
Your trust fund may be the target of a fraudster. If a fraudster tricks you into willingly paying funds out of trust through the intentional misrepresentation of some material fact, you’ve fallen victim to a “social engineering” fraud. The “bad cheque” scam is one type, but there are others. They often have nothing to do with trying to convince you that real funds have been deposited into trust, but instead involve fraudsters pretending to be an existing client or someone genuinely authorized to give instructions on the client’s behalf.

Note: Although the scams detailed in this section relate only to social engineering frauds that target trust accounts, you will want to be aware of the other frauds that target lawyers. They range from other social engineering frauds, which try to trick you into opening a link that will plant malware in your computer and allow a fraudster to steal passwords or other confidential information or, like the “bad cheque” scam, into believing that real funds have been deposited into trust, to employee theft. Protect yourself. Read the general risk management tips below as well as the information about other scams and risks and employee fraud available here, and talk to your broker about purchasing excess cyber coverage.

More information and risk management tips relating to the “bad cheque” scam are available here.

How do you protect yourself?

  • Learn to identify the scams (see below)
  • Keep on top of new variations that the Law Society notifies the profession about. Make it a priority to read the email notices the Law Society sends. And for your non-lawyer staff who may also need to “keep on top,” sign them up for the Law Society’s RSS feeds so that they receive the same email fraud alerts that you do. Staff can also sign up for free electronic subscriptions to the Benchers’ Bulletin (includes Notices to the Profession and E-Brief).
  • Take steps to manage the risk (see below)
  • Talk to your broker about buying excess cyber insurance.

And find out what to do if you suspect that you are the target of a social engineering scam, or worse, you’ve been caught.

Learn to identify the scams

Here are the other social engineering scams that the Law Society of BC has reported on to the profession that involve fraudsters attempting to trick lawyers into willingly paying funds out of trust. Appreciate that there are, and will be, other variations as scamsters target lawyers worldwide. For instance, fraudsters pretend to be bank representatives investigating suspicious transactions in order to persuade law firms to send cash payments to an account as a test, or obtain banking information to impersonate a lawyer’s bank representative and convince lawyers to click on an email attachment. Appreciate as well that your own client might "cross the line" in an attempt to defraud you.

1.  Phony change in payment instructions

A fraudster hacks into an email account belonging to some party related to a transaction. In a real estate matter, the fraudster might hack the email of a lawyer’s vendor client or related party (e.g., a lender), the realtor, or even the lawyer themselves. This hacking allows the fraudster to monitor the account, and acquire the information necessary to assume the identity of one of the parties. The fraudster waits until the lawyer receives the purchase proceeds and then, cloaked with the fraudulent identity, emails the lawyer with directions to wire the funds to a different bank account. The email appears to come from the real party, but any replies go to the fraudster (often the party’s true email address is used but with just one small change, such as an extra letter). The fraudster might also telephone the firm or invite the firm to call a number given in the email and, as an imposter, confirm the wiring instructions. After the funds are wired as directed, the real party calls, looking for their funds. They are gone. Read more:

Funds Transfer Instructions Verification Checklist
Fraudsters continue to target BC lawyers (Notice to the Profession, August 6, 2019)
Fraudsters continue to target BC lawyers and their staff in relation to trust funds (Notice to the Profession, October 11, 2017)
Fraudsters again target lawyers disbursing trust funds (Notice to the Profession, January 19, 2017) – phony instructions from a lender
Fraudsters are targeting lawyers disbursing trust funds with a change in payment instructions (Notice to the Profession, May 7, 2015) – phony instructions from a client
Fraud Alert from Saskatchewan described in the May 2018 Law Society of Manitoba's Communiqué (p. 10)
Alert from the North Carolina State Bar

Variations on this scam continue. For instance, we are aware of the scam in a litigation context. The fraudster purported to be the self-represented claimant in a litigation matter, entitled to receive settlement funds from the lawyer.

2.  Phony direction to pay from a senior partner, staff member or other lawyer

A fraudster "spoofs" a senior staff member’s email address, making it appear that the email is actually sent by a senior partner or other law firm staff, asking staff (usually a controller) to send funds or divulge bank account information. As the spoof involves using the staff member’s real email address, readily available on the Internet, the fraudster tries to craft a message that discourages any reply. On the pretext of a need for extreme sensitivity and relying on a staff member not questioning the instruction of someone senior in the firm, sent to them personally, the fraudster tries to convince staff to ignore normal protocols and simply send the funds as directed in the email. A sequence of fake previous exchanges might be included to try to add authenticity to the request. The fraudster might also pose as a lawyer from another firm. Read more:

Fraudsters continue to target BC lawyers and their staff in relation to trust funds (Notice to the Profession, October 11, 2017)
New email "phishing" scam targets firm accounting staff and lawyers (Notice to the Profession, April 8, 2015)
More information from LawPro’s Avoid-a-claim blog.

In a new variation of this scam, a fraudster “spoofs” a vacationing lawyer’s email address by displaying the vacationing lawyer’s actual name in the “From:” line of the email. The email asks another lawyer in the office or staff to transfer funds on the pretext that the vacationing lawyer is unable to do so. Read how one BC lawyer got caught:

Happy holidays? Not for one BC law firm reeling from a six-figure theft (Notice to the Profession, December 15, 2017)

Read more:

Summer Fraud Alert: Email "phishing" scam targets vacationing lawyers (Notice to the Profession, July 6, 2017)

More information from LawPro’s Avoid-a-claim blog.

Take steps to manage the risk

Some scenarios should make you suspicious. For instance, are you being asked to wire real estate sales proceeds to an account that’s not in the seller’s name or geographical location? Have you received a message with grammatical or spelling mistakes, or an unfamiliar tone?

Establish protocols for transferring money out of your accounts and adhere to them. Empower your lawyers and staff to resist any request to bypass trust payment protocols on the basis of urgent circumstances (a sense of urgency may be a red flag of a fraud).

Consider implementing a policy of refusing to accept payment instructions by email, requiring instructions and changes to be given in person. At a minimum, telephone the sender to verify the instructions or any changes, and be sure to use a telephone number that’s been previously provided and independently verified, not a number given to you in the email.

Protect your computer systems and your data. Change passwords regularly and recommend that your clients and other parties to a transaction do so, as well. Use secure email domains. Do not open suspicious emails and attachments. Obtain professional technical expertise to help you protect confidential information through security measures including antivirus software and strong passwords, and to detect potential security breaches. Articles that you may find helpful are available here, including Security practice tips and Tech security for lawyers, and in the LawPro December 2013 Magazine ‘Cybercrime and Law Firms: The risks and dangers are real’.

Regularly perform internet searches of your own name and firm to see what turns up.

Educate your staff about scams, and remind them of the risk of receiving any request or instructions to transfer funds by email and the need to comply with protocols. Consider a ‘fraud detection’ exercise by sending your own fake email, for instance, to see if your training has worked.

(a) If you receive any change in payment instructions, consider the possibility that the new instructions may be fraudulent. Take whatever steps are necessary to satisfy yourself that any change in instructions is legitimate. These include:

i. double-checking the email address to ensure that it’s identical, as hackers may use an email address that is similar to your client’s or another party to the transaction with a dropped letter or some other small change; and

ii. initiating direct, in-person contact with your client to confirm the change, even if the email address is or appears to be identical. And remember to use the number your client initially provided to you, not any number provided in the email, for any telephone contact.

Consider using our Funds Transfer Instructions Verification Checklist on every file.

(b) Get specific written instructions before any funds are received as to how they will be paid and to whom. In a real estate transaction, for instance, ask the seller to commit to specific wiring or other delivery instructions at closing, and in your presence. This will help you identify and respond appropriately to any changes.

(c) Pay particular attention if you act on real estate closings or loan transactions, as fraudsters may be particularly interested in the pending injection of sales or loans proceeds into your trust account.

(d) If you provide payment instructions to another law firm or a bank, consider making it standard practice to add a notification along the lines of: “If you receive new payment instructions on this transaction please notify us immediately. Our law firm does not alter its payment instructions”.

(a) If you receive a direction to pay from a staff member or other lawyer, double check by speaking with the lawyer handling the file before any funds are paid out. Contact that staff member or other lawyer to confirm that they actually sent the direction.

(b) If your accounting staff’s names and contact information are on your website, consider removing them from public view. Once a scamster knows a staff member’s name, it is easy to figure out their email address because every address will presumably have the same domain name, e.g., @buchananandco.com.
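The address checks described above (a sender address that differs from the real one by a small change, a familiar name in the “From:” line, and replies that go somewhere else) can be automated as a first screen. The following is an added example, not part of the original guidance; the address book, domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: addresses verified when each file was opened.
VERIFIED = {"jane seller": "jane.seller@example.com",
            "pat partner": "pat.partner@examplelaw.test"}

# Constructed sample messages; only the headers matter here.
LOOKALIKE = 'From: "Jane Seller" <jane.sellerr@example.com>\nSubject: New wire details\n\nUse this account.\n'
NAME_ONLY = 'From: "Pat Partner" <pat.partner1987@freemail.test>\nSubject: Urgent\n\nPlease transfer today.\n'
REPLY_TO = ('From: "Jane Seller" <jane.seller@example.com>\n'
            'Reply-To: jane.seller@example.co\nSubject: Wire\n\nConfirming.\n')
LEGIT = 'From: "Jane Seller" <jane.seller@example.com>\nSubject: Closing\n\nSee you Friday.\n'

def edit_distance(a, b):
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw, verified=VERIFIED, max_distance=2):
    """Return a list of (code, detail) warnings for one raw email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    name, addr, reply_to = name.strip().lower(), addr.lower(), reply_to.lower()
    warnings = []
    if addr not in verified.values():
        # Near miss of a verified address: a dropped, added or changed character.
        for good in sorted(verified.values()):
            if edit_distance(addr, good) <= max_distance:
                warnings.append(("lookalike-address", f"{addr} resembles {good}"))
        # Familiar display name in front of an address that is not on file.
        if name in verified:
            warnings.append(("display-name-mismatch", f"{name!r} is on file as {verified[name]}"))
    # Replies routed away from the visible sender.
    if reply_to and reply_to != addr:
        warnings.append(("reply-to-differs", f"replies go to {reply_to}"))
    return warnings

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("name only", NAME_ONLY),
                       ("reply-to", REPLY_TO), ("legitimate", LEGIT)]:
        print(label, check_sender(raw))
```

An empty result only means these three checks found nothing; a message sent from the real, compromised account passes all of them, which is why confirming by a previously verified telephone number remains the deciding step.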

As compliance with the Law Society’s client identification and verification rules (the “Rules”) is a prerequisite for any coverage under Part C of the compulsory policy if you actually suffer a trust shortfall, you will want to ensure that you have followed the Rules.


Additional resources

A Canadian website that you can view to inform yourself generally about scams and new trends is the Government of Canada’s Canadian Anti-Fraud Centre’s (CAFC) website. Although fraud attempts against lawyers are not specifically targeted, the CAFC collects information and criminal intelligence regarding various types of fraud complaints. In addition, they provide information and resources to protect yourself, such as the Get Cyber Safe Guide for Small and Medium Businesses.

 

Last updated: December 2017