Many practitioners who have experienced cyber fraud tell us that they never thought their firm would be a target. The reality is that every firm and practitioner is a potential target of cyber criminals, the sums being stolen are growing, and recovery of those funds is becoming less and less likely.
It is often incorrectly assumed that banks will reimburse practitioners and their clients for money transferred by fraud or mistake. At the time of writing, there is no requirement in Australia for banks to check that funds are going to the correct account by matching the name of the intended recipient against the account number. Banks will try to recover funds, but the speed of electronic funds transfers means there is typically only a small window in which to act before the criminal moves the money on and it becomes unrecoverable. In most cases now notified to LPLC, the fraud is discovered only after this window has closed, and banks are not obliged to reimburse the funds when that happens.
The most frequent cyber claim scenario notified to LPLC results from compromised email accounts: accounts that have been accessed by cyber criminals who impersonate either the client or the firm to redirect a payment to a fraudster's account. We are, however, seeing the focus shift. Instead of the law firm paying money to a fraudster's account, it is now the client who pays funds needed for a transaction, such as a family law settlement or a property purchase, to the fraudster's account instead of to the firm's trust account.
In most of these cases, the fraud is not discovered until it is too late. The practitioner typically checks the trust account and notices that the money has not arrived, but valuable time is then lost while they 'sit tight', give the client more time and do not follow up for several days or longer. Often they assume the funds are still in transit, for example because the money was paid over a weekend or in instalments, or they assume the client has simply not paid on time. Sitting tight and waiting for funds to arrive has become a risky strategy.
To avoid ending up in this situation and facing a time-consuming, stressful and costly cyber fraud incident, here are three basic steps practitioners should take now.
1. Warn your client.
Raise the risk and tell them to always call to verify bank details.
Before clients are required to transfer money, warn them about the risk of email compromise and that they should first call to confirm the bank account details are correct before paying.
At the start of the matter, give the client the firm's bank details in writing and make clear that those details will not change unless you speak to them first, and will never be changed by email alone.
To assist with your cyber warnings to clients, LPLC has a template cyber security client brochure, How to Protect Yourself, and an 'ALWAYS call before you pay' email signature banner as an additional prompt.
Don't leave it to chance. Always give the client clear instructions to call before they pay, be proactive, and keep a record of the warning you gave.
2. Time is of the essence.
If an expected EFT payment hasn’t arrived, don’t assume it’s still in transit. CHECK.
Vigilance is essential when dealing with client money. If you are expecting the client to transfer funds, check your trust account to confirm that the money has arrived. Payment by EFT is quick and can clear the same day. If an expected payment is not in your account, do not assume the funds are still in transit. Be on the front foot and contact the client straight away to confirm that they have made the payment and which account details they used. Make that call on a phone number you already hold for the client, not one taken from a recent email, since a compromised account may have been used to change it. If the client can send you their payment receipt, check that the BSB and account number on the receipt match your trust account details exactly.
If you discover a fraud, immediately contact both the transferring bank and the recipient bank; the sooner they are notified, the better the chance of freezing the funds. LPLC has a reference list of bank contact details and information on how to report cyber fraud to each bank.
3. Prevent email compromise from occurring in the first place.
Secure your systems and email and install multi-factor authentication now.
It continues to be the case that almost all cyber fraud claims notified to LPLC could have been avoided by having multi-factor authentication (MFA) enabled on the firm's business systems and devices. Not using MFA is like leaving the front door of your house unlocked, open and unattended. Without MFA, a cyber criminal who obtains a password can readily get into your email account, sit silently in the background reading your email exchanges, and wait for an opportune moment to impersonate you and trick a client into redirecting funds to their bank account.
MFA is simple to set up and efficient to use. Before granting access to the firm's systems and email, it requires staff to prove their identity with a second factor, such as a code or approval from an authenticator app on a separate device, in addition to their password. It can be configured so that trusted devices do not have to be approved manually at every sign-in. Staff should never approve an MFA prompt for a sign-in they did not initiate themselves; an unexpected prompt is a sign that someone else has the password.
For more information about how to use MFA, the Australian Cyber Security Centre has step-by-step guides on its website for setting up MFA on a variety of platforms, including Microsoft.
For further information on how to help secure your systems and email accounts and stay cyber safe, see LPLC’s Cyber Security Guide for Lawyers and Cyber Resources.