Skip to main content

The following article discusses security concerns in relation to receiving payment instructions via email.

You are handling a property settlement for a vendor and receive a bank cheque at settlement made payable to the client for the net proceeds of sale.

You send an email to the client confirming settlement and advising that you are holding a bank cheque for the client. You receive an email reply asking you to deposit the bank cheque into the client’s bank account with the BSB and account number included.

What do you do?

You’ve heard about business email compromise before – it’s been all over the news, including the recent case involving a former MasterChef contestant who had $250,000 diverted from a settlement because of a conveyancer’s compromised email account. But those things happen to other people, it wouldn’t happen to you, right?


No one is immune from these scams. They’re happening to law firms with increasing regularity and practitioners are continuing to fall for it.

Last week LPLC received three notifications from practitioners falling victim to a business email scam. Each case involved different techniques used by fraudsters but all of them involved compromised email accounts being used to send bogus email instructions for the payment of money.

In the case above, a close examination of the email instructions would have revealed a cleverly-disguised discrepancy in the email address – the ‘m’ in the client’s name had been replaced with ‘rn’ making it difficult to tell it was not from the client.

No one at the firm detected the difference. Plenty of practitioners would not have picked this up in a busy legal practice. But the firm did not have a policy requiring all email instructions for the payment of money to be double-checked by a telephone call to the client. Instead, the email instruction was accepted at face value and a clerk was sent down to the local branch to bank the cheque for some hundreds of thousands of dollars into the specified account.

The bank teller obligingly processed the deposit and the fraudster received the money.

Clearly this case involved a bank error in negotiating the bank cheque into an account which didn’t match the cheque payee name. The bank promptly recompensed the client for its mistake.

However, it was a close shave for the firm, and they have now updated their internal office policy to implement LPLC’s 5-step process in relation to any email instructions for transfers of money.

Consider also how easy it was for the cyber-thief – no guns, no balaclava, no getaway car required – just an email to a law firm and a bank teller asleep at the wheel to complete the heist.

Please help LPLC to spread the message around the profession that all email instructions for the payment of money must be verified before being acted upon. Get on the telephone to the client and check email instructions – every client, every time.