Queensland Law Society

Queensland Police warn of new scam targeting lawyers

The Queensland Police Financial and Cyber Crime Group is warning all Queensland legal practitioners to be on the lookout for ‘fake invoice’ cyberfraud.

This scam works by convincing:

  • a firm to pay money due to a supplier, or
  • a client to pay money due to the firm

to the wrong bank account.

Although the concept is simple, execution can be very professional, including the use of letterheads, telephone calls or emails from ‘supplier representatives’ to convince business operators that the change of account details is legitimate.

The criminals may spend time building a relationship with accounts staff, using information obtained from social media or stolen emails, and may take over email between client, firm and supplier to substitute doctored invoices. Fake bank details might be supplied when the invoice is first rendered, but often the target is contacted weeks in advance and asked to change payment details on their system. The fact that your records match the invoice is therefore no guarantee that you are safe.

Money stolen in this way is not usually covered by insurance.

Even big companies with strong protection have been targeted this way:

  • Brisbane City Council (2016, $450,000 stolen)
  • Google (2014, $100 million stolen)
  • Microsoft (2014, $100 million stolen)
  • A subsidiary of Citibank, which announced that it had been scammed out of USD$450 million that year as well.

Techniques perfected in stealing large amounts from big companies inevitably get used to target smaller enterprises. In 2018, Queensland lawyers are among the targets of choice.

Below is the full police warning and their practical suggestions to avoid this happening to you.

The full text from QPS:

The Financial and Cyber Crime Group, Queensland Police Service has observed a trend in invoice scams targeting members of the legal industry in Queensland. A number of businesses have already lost income as a consequence.

The scam involves offenders engaging with businesses, pretending to be a supplier or creditor, and convincing business operators to change the supplier’s banking account details held on record.

The engagement has been very professional including the use of letterheads, telephone calls or emails from ‘supplier representatives’ to convince business operators the account change of detail is legitimate.

Tips to avoid becoming a victim of invoice scam through change of banking account details:

  • Double check all requests to change suppliers’ or other businesses’/persons’ bank account details.
  • Independently verify all notices of changes in bank account details. Ensure telephone verification contact is done with the telephone number obtained from the particular business’s official website or Yellow Pages entry.
  • Do not use telephone numbers located within the email to verify the change; always use details you already have or that you have sourced independently.
  • Use your database contact details to confirm notifications for any changes of banking details via official correspondence with your suppliers (such as a letter), preferably before processing the next payment.
  • Always have up-to-date virus protection and remind staff not to open unknown emails or open links within emails they are unfamiliar with.
  • Beware of false confirmation emails from almost identical email addresses, such as .com instead of .co.za, or slight variations from genuine addresses that can be easily missed.
  • Consider a multi-person approval process for transactions over a certain dollar threshold.
  • Always confirm the identity of the person your business is dealing with.
  • Ensure you always shred and never just throw away your business (and suppliers’) invoices or any communication material that contains letterheads.
  • Do not publish your bank account details on the internet. This private information can be used fraudulently to trick genuine customers into making payments to alternative accounts.
  • Ensure that your company’s private information is not disclosed to third parties who are not entitled to receive it, or third parties whose identities cannot be suitably verified.

If you suspect you have been a victim of an invoice scam, please report it on the Australian Cyber Online Reporting Network (ACORN).