Thanks largely the excellent work being done at Avoid a Claim blog by LawPro, Ontario lawyers’ professional liability insurer, we now receive ongoing updates about cybercrime, and in particular, criminal efforts to target law firms and steal from lawyers’ bank accounts.
A post last week by Tim Lemieux provided a splendid, nuts and bolts roadmap on the steps fraudsters took to steal several hundred thousands of dollars from a law firm trust account. It all began with a phishing email that duped a firm’s unwitting bookkeeper into providing its bank account numbers by telephone directly to the bad guys.
So the cybercrime problem is here and well documented. The question is how do we react and protect ourselves?
Let me offer these tips:
1. Ensure that only one staff member within your firm is authorized to communicate with your firm’s bank. If bank
enquiries are received via anybody else, these enquiries should be directed to the firm’s sole, authorized bank liaison person.
2. The person authorized as your bank liaison person should be instructed to immediately seek guidance from the supervising lawyer prior to responding to any unusual bank-related enquiry.
3. Educate your staff about phishing emails and why they should never be responded to. Inform your staff and associates that enquiries from banks rarely will come from unknown persons or unsigned emails. Bank enquiries are almost never general or generic. They tend to be about specific transactions, and due to privacy legislation and regulation, will virtually never be sent to anyone other than the firm’s authorized bank liaison person.
4. Use your phone’s call display to verify the identity of any unfamiliar caller purporting to be from your bank. Unless the incoming phone number coincides with your bank branch’s phone numbers, take a message, obtain a return number, contact your branch to report the call and verify the caller’s bona fides. Only then, if safe and appropriate, should you call back to address the unfamiliar caller’s enquiry.
5. Do a training session in your firm about the kinds of frauds that law firms now need to worry about and protect themselves against. Talk about examples in the press and on Avoid a Claim . Give your staff and lawyers the information they need to know to protect the firm’s bank accounts.
6. Ask your staff if they have ever received any suspicious calls or emails related to the firm ‘s banking. Be proactive about informing yourself on whether your firm has already possibly been targeted.
7. Instruct your bank to contact your liaison person for confirmation prior to releasing any funds via wire transfer from your account. Put it in writing. Ensure that your instructions are specifically noted on your Bank’s customer and account records.
8. Discuss this concern with your bank. Ask your bank for its advice on best practices to avoid victimization.
9. Ensure that all firm computers have up to date, working anti-virus and anti-malware software, and that such software is set to conduct daily scans to detect keyloggers and other malicious software that could be scooping confidential information from your network.
10. Stay informed. Fraudsters’ tactics will continue to evolve, and yesterday’s scam is unlikely to be tomorrow’s. Regularly read Avoid a Claim for updates on current risks and dangers.
– Garry J. Wise, Toronto (@wiselaw on Twitter)