Million-dollar funds transfer fraud twist: Fraudulent verification

Fraudsters recently targeted two medium-sized Vancouver law firms. Here are the details:

  1. A partner we’ll call John represented a plaintiff in a civil litigation matter. John reached a settlement and received settlement funds of approximately $1.4 million. John emailed his client requesting account details to wire transfer the funds. John’s assistant, Sarah, received an email with wire transfer details for a Canadian bank that purported to come from the client but was actually from a fraudster. The fraudster had gained access to the firm’s system and was able to monitor and intercept emails to control the conversation.

    In a new twist, the fraudster then sent Sarah an email from John’s account that “confirmed” that verification of the wire instructions had been completed. The fraudster also pasted John’s electronic signature onto the firm’s internal wire transfer form. Believing the process was complete and correct, Sarah wired the settlement funds of $1.4 million to the fraudster’s bank account. Although the firm acted quickly when the fraud was discovered and reported it immediately to the bank and insurers, it remains to be seen how much can be recovered.

    How did this happen? The fraudsters breached the firm’s email system, took control of John’s email account, and quietly intercepted all email communications with not only his client but his assistant as well. Control of a mailbox lets an attacker read, delete and send messages as the account holder, so every step of the “verification” that Sarah relied on came from the fraudster. Aside from initially asking his client to send wire transfer instructions, John never saw any of the other emails.
     
  2. Another firm narrowly avoided a funds transfer fraud on New Year’s Eve, a time frequently exploited by fraudsters due to distractions and reduced staffing during holidays.

    Following the settlement of a civil litigation matter, Jane, the lawyer, approved an internal wire transfer of settlement funds to the client and then departed on holiday. Kim, the firm’s trust accounting clerk, received the wire instructions and noticed several red flags. After confirming with Jane's assistant that purported verification of the wire instructions had been completed—based on telephone confirmation from opposing counsel’s assistant—Kim remained concerned because the payee did not match the name of the client in the file. Still suspicious, Kim decided to verify the wire transfer instructions herself.

    When Kim reached the opposing firm, she was told the lawyer was on holiday and the assistant was working from home, and was instructed to call the assistant’s personal cell to confirm the wire transfer instructions. Finding this unusual, Kim went directly to the bank in person to verify the account, only to discover it was fraudulent. Kim did not transfer the funds to the fraudsters and saved her firm from becoming the victim of a cyber-attack and the theft of hundreds of thousands of dollars of client funds.

    What happened? When Jane’s assistant called the opposing counsel’s assistant to verify the wire transfer instructions, she used the phone number in the email from the fraudster, so the person who “confirmed” the instructions was the fraudster.

Key takeaways:
 
  1. First, never email a client, opposing counsel or another party to verify payment instructions; call a trusted number. Second, the verifier should never send an email confirming that the payment instructions have been verified, but should instead confirm the verification with you in person or virtually (where you can see them). Why? As this recent case shows, fraudsters impersonate lawyers and staff alike, and an email purportedly from the lawyer or assistant confirming that verification has been completed may itself be from the fraudster.

  2. Complete internal wire transfer request forms with physical (wet-ink) signatures, not pasted electronic signatures. An electronic signature image can be copied onto a form by anyone who has access to the mailbox or file system, as happened in the first case above.

  3. Call a trusted number, such as one from the file, a prior engagement letter, or the firm’s own records. Never use the contact information provided in the instructing (or confirming) email. Treat any phone number in such an email as attacker-controlled: whoever wrote the email chose the number in it.

What else can you do?
 
  1. Constantly educate yourself and your staff about preventing and detecting cyber fraud. Have all your staff read the notices we send out. Awareness, vigilance and training are key to cyber security.

  2. Confirm you have a funds transfer verification process in place. Use our checklist. If you are not personally making the phone call to verify instructions, review a completed checklist in person with your assistant or the verifier on every payment before the funds leave your account. Always ask what contact information was used to verify the wire transfer instructions, and ensure that the phone number in the instructing email (or confirming letter) was not used.

  3. Make your computer network as secure as you can. Ask your IT professional to regularly test for vulnerabilities and talk to them about security, including:
    • Using Coalition Control – (www.coalitioninc.com/en-ca/lif/control) to actively monitor your risks.
    • Multi-factor authentication – Require a second factor (such as an authenticator app or hardware security key) in addition to the password to access email or your computer network. A stolen password alone then does not give a criminal control of the mailbox.
    • Routine backups – Regularly back up your systems and store the backups in a location that is isolated from your network, so that an intruder who reaches your systems cannot also reach the backups.
    • Email security – Email is the single most targeted point of entry into an organization for a criminal hacker. Talk to your IT professional, Coalition, or your other cyber insurer about measures including SPF, DKIM, DMARC (DNS-based controls that let receiving mail servers reject messages forged to look like they come from your domain) and an anti-phishing solution. Note that these controls protect your domain against spoofing; they do not stop mail sent from a genuinely compromised account, as in the first case above, which is why multi-factor authentication and in-person verification remain essential.
    • Password management – Create a strong, unique password for each account, never share passwords with anyone, and change any password you suspect has been exposed. Encourage employees to use a password manager, which makes unique passwords practical.

  4. Ensure that your firm has cyber insurance, either through Coalition or another insurer, or a combination of both. In addition to the financial benefit such insurance provides, the specialized guidance from the insurer in the immediate aftermath of a security or privacy breach can be invaluable; a breach is a stressful time to be improvising a response.

If you think you have been a victim of a funds transfer fraud:
 
  1. Immediately notify your bank of the fraud and request a recall (claw-back) of the funds; every hour matters, as funds are typically moved on quickly;

  2. Contact your IT department and cyber insurer (Coalition or other) to ensure the fraudster is not still lurking in your system, since the account that was used to send the fraudulent emails is likely still under their control; and

  3. Report any potential loss of client trust funds to LIF (under Part C of your policy)* and under Law Society Rule 3-74 (Trust Shortage).

How can you check if your firm has coverage under the Coalition policy?

Your firm’s Designated Representative can access a current Certificate of Insurance for the Coalition policy as follows:
  1. Log into the Law Society's Member Portal.
  2. Scroll to “Law firm information.”
  3. Click on the link that is your firm’s name.
  4. Click on the tab that says “Cyber Insurance” for your firm’s certificate.
If a certificate for the firm does not exist, the firm does not have Coalition’s coverage. If this is unexpected, take action right away to obtain coverage. Firms that have previously allowed their Coalition coverage to lapse can always join the program again if they have resolved their network security vulnerabilities.

Find additional information here about funds transfer frauds.

*There is funds transfer fraud coverage through Part C of your LIF Indemnity policy up to $500,000 for each fraud, each lawyer, and the firm, collectively and in aggregate, regardless of the number of losses. The deductible is 15% of the loss if someone in the firm verified instructions, but 30% if this was not done. Talk to a commercial insurance broker about additional coverage for funds transfer fraud and cybercrime.