Don't Be Complacent
It is disconcerting to me how many lawyers think they would never be duped by fraud. If you take one thing from this article, don’t be complacent and think you will never be fooled. And firm size doesn’t matter. Lawyers and staff members at firms of all sizes are being targeted—and successfully defrauded.
These frauds are often very sophisticated. The fraudsters will be very convincing, their contrived legal issues will look like a legitimate matter, and the client ID and other documents you get will look real. The fake checks you will get from them are indistinguishable from real checks as they are printed on real check stock. Phishing emails will appear to come from your existing clients, your bank or other legitimate companies.
Fraudsters will email you posing as colleagues or clients, and corporate documents may be altered or created to show the fraudsters as the individuals involved with a corporate entity. Two or more fraudsters can collaborate on both sides of a transaction to make the scenario even more convincing—and the fraud far more likely to succeed (e.g., the person selling the equipment to your client is also a fraudster who is in cahoots with your client). While initial contacts will be by email, some may come to your office in person or follow up with you over the phone.
As the malpractice carrier for every lawyer in private practice in Ontario, LAWPRO gets a complete perspective on the frauds targeting trust accounts. The two most successful frauds LAWPRO sees are bad check scams by fake clients and spear phishing.
Bad Check Scams
At their core, most bad check scams are very simple. Fraudsters will retain a lawyer for a contrived legal matter that sets up circumstances for a deposit of a counterfeit check or bank draft into the firm’s trust account. The contrived circumstances of the matter also typically require an urgent transfer of the deposited funds out of the trust account, usually by wire, giving real funds back to the fraudster. When the bad check or draft bounces—usually long after there is any chance to recover the wired funds—the law firm is left with a shortfall in its trust account. Bad check scams are usually done by email. No effort will be spared to make these contrived legal problems look like legitimate legal matters. The fraudster will provide legitimate-looking identification along with the supporting documentation you would see on a real matter. Following are examples of the most common contrived legal matters used as a setup for bad check scams:
- Equipment/inventory purchase fraud. Typically targets business lawyers. Fraudster will ask you to handle an equipment or inventory purchase. To rush payment, the buyer will say the purchase price is a bargain that will be lost to someone else unless the payment is made quickly.
- Business loan or debt collection fraud. Often targets litigators. Fraudster will ask for help with a commercial debt or personal business loan collection. Despite the client stating a lawyer is needed to help push for payment, the debtor pays without any hassle.
- Divorce settlement fraud. Targets family lawyers. Fraudster will ask for help with collection from ex-spouse, often further to a collaborative settlement agreement. Ex-spouse will pay up with little or no pushing.
- Real estate deposit fraud. Targets real estate lawyers. Overseas purchaser gets in touch with real estate lawyer, sometimes through real estate agent. Fraudster will send lawyer a deposit check for a property they saw online. Fraudster then backs out of the deal and asks lawyer to wire the deposit funds back, minus a generous fee for the lawyer.
- Intellectual property rights fraud. Targets IP or business lawyers. Fraudster seeks damages for the breach of a trademark or copyright agreement. The person or company in breach will pay up with little or no pushing.
Red Flags of a Bad Check Scam
To avoid being duped, savvy and street smart lawyers and law firm staff should recognize these red flags of a bad check fraud:
- Client is in a distant jurisdiction.
- Client is new to your firm.
- Initial contact email is generically addressed (e.g., “Dear attorney”) and/or BCC’d to many people.
- The name and/or email address in the From line is different from the name and/or email address of the person you are asked to reply to in the body of the email.
- Client uses one or more email addresses from a free email service (e.g., Gmail, MSN, Yahoo!), even when the matter is on behalf of a business entity.
- Domain name used in email address or website was recently registered (check at WhoIs.net).
- Email header indicates sender is not where he/she claims to be.
- Client says he/she prefers email communication due to time zone differences.
- Client will sign retainer agreement without questions, but never actually makes the requested payment and then will suggest retainer be taken from the check.
- Client is in a rush and pressures you to do the deal quickly before the check clears.
- Client shows up and wants the matter completed just before a holiday when banks are closed.
- Client is willing to pay higher-than-usual fees on a contingent basis from (bogus) funds you are to receive.
- Check or bank draft arrives at your office in a plain envelope and/or without a covering letter.
- Check is drawn from the account of an entity that appears to be unrelated (e.g., a spousal arrears payment from a business entity).
- Payment amounts are different than expected or change without explanation.
- Client instructs you to quickly wire the funds to an offshore bank account based on changed or urgent circumstances.
- Client and others involved don’t seem concerned if shortcuts are taken.
- Some or all of the payment is going to a third party who appears unrelated to the matters.
Some of these red flags may occur on a legitimate file, but when they show up on the same file the alarm bells should go off. If you see multiple red flags, proceed with extreme caution and follow the steps in "Due Diligence on a Suspected Fraudster" (below) to help determine if the client is a fraudster.
The Basics of Phishing/Vishing/Smishing
Phishing is one of the most common scams that cybercriminals use because it can produce spectacular results with very little effort and expense on the part of the hacker. Phishing occurs when a fraudster tries to acquire sensitive information (e.g., usernames, passwords or credit card details) by masquerading as a person or entity you trust. Phishing can occur by email, a text message (called “smishing”) or phone call (called “vishing”). With bulk email and texting tools or auto-dialers, fraudsters can easily phish/smish/vish tens of thousands of people, and they only need to successfully dupe a few people to make it pay off. While the rest of the article references phishing, the comments apply equally to smishing and vishing.
For example, one commonly used phishing message is one that will appear to come from your bank or an online retailer you have dealt with. The message will say that your account has been compromised or that a payment is due, and it will ask you to log in to reset your password or to make or verify a payment. However, the link you click on in the phishing message takes you to an imposter website that looks much like the site of your bank or the retailer you deal with, but when you log in you are actually giving your password or other personal information to the hackers. They will use your information for malicious purposes such as ID theft or credit card fraud. (See sidebar, "Sample Phishing Scam Messages" below)
Cybercriminals do their best to make phishing messages look official and legitimate. They will mimic real communications from the company or entity they are masquerading as by using the same layout, fonts, wording, message footers and copyright notices, etc. as official messages. They will often include corporate logos and even one or more links to the alleged sender’s real website.
To make it more likely you will fall for the scam, phishing messages commonly involve urgent scenarios—one of the big red flags. They may suggest that you must reset your password because your account has been compromised by hackers, or they may request that you log in to your account to review an invoice or deal with an outstanding payment. To make matters worse, clicking on links or attachments in phishing messages often causes malware to be downloaded to your computer as well.
A common vishing scam is a call from someone claiming to be from Microsoft who tells you your computer is infected and that you must go to a special website to download an update that will fix the problem. Phishing scams can also be a request to complete a survey or to give information to collect a prize you have won. They can also be requests for money supposedly from someone you know.
Spear phishing attacks take phishing to a higher level. The “spear” in spear phishing alludes to the fact that these messages are targeted to specific individuals and may include other detailed personalized information, making them even more convincing. They are a concern as they are becoming more common and they are more likely to fool the person receiving them.
In one recent spear phishing attack, a senior accounting person at a large firm received a request on an active file, purportedly from the firm’s managing partner, to send a bank account number and account signatures to a person in Europe so they could verify a certified check was from the firm. While spear phishing scammers may use public information to personalize the message (e.g., a posting on social media that indicated where the sender is), in this case, the fraudster seemed to know details about the matter that were not public. The email was even followed up with a phone call.
Thankfully, the person receiving the email noticed some irregularities that served as red flags: The email opened with an honorific and surname, notwithstanding that these two people had worked together for more than two decades and always addressed each other using their first names; the message used odd phrasing; and, on the call, the person had an accent that was incongruous with the ethnicity of the name used in the email.
Even Very Simple Scams Can Work
Over the last few years LAWPRO has received hundreds of reports of an email funds transfer fraud targeting Ontario lawyers. Given the similarity of the conversations and the email addresses that are being used, we believe it is the same individual(s) behind this fraud. It has been successful several times.
This fraud is remarkably simple. A lawyer or staff person at the firm will receive an email requesting assistance with making a payment. This request will appear to come from a firm lawyer who is out of the office. While the name of that lawyer will appear in the From line of the email, the email address it was sent from will not be a firm email address (the real address will be hidden behind the name that is displayed). This leads the person in the office to believe they are communicating with their colleague, when in fact they are communicating with the fraudster.
The following is the email exchange that occurred on one of these frauds between the lawyer in the office (the Office Partner) and the fraudster (Vacation Partner). Coincidentally, or not (did the fraudster perhaps know this from a social media post?), the Vacation Partner was out of the office preparing for a vacation—something that made the request seem more legitimate.
From: Vacation Partner (fraudster)
Sent: 6/9/2017 12:00 PM
To: Office Partner
Subject: Re: Request
Are you in the office?
The Office Partner answered less than a minute later:
From: Office Partner
Sent: 6/9/2017 12:00 PM
To: Vacation Partner (fraudster)
Subject: Re: Request
The fraudster then set up a wire-transfer fraud with this message:
From: Vacation Partner (fraudster)
Sent: 6/9/2017 12:03 PM
To: Office Partner
Subject: Re: Request
I am tied up in a meeting and I want you to handle a payment for me today. Let me know how soon you can get it done and I will forward you the details.
These two lawyers had worked together for many years and often helped each other out. In this case the Office Partner took steps to make the payment the fraudster requested, but thankfully, figured out it was a fraud while waiting in line at the bank. In this case, looking at the email address behind the displayed name would have confirmed this was a fraud. LAWPRO has paid claims where lawyers were successfully duped on frauds that started with similar conversations. Lawyers and staff alike should be trained to recognize phishing scams.
How to Spot Phishing Messages
Phishing scams work because some people are gullible. If you get a phishing message from a bank and you don’t have an account there, you aren’t likely to fall for the scam. However, if you have an account at that bank, the message may look legitimate to you and you are more likely to fall for the scam. Here are some clues that can help you recognize a phishing message:
- The link you are asked to visit is different from the company’s usual website URL (see the next paragraph).
- The main part of the sender’s email address is not the same as the company’s usual email address.
- Bad spelling and poor grammar.
- Nonsensical or rambling content.
- The promise of receiving money or another big prize.
- Anyone asking for money—even if you know them.
Checking the link you are asked to go to is one of the best ways to confirm that a message is a phishing scam. Place your mouse over the link you are asked to go to (but don’t click on it!) and look at the status bar of your browser window (usually at the lower left). It will show you the URL the link actually points to. It should start with the proper characters of the proper website (e.g., lawpro.ca) and not a URL that appears unrelated (e.g., http://12.67.876/aed/1234/bnklogin). An unrelated URL virtually guarantees it is a phishing scam. Watch for small differences: “yourfirm.com.tv” seems close but is different!
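The hover check described above can also be done by a script that reads the link targets out of an email body, which is useful for training staff or for screening messages before anyone clicks. The Python below is an added example and is not part of LAWPRO's article or any product it describes. The trusted domain list (lawpro.ca and a made-up "yourfirm.com"), the sample message body and the two-label rule for the registrable domain are all assumptions constructed for the example; the only URLs taken from the article are the unrelated numeric address and the "yourfirm.com.tv" lookalike.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the firm and its bank legitimately use. Constructed for this
# example; a firm would list its own domains and its bank's here.
TRUSTED_DOMAINS = {"lawpro.ca", "yourfirm.com"}


def registrable_domain(host):
    """Return the last two labels of a host ("www.lawpro.ca" -> "lawpro.ca").
    Simplification (assumption): production code would consult the Public
    Suffix List so that multi-label suffixes such as .co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_is_numeric(host):
    """True for an IP-address host, or for a malformed all-digit host such as
    the article's "12.67.876", which is not a valid address but is no company
    name either."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return all(label.isdigit() for label in host.split("."))


def classify_link(url):
    """Classify one link target the way a reader hovering over it should."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "no host"
    if host_is_numeric(host):
        return "numeric host"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # "yourfirm.com.tv" or "lawpro.ca.secure-login.net": the brand name appears
    # as a label, but the registrable domain belongs to someone else.
    brand_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(label in brand_labels for label in host.split(".")):
        return "lookalike domain"
    return "unrelated domain"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return (href, visible text, verdict) for every link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href)) for href, text in collector.links]


# Constructed sample body modelled on the "Account Alert!" message in the sidebar.
SAMPLE_BODY = (
    "<p>Your account access will be released as soon as you verify your information.</p>"
    '<a href="http://yourfirm.com.tv/verify">Review Your Account Activity</a>'
    '<a href="http://12.67.876/aed/1234/bnklogin">Sign on</a>'
    '<a href="https://www.lawpro.ca/">lawpro.ca</a>'
)

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_BODY):
        print(f"{verdict:18} {text!r:34} -> {href}")
```

Run it on a saved message body and anything other than "trusted" deserves the phone call the article recommends. The verdict names are deliberately coarse: the point is that a link is judged by its registrable domain, not by the words shown in the link text or by a familiar name appearing somewhere in the host.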
Watch out for and don’t respond to phishing requests. Never reply to unsolicited or suspicious emails, instant messages or webpages asking for your personal information (e.g., usernames, passwords, Social Security number, bank account numbers, PINs, credit card numbers, mother’s maiden name or birthday), even if they appear to be from a known or trusted person or business. Legitimate businesses should never send you an email message asking you to send your username, password or other information to them in an email message. If in doubt, call the company yourself using a phone number from a trusted source. Don’t use the number in the email—it could be fake, too!
Please advise lawyers and staff at your firm to be highly suspicious of any email requests to transfer funds. Please consider implementing a policy that any such requests are carefully scrutinized and verified directly with the individual making the request. Do not rely on the sender’s displayed email name—to deceive you the fraudster will spoof (fake) it so it appears as the name of a person at your firm. Look behind the displayed name to see the email address the message was actually sent from.
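"Looking behind the displayed name" is something a mail filter or a help-desk script can do for every incoming funds request. The Python below is an added example, not LAWPRO's code, that parses a raw message with the standard library and reports three of the article's red flags: a colleague's display name paired with a non-firm address (the Vacation Partner scenario), a Reply-To address that differs from the From address, and a sender on a free email service. The firm domain "yourfirm.com", the colleague table and both sample messages are constructed assumptions; only the headers' wording follows the exchange quoted above.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed assumptions: the firm's own domain, and the firm address that
# each colleague's name should resolve to when it appears as a display name.
FIRM_DOMAIN = "yourfirm.com"
COLLEAGUES = {"vacation partner": "vpartner@yourfirm.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "msn.com"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_parts(raw):
    """Return (display name, actual address) from the From header."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return parseaddr(str(msg.get("From", "")))


def flags_for_message(raw):
    """Return red-flag codes, in a fixed order, for one raw RFC 5322 message."""
    msg = Parser(policy=policy.default).parsestr(raw)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()

    # A known colleague's name shown, but the address behind it is not theirs.
    expected = COLLEAGUES.get(display.strip().lower())
    if expected and addr != expected:
        flags.append("display-name-spoof")

    # Replies would go somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if reply_addr.lower() != addr:
            flags.append("reply-to-mismatch")

    # Business sent from a free webmail account.
    if _domain(addr) in FREE_MAIL:
        flags.append("free-mail-domain")
    return flags


# Constructed sample messages. The first mimics the fraud exchange in the
# article; the second is what the genuine colleague's message would carry.
SPOOFED = (
    "From: Vacation Partner <vacation.partner.law@gmail.com>\n"
    "Reply-To: vp.desk.legal@yahoo.com\n"
    "To: Office Partner <opartner@yourfirm.com>\n"
    "Subject: Re: Request\n"
    "\n"
    "Are you in the office?\n"
)
GENUINE = (
    "From: Vacation Partner <vpartner@yourfirm.com>\n"
    "To: Office Partner <opartner@yourfirm.com>\n"
    "Subject: Re: Request\n"
    "\n"
    "Are you in the office?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        name, address = sender_parts(raw)
        print(f"{label}: displayed {name!r}, actually from {address}")
        print("  flags:", flags_for_message(raw) or "none")
```

The display-name check is the one that matters most for the funds transfer fraud: the name in the From line is chosen by the sender and proves nothing, while the address and its domain are what the mail actually came from. A filter built on this could quarantine any message whose display name matches a staff member but whose address is off-domain, which is exactly the mismatch the Office Partner would have seen by looking behind the name.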
Would Insurance Help?
Consider whether you have or should get insurance that would indemnify you for a fraud loss. As frauds may be excluded from coverage, check the terms of your professional liability and other insurance policies to understand the coverage you have and so you can consider adding protection for fraud or other cyber dangers.
Education Is the Key
Educate the lawyers at your firm to make sure they will recognize and not be duped by bad check frauds and phishing scams. And just as importantly, give the same education to your staff as it is just as likely that they will be targeted. Make sure there are financial controls at your firm that provide for a clear process with respect to the initiation, approval and making of any payments. And never bypass these controls due to urgent circumstances. Be on the lookout for and carefully investigate any last-minute request to change the payee on funds transfers or payments.
With appropriate education and knowledge, lawyers and law firm staff can easily spot and avoid bad check scams and phishing messages. An ounce of prevention is worth a pound of cure as it is virtually impossible to get money back; take time to educate staff and lawyers.
And if you aren’t completely sure a matter is legitimate, terminate the retainer. Don’t be sucked in by your emotions or a strong desire to help. Don’t let the lure of a generous fee cause you to ignore your concerns as to the legitimacy of a matter. If you’ve been asked to do something that seems irregular, ask questions. If it looks too easy or sounds too good to be true, it probably is.
Sidebar: Due Diligence On a Suspected Fraudster
Before sending sensitive information or payments, take these steps to cross-check and verify information provided to you by the client.
- Cross-check names, addresses and phone numbers of the client and other people/entities involved in the matter on Google and other search engines. (To find exact matches, enclose your search terms in double quotes.)
- Do reverse searches on phone numbers.
- Look up addresses using Street View in Google Maps.
- Ask your bank or the issuing bank to confirm the branch transit number and check are legitimate.
- Call the entity making the payment or loan and ask if they are aware of the transaction.
- Contact the company to confirm it is expecting a debtor’s payment or business loan.
- Hold the funds from the client’s check deposit until your bank confirms the funds are in your account.
Sidebar: Sample Phishing Scam Messages
Here are six examples of phishing scam messages masquerading as people, banks or companies.
1. A message pretending to be from a bank that is intended to get you to disclose your banking information by suggesting your account has been compromised.
From : <name of bank displayed but with non-bank email address>
Subject : Account Alert!
Dear <your email address>
Your password was entered incorrectly more than 5 times. Because of that, our security team had to suspend your accounts and all the funds inside. Your account access and the hold on your funds will be released as soon as you verify your information.
Review Your Account Activity
We are sorry for this inconvenience but this is a security measure which we must apply to ensure your account safety. If you have already confirmed your information then please disregard this message
Thanks for choosing <name of bank>.
The <name of bank> Security Team
Copyright© 1999 - 2013 <name of bank>. All rights reserved.
Link to real bank’s website
2. A message pretending to be from a debtor that is intended to get you to open an infected attachment
From: <pretend name and scammer email address>
Subject: Invoice Payment Confirmation
My name is Ann Tara, i was asked by my boss to send you the payment been made Earlier today. Kindly see the attached payment slip for confirmation. Thus acknowledge the receipt of payment been made.
3. A message pretending to be from a person you know that is intended to trick you into disclosing your Google login credentials
From: <name of person you know displayed, but from a fake email address>
Subject: Document for you
Google Drive. Keep everything. Share anything
Please check the document I uploaded for you using Google Docs. CLICK HERE and just sign in with your email to view the document. It’s very important.
<Name of someone you know>
<the person’s full address>
4. A message pretending to be from Wells Fargo that is intended to trick you into disclosing your login credentials
From : <Wells Fargo name displayed but with non-Wells Fargo email address>
Subject : Wells Fargo: Changes to Your Membership Checking Account
Important changes coming to your Membership Checking Account
There are important changes coming to your Membership Checking account that will take effect September 1, 2020. Please sign on to view a secure message about these changes.
Thank you. We appreciate your business.
Wells Fargo Online Customer Service
Wells Fargo Fraud Information Center
Wells Fargo Bank, N.A. Member FDIC.
Please do not reply to this automated email.
5. A message pretending to be from PayPal that is intended to trick you into disclosing your login credentials
From : <pretend name and fake PayPal email address>
Subject : Restore your account.
Dear PayPal Customer,
During our regularly scheduled account maintenance and verification procedure we have detected a slight error in your Paypal account. This might be due to the following reasons:
1. A recent change in your personal information (ie. change of address, email address)
2. An inability to accurately verify your selected option of payment due to an internal error within our systems.
Please fill in all the details that are required to complete this verification process. To do this we have attached a form to this email. Please download the form and follow the instructions on your screen.
Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience. If you choose to ignore our request, you leave us no choice but to temporary suspend your account.
Please do not reply to this email because we are not monitoring this inbox.
Copyright© 2013 PayPal, Inc. All rights reserved.
6. A message addressed to you from someone you know “stuck in London” asking for money
(If you are getting this message, it likely means the person that it is from has had their email account hacked, likely by falling for a phishing scam.)
From: <name and email address of person you know>
Subject: Please help me
I’m sorry for this odd request because it might get to you too urgent but it’s due to the situation of things right now. I’m stuck in London, England right now, I came down here for a short vacation then i was robbed, worse of it is that bags, cash and cards and my cell phone were stolen at GUN POINT, it’s such a crazy experience for me, I need help flying back home, the authorities are not being 100% supportive but the good thing is i still have my passport and return ticket but currently having troubles paying off the hotel bills and also getting a cab to take me to the airport.
Please i need you to loan me some money, will refund you as soon as i’m back home, I promise. All i need is ($900 USD) but dont know how much you would be able to spare. we will be waiting to hear back from you on how you can get the fund to me please