Queensland Law Society

Cyber security

Scam warning from the President of the Queensland Law Society. For priority action by all firms, especially those engaged in conveyancing

This notice is to warn you of a sophisticated fraud network that has been targeting law firms in Queensland. These criminals have stolen several million dollars from clients and practitioners.

The precise method of attack varies, but the essence is that the criminals obtain access to the firm’s email accounts and use this access to misdirect trust money or settlement funds. Some thefts have been of money going to the trust account; others involve money incorrectly paid out.

Although conveyancing transactions have been hardest hit, any movement of trust funds is at risk.

The key to the scam is that the criminals obtain valid email credentials of a legitimate party to a transaction – usually one of the law firms. They then use this valid email account to send false or altered payment instructions to the other party. The receiving party is fooled because the source of the email is trusted. The emails pass normal spam and junk email filters for the same reason.

For example, a currently active scam involves sending what appears to be a legitimate email inquiry from a new client asking for pricing information. When you respond, they ask more questions, and send you a link to download documents relevant to the inquiry. The link requires you to enter your email credentials in order to access the documents. If you do so, you have just given the criminals your valid email login credentials.

What should we do?

Secure our own email accounts

Firstly, all practitioners must take the measures they can to ensure their email account is secure – and stays secure. Recognise that legitimate sites do not request your email credentials.

Warn your staff of the risk – including your junior support staff. Any valid email from your firm can be used to work this scam.

Be aware that email accounts of other law firms may have been subverted

The scam relies upon the goodwill and trust that exists between legal practitioners. While we continue to have faith in our fellow lawyers, we need to keep in mind that their email accounts are being targeted too, and may have been hacked.

Verify the validity of payment instructions

Funds transfers to bank accounts are the target of this scam. When the sums involved are large, some extra security precautions are warranted to verify the banking details you have been provided. This can be as simple as telephoning the other law firm (or client as the case may be) and verifying with them the bank account details you have been sent.

Encourage your clients to call you to verify your Trust Account details before transmitting funds to your bank account. Let them know that you won’t send them new banking details immediately before settlement. 

Other resources

QLS has resources available outlining the problem, some preventative measures and what to do if the worst happens. These resources may be found on this page.

In response to numerous incidents in recent times, Lexon has prepared a free online training package for employees of all firms insured by Lexon. It takes around five minutes, and I suggest that you encourage all staff to complete it prior to starting their Christmas break.

Online Cyber Security training.