaction involving money, and then send payment instructions that look entirely consistent with the matter. In some cases, the fraudster uses the actual compromised account; in others, the email address is altered so slightly that the change is easy to miss in a busy practice. See LPLC article 'Defending against sophisticated cyber scams'.
There are two common variants of this attack vector. In the first, the law practice receives false instructions and pays money to the wrong account. In the second, the client receives false instructions appearing to come from the firm and pays funds to the fraudster rather than to the firm trust account.
Both scenarios are dangerous because the email may fit seamlessly into the existing correspondence trail. A reply may arrive at exactly the right time, refer to the correct matter, and appear to come from a known person. That appearance of legitimacy is precisely what makes email-only verification unsafe.
Why email cannot verify payment instructions
Email is useful for communication, but it is not a reliable standalone method for authenticating bank account details. The Australian Cyber Security Centre warns that business email compromise can involve compromised accounts, spoofed messages and altered payment details, all of which can make fraudulent instructions appear genuine.
The call-before-you-pay rule
Call-before-you-pay is an effective cyber mitigation strategy when undertaken correctly. While the specific process will vary across law practices and workflows, any approach to the call-before-you-pay process should include the following:
- Any instruction to pay money, transfer money, or change bank account details should trigger a mandatory verbal verification step.
- The person making the payment, or authorising it, should call the client, colleague or third party using a telephone number obtained from a trusted source already on file, not from the email that provided the payment instructions.
- During the call, the bank details should be read out and read back in full, including the BSB and account number. The caller should then compare those details against the written instructions and make a clear file note recording who was called, which number was used, the time of the call, and exactly what details were confirmed.
- The person who verbally verified the banking details should be the person who undertakes the transaction. Confirmation of the verification should not be emailed to another person to undertake the transaction as this places the process back into the electronic domain where cybercriminals may be able to change the details.
This procedure should apply regardless of whether the payment is being made by the law practice or by the client. If the firm is paying settlement proceeds, estate funds or trust money, staff must call before paying. If the client is transferring money to the firm, the client should be told from the outset that they must call and confirm the trust account details before making any payment.
LPLC analysis notes that there are several points of failure in the call-before-you-pay process.
- Relying on contact details in the fraudulent email: The person who is about to make the transaction calls the recipient on the telephone number contained in the fraudulent email. This call is answered by the criminal, who confirms that the (criminal's) account details are correct.
- Account details are not recited: The firm does make a call, but the caller fails to read out the account details and have them confirmed back. Merely confirming that a transfer was proceeding is not enough. The control only works when the actual BSB and account number are independently checked.
- The person verifying does not make the transaction: The firm correctly verifies the account details; however, the person making the call then emails a different person to make the transaction. Because the cyber-criminal is in the firm’s email system, the details in the email are changed and the payment is made into the criminal’s account.
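The procedure above and the three failure points can be expressed as a single pre-payment control check. The following is an added example, not LPLC's code or any practice-management product's; the record fields, names and sample numbers are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


def normalise(value: str) -> str:
    return re.sub(r"[\s-]", "", value)  # so '063-000' and '063 000' compare equal

@dataclass
class PaymentInstruction:
    emailed_bsb: str             # details as they arrived by email (untrusted)
    emailed_account: str
    phone_in_email: str | None   # number quoted in the email itself (untrusted)
    phone_on_file: str | None    # number already held in the firm's records (trusted)

@dataclass
class CallRecord:
    phone_dialled: str
    bsb_read_back: str | None      # None if the BSB was not recited on the call
    account_read_back: str | None  # None if the account number was not recited
    verified_by: str
    transacted_by: str
    file_note_made: bool

def control_failures(req: PaymentInstruction, call: CallRecord) -> list[str]:
    """Return the control breaches for one payment; an empty list means it may proceed."""
    failures = []
    dialled = normalise(call.phone_dialled)
    if req.phone_on_file is None or dialled != normalise(req.phone_on_file):
        if req.phone_in_email and dialled == normalise(req.phone_in_email):
            failures.append("phone number taken from the instructing email")
        else:
            failures.append("phone number not from a trusted source on file")
    if call.bsb_read_back is None or call.account_read_back is None:
        failures.append("BSB and account number not read out and read back")
    elif (normalise(call.bsb_read_back) != normalise(req.emailed_bsb)
          or normalise(call.account_read_back) != normalise(req.emailed_account)):
        failures.append("details confirmed on the call differ from the emailed instructions")
    if call.verified_by != call.transacted_by:
        failures.append("person making the payment is not the person who verified")
    if not call.file_note_made:
        failures.append("no file note recording the call")
    return failures

if __name__ == "__main__":
    # Constructed sample data: the email quotes its own number; the firm's file holds another.
    instruction = PaymentInstruction("063-000", "1234 5678", "0400 000 001", "03 9000 0000")
    good = CallRecord("03 9000 0000", "063000", "12345678", "ana", "ana", True)
    bad = CallRecord("0400000001", None, None, "ana", "ben", False)
    for rec in (good, bad):
        print(control_failures(instruction, rec))
```

The second sample record reproduces all three LPLC failure points at once (number taken from the email, details not recited, verifier and payer different) and the check reports each of them separately.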
What firms should tell clients
Client education is a critical part of the control. LPLC data shows that many fraud incidents involve clients being tricked into paying money to a fraudster’s account rather than to the law practice, often because the fraudulent email arrives at a time when the client is expecting to transfer funds.
For that reason, firms should warn clients at the start of every relevant matter that bank details should never be accepted or changed by email alone. Clients should be told that if they receive payment instructions by email, or any message stating that account details have changed, they must stop and call the firm on a known number before transferring any money. Better still, law firms should generally avoid changing trust account details. If a change is unavoidable, law firms should use an alternative to email to inform clients of the new trust account details, such as a posted or hand-delivered letter.
The warning about email fraud should not be limited to one conversation. It is better reinforced through engagement letters, matter-opening correspondence, email signature banners, website guidance and repeated reminders at the point funds are likely to be transferred. Repetition matters because fraud succeeds when a person acts quickly on a familiar-looking message without pausing to verify it.
Your money transfer policy - what staff procedures should require
A law practice should have a written office policy that no email instruction for the payment of money is actioned until verbal verification has occurred. That policy should apply to trust account transfers, settlement proceeds, estate distributions, cheque banking instructions, refunds, third-party payments and any request to alter existing account details.
The policy should also make clear that a partial check is not enough. It is not sufficient to call and ask whether “the email was sent” or whether “the payment is going ahead”. The caller must verify the actual banking details, because that is the information the fraudster changes.
Staff should also be trained not to rely on follow-up emails as proof that verification has occurred. Past LPLC claims show that confirming emails can themselves be sent fraudulently by a cybercriminal impersonating a staff member or client. A file note and a culture of checking are far more reliable than assumptions based on the email trail.
Supporting cyber controls
Calling before paying is an essential payment control, but it should sit alongside broader cyber-security measures. The Australian Cyber Security Centre advises businesses to secure email systems and implement multifactor authentication to reduce the risk of account compromise, which is often the starting point for business email compromise.
When expected money does not arrive
If the firm expects a client EFT and the money does not arrive, staff should not assume the funds are merely delayed in transit. Delay can be a warning sign that the client has paid money to the wrong account after acting on a fraudulent email.
In that situation, the safer course is to check immediately with the client whether payment has been made and which account details were used. If fraud is suspected, urgently contact the transferring bank and the receiving bank, because recovery prospects diminish quickly once funds are moved on.
Tips
- Never rely on emails or attachments providing bank account numbers.
- All firms should have a procedure requiring staff transferring money to always call before they pay to check account numbers by reading them out and back.
- On every matter, clients should be warned to always call to check account numbers in the same way before transferring money.
- All staff should be trained in and understand the importance of reading out and reading back bank account numbers.
- Go to lplc.com.au/cyber for more information about cyber security for lawyers.
- For more information, our call-before-you-pay email banner, and our printable poster, see Cyber fraud - don't fall for it!