Law Society of WA

Avoiding the financial burden of email fraud

July 31, 2025

By Law Mutual (WA)

Business email compromise continues to cause issues for law practices across Australia. With law firms under a duty to replace any lost client funds, the financial burden of email fraud attacks could be crippling. Attacks are becoming more sophisticated, and law practices need to remain vigilant.

What can you do to identify an attack, curtail the transaction and prevent the loss? 

Practices should consider implementing policies and protocols that balance security, privacy, and efficiency to mitigate the risk of falling victim to cybercrime, especially on any matters where money will be transferred via the firm’s trust account.

Questions for each legal practice to consider:

  • Before accepting and acting upon a client’s payment directions that are provided by email, does your firm verify them by phone call, using the phone number recorded at the time initial instructions were taken, and not a phone number included in the same email as the payment directions?

  • Do you inform your clients in writing that you will never send them an email changing your trust account details or asking for money to be sent to an account other than your trust account?

  • Do you advise your clients in writing to contact your firm urgently if they receive an email from the firm purporting to change the payment details? Do you include this warning on your email communications with the client?

  • Are all staff members advised of the requirement to telephone to check payment directions received from other solicitors, when these are received by email?

Steps you can take:

  • Transfer of funds: Adopt the practice of verifying every client and instruction to transfer or pay out trust funds (e.g. payee, account, amount) (s226 LPA Offence to cause deficiency). Adopt protocols to protect law practice funds (e.g. verification of certain amounts or types of payments).

  • Adopt employment practices that promote security: Set clear expectations about staff commitment, competence and compliance regarding cyber security, and the consequences for breach. Require users to declare that policies have been read and agreed to. Use log-on screen reminders to reinforce safe use. Monitor and enforce compliance. Provide adequate training.

  • Background checks: Vet staff and contractors for trustworthiness, especially those in accounts and IT.

  • Phishing and suspicious emails: Ensure users can recognise the characteristics of suspicious emails (e.g. odd URLs or language, urgency, directions to transfer funds). Use phishing tests to check that users can be trusted to report suspicious emails and not click on links or attachments.

Law Mutual (WA) insured practices are reminded that losses as a result of cybercrime may not be covered under the Law Mutual (WA) Professional Indemnity insurance arrangements. Cover will depend upon the facts of each individual case.
