Subscribers should agree with their clients in advance on how changes in payment instructions will be handled.
ALIA strongly recommends that Subscribers discourage or eliminate accepting banking details or wire transfer instructions via email. Subscribers should confirm with their clients that email should not be used to communicate banking instructions or changes unless they are approved by telephone via a known number, video conference or, if possible, in person.
Changes in banking instructions should be an immediate and significant red flag.
As the Zurich Policy does not cover social engineering losses, Subscribers must protect themselves by verifying all changes to payment instructions by confirming the change in instructions using a different medium from which they were first received (e.g., if you receive new instructions via email, then you should call your client at the phone number contained in your file to verify the payment instructions). This step can help reduce the risks posed by email hacks and cases where documents have been intercepted and manipulated.
Law firms that have implemented independent verification protocols have successfully foiled fraud attempts. For example, a quick call to verify written wire payments might save you from being a victim of fraud.
Make fighting fraud part of your law firm’s culture by continually educating yourself and training your staff about fraud risk.
Below are examples of independent internal verification in action:
- A law firm partner emails from the firm address or a personal email instructing you to wire money out of trust. You walk down the hall to the partner’s office to ask if the partner sent the instructions. You learn the partner is out of the office, and rather than replying to the email to confirm the direction, which will not help if the email account is compromised, you decide to call or text the partner.
- Before wiring funds to another firm, a lawyer from Firm A emails wire instructions to a lawyer at Firm B. The lawyer or staff from Firm B calls the lawyer or staff at Firm A to confirm the wire instructions. This verification process can also apply to receiving wire instructions from a financial institution or any other request for payment by wire transfer.
- Before wiring funds to a client, the client emails to instruct you to wire payments to an account. Next, you call the client at the number you have on file to verify that the client’s instructions are valid and that the client’s account has not been hacked.
ALIA regularly publishes information on social engineering scams targeting Alberta lawyers and law firms in ALIAlerts. For more tips on how to prevent business email compromise, a form of social engineering, view the following articles: