« Return to 2024 March - The Confidence Client Issue Index
One click and you are out $1 million
Could it happen to you? If you have a trust account, then you’re at risk.
We are seeing a sharp increase in social engineering fraud against law firms and their clients, where the goal is to divert funds to fraudsters’ accounts. When money gets diverted, the lawyer and/or the client is out of funds. For the lawyer and staff involved, an errant funds transfer is one of the most stressful situations to be in.
Picture this situation: Your firm acts for a couple selling their home and buying a new one. They need to discharge the mortgage on their first house to complete the same. You log into your account and see an email from the current mortgage company with payment instructions, including the wire transfer account number.
Several days later, the mortgage company sends you a further email, asking that you send the funds to a different wire account. The email appears to be from your regular contact at the company. The mortgage company apologizes for the earlier email and advises that the funds transfer direction was sent in error. The email provides new wire transfer instructions.
What do you do? Do you wire the payment to the first account, the second account or not at all? Unfortunately, sometimes, we have seen lawyers send the funds without taking further steps to independently verify the instructions. Hundreds of thousands of dollars have gone missing; sometimes several million dollars diverted.
Preventing loss from social engineering fraud
Claims related to or arising out of social engineering are covered to a sublimit of $250,000. However, lawyers can extend this “social engineering coverage” to the standard $1 million limit by taking the following steps:
What should I do to avoid social engineering claims and prevent the associated sublimit?
1. Include written instructions in a retainer or other agreement for the receipt, release, and transfer of any funds or assets.
2. Advise in the written retainer or other agreement that the client or another party to which you owe a duty of care should not ordinarily expect to receive any revised instructions from you or your firm for the transfer of funds or assets.
3. Advise in the written retainer or agreement that, should the client or another party to which you owe a duty of care receive revised instructions for the transfer of funds or assets, they should immediately contact you by way of a telephone number specified in the written retainer or other agreement.
4. If you or your staff receive any changes to the contact information of a client or other party to which you owe a duty of care, or any changes to established instructions for the transfer of funds or assets, you confirm those changes by either calling the client or other party to which you owe a duty of care using contact information previously confirmed to be that of the client or other party, or by meeting with the client or other party.
5. Maintain in writing any updated contact information for a client or other party to which you owe a duty of care, and any updated instructions for the transfer of funds or assets.
For a full description of your obligations under the policy, please see Exclusion (k) of Part III, which applies to losses arising out of or connected to Social Engineering. Nothing in this summary should be taken as limiting or altering that exclusion.
To learn more about social engineering fraud and steps to take to protect yourself and your client see: Social Engineering Toolkit www.practicepro.ca/socialengineering