At least two Queensland law firms have lost several million dollars after falling victim to a “highly sophisticated” email scam, prompting an urgent warning from the Queensland Law Society.
Hackers commandeered the email accounts of staff at the law firms by tricking them into revealing their email account login details before hijacking payments from clients.
QLS president Christine Smyth said at least one of the firms that had been hit by the scam was on the Gold Coast, with both legal practitioners and clients having lost out.
“The precise method of attack varies, but the essence is that the criminals obtain access to the firm’s email accounts and use this to misdirect trust money or settlement funds,” Ms Smyth said.
“Some thefts have been of money going to the trust account, others involve money incorrectly paid out.
“Although conveyancing transactions have been hardest hit, any movement of trust funds is at risk.”
Robbins Watson Solicitors managing director and IT expert Andrew Smyth said hackers have been making attempts to access staff email accounts “almost every day” at his workplace.
Mr Smyth described the hackers’ two-step plan.
The first phase sees the scammer email a law firm expressing interest in using their services, a common backstory is that they are buying a house and are interested in conveyancing services.
The hackers continue the conversation until they say they will go ahead and use the firm.
At this point, they send a link to supposed important documents the firm will need. The link is protected and personalised for the specific legal staffer who they have been speaking with and requires them to enter their email address and password to access the documents.
Once the login information has been entered, the scammers have what they came for and the matter goes no further.
Then comes phase two.
The hackers monitor the legal staffer’s email account and watch for information about settlements and payments that need to be made.
When the deadline comes for money to be paid to the firm from the client, the scammer emails the client, posing as the law firm, and reminds them.
However, they change the bank account details where the money needs to be paid to. The hackers give their own desired account instead of the firm’s trust account.
Once the transaction is done, the firm and client are left trying to figure out where the money has gone.
“They are quite cunning. They’re not auto-bots, they are people who speak good English, answer in a convincing away and come with a backstory,” Mr Smyth said.
“There’s a bit of a pattern that you can pick if you have seen these kinds of emails before.
“These emails are coming almost every day now at our firm, just from different people.
“It’s something we talk about with staff on a daily basis, as soon as you are asked for email credentials then pull back.
“But a smaller one-man-band firm with a junior staffer may not be so alert.”
Ms Smyth said the scam was difficult to detect because the source of the emails is trusted, but there are preventative measures that can be taken.
“Firstly, all practitioners must take the measures they can to ensure their email account is secure and stays secure. Recognise that legitimate sites do not request your email credentials,” she said.
“Verify the validity of payment instructions. Funds transfers to bank accounts are the target of this scam.
“When the sums involved are large, some extra security precautions are warranted to verify the banking details you have been provided.
“This can be as simple as telephoning the other law firm (or client as the case may be) and verifying with them the bank account details you have been sent.
“Encourage your clients to call you to verify your trust account details before transmitting funds to your bank account.”
“Let them know that you won’t send them new banking details immediately before settlement.”
A Queensland government spokesman said law firms were not immune to cyber threats.
“All law firms should be vigilant in this area and ensure they take appropriate steps to protect themselves and their data.”