Did Your Client Really Just Instruct You to Release Funds? When Clients’ Emails Get Hacked

In the past year, lawyers are reporting a more sophisticated kind of cybercrime: a hacker will gain access into a client’s email account and comb through the account to discover communications with the lawyer. The hacker will watch communications between the client and the lawyer until money finds its way into the lawyer’s trust account, such as when litigation is settled, a house is sold, or a corporate transaction is complete, the hacker will then pose as the client and send an email to the lawyer with instructions to redirect the funds into the hacker’s account.

In some cases the hacker will use the client’s email account, send the email, and then promptly delete it. The client never knows the email has been sent until it is too late, as no record of the email exists in the client’s account.  In other cases the hacker will use an email address that looks like the client’s email address but might be off by a character or two (such as ian.hu@lawpro1.ca instead of ian.hu@lawpro.ca). If the lawyer is even slightly distracted, such as reading the email on a cell phone, or working on something else at the same time, then the discrepancy is missed. Meanwhile, if the lawyer falls for the deception and assumes that the instructions from the client are genuine, the funds are redirected to the hacker.

Take extra care when a client instructs you to release funds. Anything out of the ordinary should alert your spidey senses that something might be amiss. Double-check the email address – in some email programs only the name of the sender is displayed, but not the email address. The name is easy to spoof. But if you click on a button such as “details”, you can make sure the actual email address is corresponds to the one for your client. If the client is giving you instructions to wire the money to an account you’ve never seen or to write the cheque to someone else, call the client to confirm the instructions.

The same basic pattern can happen if the hacker breaks into the email account of an opposing lawyer, a self-represented claimant, or a third party. The hacker monitors communications until money is exchanged, at which point a request is made to redirect the funds into the hacker’s account.

As lawyers it is natural to respond quickly to a client’s instructions. It’s this very instinct that hackers prey on when they pose as the client in an email. Pay special attention to instructions to release funds, and, when appropriate, take the extra step of confirming it through another communication channel.

The best practice is to get instructions from the client at the start for how monies should be released. If this changes at any point then take extra steps. Confirm the release of monies by cheque or wire transfer using a different mode of communication than the original instructions.

Ian Hu (@IanHuLawpro)

Start the discussion!

Leave a Reply

(Your email address will not be published or distributed)