Moving Money on Emailed Instructions

By: Tana Christianson, Director – Insurance

We have been warning you for a couple of years to never accept new or changed payment instructions from your client by email without checking if that email really came from them.

We think that by now, most lawyers and their staff know that if a client gives them instructions by email to move funds, they should call the client at the phone number on their file and confirm that the client had in fact emailed the instructions and that nobody had been hacked.

Last month a local lawyer encountered a new twist. They were acting for a client who had a transaction closing. The law firm informed the client of the amount required to close the transaction and told the client to get a bank draft or a certified cheque to the lawyer before the closing date.

The client called the lawyer from her bank branch at the suggestion of the bank teller. The client had received an email, purportedly from the lawyer, telling the client to wire the funds to certain coordinates. The client had gone into the bank to arrange for the wire transfer and an alert teller had suggested that she call her lawyer before wiring the funds.

Sure enough, the client’s email had been hacked. The fraudster had sent an email that appeared to come from the lawyer’s firm giving her instructions to send the money to the fraudster’s account.

We know that law firms have been warning clients that the firm will not accept changes to payment instructions by email. It would be a good idea to warn your clients that you will not be changing your payment instructions to them by email either.

What Can You Do to Avoid Future Frauds?

  1. Share cyber security and awareness information with lawyers and staff, using the Law Society’s Cyber Security resource library as a starting point;
  2. Educate all lawyers and staff in your firm about fraud risks directed at law firms:
    1. Review and discuss the Law Society’s recently updated Fraud Awareness page in the Trust Accounting Fundamentals;
    2. Reference this article as a real-world example of why you need to follow these steps, as well as earlier Communique articles from June 2022, December 2022 and January 2023;
    3. Walk through the Safe Flow of Funds guideline, found in the Trust Accounting Fundamentals.
  3. Review and discuss your firm’s cheque requisition process, adding a checklist if you don’t already use one. If you already have a checklist, review it to ensure key elements and risks are addressed;
  4. Include anti-fraud awareness and training as part of orientation of all new lawyers and staff;
  5. Refresh existing staff knowledge by ensuring their cyber security knowledge and awareness is kept current;
  6. Review your checklists as you receive new information to ensure they evolve with the ever-changing fraud techniques; and
  7. Tell your clients that you will not be changing payment instructions by email either and that if they do receive an email purportedly from you re-directing funds, they should phone you at the phone number that they look up in the Law Society’s Lawyer Lookup or in previous communications from you.

For more information, visit the Cyber Security Resource Library.