Here are the details:
- Last week a small law firm acted for a borrower in a commercial refinancing transaction and unwittingly paid out over $1.7 million to cybercriminals. The lawyer had instructions to clear the existing private lender mortgage on title. He received an email with payment instructions and the payout statement apparently from the lawyer for the lender, but it was actually from the fraudster using a spoofed email address. Apart from the direction to the fraudster’s account, the payout statement was identical to previous, genuine forms and the email address was exactly the same. The lawyer physically attended at his bank to complete the wire transfer of $1.7 million. The teller advised him that the SWIFT Code was missing but that the name of the bank account for the wire transfer was correct; it was in the name of the lender’s law firm. Our lawyer emailed the lender’s lawyer requesting the SWIFT code as he was unable to reach her by phone. The lawyer received an email response with the SWIFT Code (again, from the fraudster) and proceeded to make the wire transfer without verifying the authenticity of the payment instructions. Later that day he realized he’d been defrauded when he received a call from the lender’s lawyer advising that she had not received the funds.
- A medium-sized law firm acted for a client in a commercial litigation matter and inadvertently paid out funds from trust to fraudsters. A settlement was reached and the firm received the settlement proceeds. Unbeknownst to the lawyer or client, a fraudster had already compromised the client’s email. The lawyer received email instructions that appeared to come from her client but were actually from the fraudster (again, through a spoofed email address) asking that the settlement funds be sent to a certain bank account by direct deposit. The firm then sent the settlement proceeds to the fraudster’s bank account without making a secondary verification. The fraudster also posed as the lawyer in subsequent email communications with the client, which allowed a delay of several days before the client phoned the lawyer and asked about the missing deposit. Only then was it discovered that the email instructions were fraudulent. Due to quick action, the bank was able to return the money to the lawyer’s trust account.
- At a large Vancouver law firm, a fraudster spoofed an employee’s email address and sent an email to the law firm’s payroll staff requesting that the employee’s automatic payroll deposits from the law firm’s general account be sent to a different bank account. The lawyer and payroll staff just happened to speak directly before the funds were sent to the fraudster, averting the fraud. The law firm has changed its office procedures so that no one will ever rely on email instructions alone for any payment. Someone will either verify instructions in person or by phone.
What can you do? The crux of it is that any time you are transferring trust funds, by any means, you are at risk and must verify emailed instructions through direct phone or in-person contact with the party purporting to provide the instructions. If the instructions appear to come from your client, contact your client in person or by using the original phone number in the file. Even if the instructions purport to come from a bank, another law firm, or anyone at all, call to confirm that the transfer instructions are legitimate using the number on your file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter). Implement a firm-wide protocol to make a verification phone call on every payment of trust funds.
Verification will also save you a deductible of 35% of the indemnified loss. You can download this checklist and use it for every payment. Find out additional information here about funds transfer frauds, learn the steps you can take to prevent fraudsters from hacking into your systems here and what you can do to avoid cybercrimes hitting your firm. For more tips to help keep you safe, see Real estate transactions – know your client primer (Summer 2021 Benchers’ Bulletin) and the Client ID & Verification web page.
If you think you have been a victim of a funds transfer fraud, immediately notify your bank and request a claw-back of the funds. Next, contact your IT department and cyber insurer (Coalition or other) to ensure the fraudster is not lurking in your system, and then report to us.