Imagine that you have received an email with banking instructions to do a wire transfer. You are distributing funds from an estate. Your assistant has checked, and the email was sent from the sender’s correct email address. The exact same email address that you have been corresponding with for months. You send the money out. Everything seems like a completely normal transaction, and then the nightmare begins. The emails were hacked. The money went to a bad account. The amount sent may have exceeded your insurance loss limits, or your insurance did not cover cyber losses at all. It may be impossible to track the money.
A useful seminar entitled “Avoiding the wire transfer nightmare” is available; it was originally held on December 2, 2021, and organized by the Toronto Lawyers Association and LawPRO. In their view, the appropriate wire transfer method is to use “two-step” or “two-factor” verification. This can involve a simple follow-up phone call or another follow-up verification step that does not involve using email. The seminar suggests that all emails can be hacked, as email is not a secure method of communicating. Memorable comments from the seminar presenters included “be incredibly paranoid about wire fraud” because hackers are “trying to get access to your trust account”.
The LawPRO website further states that: “Finding out that money you sent out of trust has gone missing is a lawyer’s worst nightmare. Unfortunately, we are seeing a rise in wire fraud efforts targeting law firms and their clients. Fraudsters have developed several ways to convince lawyers and law clerks to wire funds out of law firm trust accounts to fraudsters’ accounts.”
LawPRO suggests the following further steps:
- Implement robust computer and phone security practices.
- Provide staff training on identifying bad cheques and phishing messages.
- Verify instructions received by email.
- Ensure you have sufficient cyber insurance.
- Make or update your incident response plan.
I have only one New Year’s resolution for 2022. Avoid the nightmare. Always use “two-step” verification and “call” before you “click”.
Thanks for reading!