Wednesday, 20 December 2017

Risk Alert: Email scam warning

Law Society members and Law Mutual (WA) insureds are advised of a sophisticated email scam which has cost at least two Queensland law firms several million dollars.

As reported in the Brisbane Times, hackers commandeered the email accounts of staff at the law firms by tricking them into revealing their email account login details before hijacking payments from clients. Once the login information has been entered, the hackers monitor the legal staffer's email account and watch for information about settlements and payments that need to be made.

When the deadline comes for money to be paid to the firm from the client, the scammer emails the client, posing as the law firm, and reminds them. However, they change the bank account details where the money needs to be paid. The hackers give their own desired account instead of the firm's trust account.

It's happening in WA

Law Mutual (WA) has recently received details from an insured practice that they had been subject to an email scam that could have resulted in a loss in excess of $200,000.

The practice received an email from their client relating to a deceased estate instructing them to deposit funds from their trust account into a particular account for the beneficiaries of the estate. The email had been intercepted by a hacker and the account details had been changed. The practice only realised the error after the money had been transferred. Fortunately, in this instance, the banks involved were very helpful.

The practice was able to liaise with the banks involved and place a block on the funds being received into the recipient account. Following the incident, the practice has reviewed their policies and procedures on the transfer of funds and implemented further safeguards (primarily in relation to client identification) to mitigate the risk of falling victim to cybercrime.

Steps you can take

Practices should consider implementing policies and protocols that balance security, privacy, and efficiency to mitigate the risk of falling victim to cybercrime, especially on any matters where money will be transferred via the firm’s trust account including:

• Transfer of funds: Adopt the practice of verifying every client and instruction to transfer or payout trust funds (e.g. payee, account, amount) (s226 LPA Offence to cause deficiency). Adopt protocols to protect law practice funds (e.g. verification of certain amounts or types of payments)
• Adopt employment practices that promote security: Set clear expectations about staff commitment, competence and compliance regarding cyber security and consequences for breach. Require users to declare policies have been read and agreed to. Use log on screen reminders to reinforce safe use. Monitor and enforce compliance. Provide adequate training.
• Background checks: Vet staff and contractors for trustworthiness, especially those in accounts and IT.
• Phishing and suspicious emails: Ensure users can recognise the characteristics of suspicious emails (e.g. odd URLs or language, urgency, directions to transfer funds). Use phishing tests to check users can be trusted to report suspicious emails and not click on links or attachments.

In October 2016, Law Mutual (WA) facilitated the seminar Cyber crime – how to prevent an attack and its impact on professional liability. The seminar provided practical examples of basic protections that legal practices can adopt to mitigate the risk of cybercrime. The presentation is available on the Law Mutual (WA) website.

In addition to the cybercrime presentation, Law Mutual (WA) provided a number of sample controls and resources to assist practices in implementing cyber security measures, also available on the Law Mutual (WA) website.

Law Mutual (WA) insured practices are reminded that losses as a result of cybercrime may not be covered under the Law Mutual (WA) Professional Indemnity insurance arrangements; cover will depend upon the facts of each individual case.