This is a must-read notice about a new twist on funds transfer frauds.
Recently, a BC lawyer unwittingly paid out funds from a trust account to cybercriminals. He thought his assistant completed the secondary verification but the supposed verification actually came from the fraudster.
Here is what happened. Dal (not his real name) received an email request from his executor client to pay funds to an estate beneficiary. Payment was to be made by direct deposit. There was some back and forth by email to get the details correct. Dal then emailed his assistant directing her to make a secondary verification by telephone using the number on file. However, the fraudster, having hacked into the firm’s system and gained access to their email, was watching the email traffic and inserted himself at the opportune moment. The fraudster then sent his own reply to Dal using the assistant’s email confirming that the secondary verification had been made and payment instructions were valid. Confident that confirmation had been obtained from the client, Dal paid out the funds to the fraudster and the money was lost.
What should you do? If you are having your assistant complete the secondary verification of your client’s emailed payment instructions, you will need to talk to your assistant in person or by phone to confirm that the secondary verification has in fact been completed. You must break the chain of electronic communication with a personal interaction. To summarize, you should:
- Ensure you have a process in place, and use our updated checklist. Have that checklist completed, printed and physically brought to you for review by your assistant for every payment;
- Do not rely solely on email communication to complete the secondary verification, as an email purportedly from your client or assistant may well be coming from the fraudster; and
- Educate your staff about detecting fraud and the importance of personal verification of client instructions, especially if the instructions come by email.
If you think you have been a victim of a funds transfer fraud:
- Immediately notify your bank and request a clawback of the funds;
- Contact your IT department and cyber insurer (Coalition or other) to ensure the fraudster is not lurking in your system; and
- Report to us.
Find additional information here about funds transfer frauds, and learn how you can prevent fraudsters from hacking into your systems, as well as what you can do to avoid cybercrimes, here. Also see Real estate transactions – know your client primer (Summer 2021 Benchers’ Bulletin) and the Client ID & Verification web page.