Queensland Law Society

Cybercrime and additional caution re EFTs

It has come to the Society’s attention that a number of law practices have been the subject of cybercrime fraud in recent months. Alerts have been included in QLS Update and Lexon Risk Alerts during August, October, November and December 2017. 

The frauds have resulted in trust funds being incorrectly disbursed from law practice trust accounts. There have also been a number of instances where client funds have failed to be received by law practices.

The Society encourages law practices to have all staff complete Lexon Insurance’s online cyber security training.  The course is free and includes 1 point towards practitioner’s CPD requirement. 

It is suggested that law practices consider implementing the following procedures:

  • Ensure that all clients provide the law practice with a telephone number or other personal identifier at the commencement of any matter or shortly after.
  • Do not provide any bank account details for trust account or general accounts to anyone via email (or include in a document attached to an email).
  • When requesting the client to deposit funds to the law practice trust account, ask the clients to telephone the law practice to receive the BSB and account number verbally. Law practice can then confirm the telephone number matches the number previously provided or via some other form of personal identification, that has been agreed upon.
  • All bills of costs should request the client to contact the law practice to verbally obtain bank account details. Law practice can then confirm the telephone number matches the number previously provided or via some other form of personal identification, that has been agreed upon.
  • Where a law practice is required pay trust funds from the law practice trust account, the law practice should obtain bank account details verbally from the intended payee.
  • If bank account details are provided to the law practice via email or letter attached to an email, the law practice should always obtain verbal confirmation from the payee (client, creditor, other law practice) that bank account details are correct.
  • If bank account details provided via email/letter differ to the verbal confirmation, do not disburse funds until:
    • further enquiries are completed
    • additional investigations have been undertaken to confirm that person spoken to on phone was the client/correct payee
    • a review of  computer systems for possible security breaches is considered.

After funds have been electronically transferred to the specified bank account, the payee should be requested to confirm the next day that funds have appear in their bank account.

Consideration should be given to not making any electronic fund transfers (EFTs) to client bank accounts. If a law practice decides to issue trust account cheques rather than EFT trust funds consider: 

  • depositing the trust account cheque to the client/payee bank account after verbal confirmation from the client as to BSB and account number in accordance with client instructions (possibly with a special clearance request if required)
  • implementing processes for the law practice to place a stop payment on the cheque (as a cheque does not clear for 3 business days after banking) if the funds are paid into the incorrect bank account
  • requesting confirmation from the payee that funds have appeared in their specified bank account on the day after funds transfer
  • if the client/payee advises that funds were not received to their account, consideration should be given to placing a stop payment order on the cheque.

If law practice becomes aware that it has incorrectly disbursed trust funds, the law practice needs to: 

It should be remembered that law practices have an obligation to restore any deficiency to the trust account immediately they become aware of the deficiency.