About to pay out trust funds? STOP. Last week, two BC law firms – a small firm outside Vancouver and a medium-sized firm in downtown Vancouver – unwittingly paid out funds from trust to cybercriminals. We urge you to read to the end of this bulletin so that your firm does not experience a similar fate.
The first firm acted for a purchaser in a conveyance. The firm’s paralegal received email instructions from the seller’s law firm’s paralegal requesting that the purchase proceeds be sent to a certain bank account. The firm sent over $2 million to this bank account only to discover afterward that the email instructions from the other firm’s paralegal were fraudulent. In a sophisticated new twist, the cybercriminal impersonating the paralegal even sent a letter on a mock-up of the firm’s letterhead, confirming the fraudulent instructions.
The second firm was returning retainer funds to its client’s out-of-province lawyer. Again, a hacker impersonated the out-of-province lawyer, but this time by directly infiltrating the out-of-province lawyer’s system when they sent the request to the second firm and the funds were sent to the hacker’s bank account.
Any time a payment of trust funds is imminent, assume that a fraudster is aware and monitoring your emails. Once in your system, cybercriminals can lie in wait for an ideal opportunity. Before paying out funds in any matter, verify that instructions sent by email (and possibly confirmed by letter!) are legitimate through direct phone or in-person contact with the party providing the instructions. If the instructions are from your client, contact your client directly using the original number in the file or in-person. Even if the instructions are from a bank or another law firm, call to confirm that the transfer instructions are legitimate using the number on your file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter). Implement a firm-wide protocol to make a verification phone call on every payment of trust funds.
Please keep reading…
Verification is also a requirement of your cyber coverage with Coalition. And if you have been or think you may have been a victim of a cybercrime, immediately follow the reporting instructions. The sooner you report the more likely that steps can be taken to stop or mitigate the transfer fraud. Any lawyer can be tricked by social engineering. Learn more tips here and watch this video to find out how two other BC law firms fell victim to sophisticated social engineering frauds involving millions of dollars.
Finally, note that you are required to report a trust shortage to the Executive Director of the Law Society and to replenish trust funds lost from client accounts.
We know you are busy trying to close conveyances, get proceeds from litigation or matrimonial settlements to your clients, and disburse bequests to beneficiaries when acting for estates. An extra phone call to a person giving payment instructions by email is an irritant. We get that. But that one phone call could save your firm from serious financial consequences.
Would the partners in your firm be able to immediately come up with $2 million to avoid bankruptcy?
For the latest updates from LIF, follow us on Twitter @Lifbc.