Notice to lawyers
December 19, 2024

About to pay out trust funds? STOP. Recently, a BC law firm was tricked into sending over $4 million by wire transfer to fraudsters. The firm was acting for a lender in a commercial financing transaction for a property development. The scammers had already obtained access to the lender firm’s email and inserted themselves into email communications, impersonating the borrower’s lawyer. The scammers sent fraudulent wire instructions requesting that the funds be paid to an account with a numbered company as the account holder. The firm then wired the funds. Unfortunately, the lender’s lawyer did not phone the developer’s lawyer to verify the payment instructions. That step would have prevented the fraud from progressing. The fraudster also used their access to the email account to intercept communications, causing further delay with the intention of moving as much of the money as possible to other accounts before the scam was detected.

Although the firm acted quickly when the fraud was discovered and reported it immediately to the bank, it remains to be seen how much of the money can be recovered.

What can you do? Before paying out funds in any matter, verify that instructions sent by email (and possibly confirmed by letter!) are legitimate through direct phone or in-person contact with the party providing the instructions. If the instructions are from your client, contact your client directly using the original number in the file or in person. If the instructions are from a bank or another law firm, call to confirm that the transfer instructions are legitimate using the number on your file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter). Implement a firm-wide protocol to make a verification phone call on every payment of trust funds.

Please keep reading…

What else can you do? Awareness, vigilance and training are key to cyber security. You should:

  1. Constantly educate yourself and your staff about preventing and detecting cyber fraud. Have all your staff read the notices we send out.
  2. Confirm you have a funds transfer verification process in place. Never use the contact information provided in the instructing email (or confirming letter), and use our checklist. If you are not personally making the phone call to verify instructions, review with your assistant in person a completed checklist on every payment before the funds leave your account.
  3. Do not rely on email communication to complete the secondary verification because – as we have seen – the email purportedly from your assistant confirming that verification has been completed may actually come from the fraudster.
  4. Make your computer network as secure as you can. Ask your IT professional to regularly test for vulnerabilities and talk to them about security, including:
    • Using Coalition Control (coalitioninc.com/en-ca/bclaw/control) to actively monitor your risks.
    • Multi-factor authentication – Ensure two pieces of information are required to access email or your computer network. If a criminal acquires only one, your computer network may still be safe.
    • Routine backups – Regularly back up your systems and secure your information to a location that is separately secured from your network.
    • Email security – Email is the single most targeted point of entry into an organization for a criminal hacker. Talk to your IT professional, Coalition, or your other cyber insurer about measures including SPF, DKIM, DMARC, and an anti-phishing solution to protect your domains against abuse in phishing or spoofing attacks.
    • Password management – Create strong, unique passwords for each account. Change them regularly and never share passwords with anyone. Encourage employees to use a password manager.
  5. Ensure that your firm has network security and privacy liability insurance, either through Coalition or another insurer, or a combination of both. In addition to the financial benefit such insurance provides, the specialized guidance from the insurer in the immediate aftermath of a security or privacy breach can be invaluable because the experience can be terrifying.

If you think you have been a victim of a funds transfer fraud:

  1. Immediately notify your bank of the fraud and request a claw-back of the funds;
  2. Contact your IT department and cyber insurer (Coalition or other) to ensure the fraudster is not still lurking in your system; and
  3. Report any potential loss of client trust funds to LIF (under Part C of your policy) and to the Law Society (Rule 3-74, Trust Shortage).

Find out additional information here about funds transfer frauds.