« Return to 2016 January Indigenous Issue Index
Danger: When a hacker emails you instructions in the name of your client
The determination and energy of hackers knows no bounds. They show remarkable imagination and ingenuity in coming up with ever more devious ways to steal trust funds by duping lawyers.
As an example of this, we have recently seen several instances where a fraudster hacked into a client’s email with the intent to divert funds coming out of a lawyer’s trust account. After gaining access to the client’s email account, the hacker surreptitiously monitors emails going back and forth between the lawyer and the client.
At the opportune time, usually just before a real estate deal is closing or the loan funds are to be advanced, the hacker sends an email redirecting where the funds should go. This change of instructions appears to be coming from the client via the client’s email, but if the lawyer follows these instructions, the money ends up going to the fraudster.
Our malpractice insurance colleagues from across Canada and the U.S. tell us they are also seeing examples of this type of fraud. We are aware of a variation where the lawyer’s email is hacked, and the instructions allegedly from the client are sent from a different email account that very closely mimics the client’s email address. Communicating by email has become the norm for clients and their lawyers. Both lawyers and clients readily and unquestionably accept the legitimacy of an email sent by their counterpart. That’s what makes this fraud work so well.
How do you protect yourself? At the start of the matter, get specific written instructions as to how funds will be transferred and where they will be going. If those instructions change, especially via an email at the very last minute, and/or the recipient of the funds seems odd (a red flag of fraud), seek confirmation of the instructions from the client through another communications channel (i.e., call them on the telephone). and one other essential takeaway – this type of fraud can be prevented if people regularly change their passwords. Good advice for you and your clients.