Lawyers have been contacting LIF asking for more details about the recent frauds that hit two BC law firms. Below you will find answers to the common questions we received. The crux of it is that any time you are transferring trust funds, by any means, you are at risk and must verify instructions. Increase your vigilance because cyberattacks exploit the unsuspecting, and the costs can be devastating.
Here are our answers to your questions:
Is a direct deposit of funds, instead of a wire transfer, safe?
No. A funds transfer fraud can happen with a direct deposit just as easily as with a wire transfer. In fact, the first fraud, which involved the lawyer for the purchaser sending over $2 million in a real estate transaction to a fraudster, was a direct deposit of trust funds.
It may be possible to recover funds more easily with a direct deposit than with a wire transfer, but both methods are susceptible to fraud. How soon the fraud is discovered and how quickly the fraudster can withdraw the money are determining factors in the success of the fraud. In either situation, though, the funds were missing from the client’s trust account and unavailable for a period of time.
Have funds transfer frauds only happened with off-shore accounts and foreign banks?
No. In the first fraud all of the banks involved were Canadian banks.
Does the fraud always involve a change of payment instructions?
No. Earlier frauds involved a change of instructions, but recent frauds have not. In two of our claims, the fraudster hacked an email account to provide initial fraudulent payment instructions.
In a change of instructions, the fraudster may change the name of the payee, but even if not, the reasons given for the change can be plausible and very convincing. It’s the fraudster’s “job” to do whatever is necessary to get you to pay, so don’t rely on spotting obvious red flags. Any payment instructions received by email, even if confirmed in a letter or by a phone message left at your office, should be verified by a phone call that you place yourself. If the instructions turn out to be legitimate, the person emailing them will likely appreciate your vigilance.
Have only small law firms been targeted?
No. Firms of all sizes have been successfully targeted – small, medium and large.
Have only Vancouver law firms been targeted?
No. Firms throughout BC have been successfully targeted.
Do funds transfer frauds only arise in real estate transactions?
No. We have seen funds transfer frauds occur across many practice areas: commercial, real estate, litigation, estate matters, family and others.
What steps can I take to prevent a funds transfer fraud?
- Immediately implement a firm-wide funds transfer verification protocol.
Always verify the authenticity of any instructions to transfer funds by phoning or meeting with the person instructing (whether purporting to be your client, another lawyer, bank, or real estate agent) to check that emailed instructions (which may be confirmed by letter), bank account details, and recipient information are all correct. Always use a trusted number, such as from the original file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter).
Ensure that everyone in your office is aware of this protocol and maintain a record of your verification on every file. Consider downloading this checklist and using it for every file.
- Train your staff.
Inform them of the frauds and train them on the instruction verification process to ensure a consistent approach to preventing funds transfer fraud.
What should I do if I have been the victim of a funds transfer fraud or social engineering fraud?
Some losses can be recoverable if you act immediately:
- First, notify your bank of the fraudulent transfer, and request a claw-back of the funds. This may require an interbank agreement between your bank and the receiving bank.
- Then immediately report to LIF and follow the additional reporting obligations set out on this webpage.
- Notify the other lawyer or client as it may be they who suffered the security breach that allowed the fraudulent email to be sent. Their insurance may be the most appropriate source of compensation.
- Be a squeaky wheel and repeatedly inquire with your bank and the receiving bank about the status of the recovery.
- File a report with the police.
How much insurance does my firm have if I have been the victim of a funds transfer fraud?
As of July 16, each lawyer has funds transfer fraud coverage through Part C of your LIF Indemnity policy up to $500,000. This limit is a single annual limit for each fraud, each lawyer, and their firm, collectively and in aggregate, regardless of the number of losses. The deductible is 15% of the loss if someone in the firm verified instructions, but 35% if this was not done. There is a $2 million annual profession-wide limit for funds transfer fraud coverage for BC lawyers.
Talk to a commercial insurance broker about additional coverage for funds transfer fraud and cybercrime. Discuss with your broker what coverage would be provided by: (1) a standalone crime policy with social engineering added, without the verification requirement for funds transfer fraud, or (2) a cybercrime extension.
What additional file opening steps can I take to reduce the risk of a funds transfer fraud?
When opening a new file, obtain your client’s phone number and a password from your client and record it in the physical file. The password can be used as another step to verify any transfer of funds. In addition, inform your client and other relevant parties that your firm verifies emailed payment instruction details only by phone or in person. Finally, advise your clients and other relevant parties to contact you at a trusted phone number immediately if they receive an email from your firm purporting to change payment instructions.
Managing cyber risk is now an integral part of every legal practice.