Two B.C. law firms were targets of so-called social engineering frauds that caused almost $2 million in real estate and investment funds to be wired to people other than the clients the firms believed they were paying.
In one case, a client had given instructions for a fund transfer in person. Before the transfer, though, the firm received an email purportedly from the client. It was, however, from the fraudster and directed the firm to wire funds to a different account.
The client never received the funds as the lawyer sent the funds to the fraudster’s account. In this case, the email address used by the fraudster was identical to that used by the client.
The second firm redirected over $1.5 million in investment funds held in trust for a corporate client raising capital in a securities transaction.
As in the first case, the firm originally received payment instructions from the corporate client. And, before wiring the funds to the client, the firm received an email, purportedly from the client but actually from the fraudster, directing that the funds be wired to a different bank account.
Once again, funds were sent to the fraudster and not received by the client. In this case, the email address used by the fraudster was identical to that used by the client, except for one letter.
The law society suggests lawyers, clients and other businesses can protect themselves in various ways:
- Any time a payment is imminent, assume that a hacker is also aware. Any client’s or lawyer’s email account can get hacked, allowing a fraudster to perpetrate a social engineering fraud on the lawyer;
- Establish due diligence protocols for transferring funds and ensure all staff receive training and adhere to them; and
- Be aware that scammers can replicate firm and company websites.