Law firms lose millions to hackers in ‘highly sophisticated’ email scam

This article is but one example of the way email can be used to steal from clients. Lawyers Conveyancing has taken cyber-security a step further, and we no longer send important documents as attachments to emails. Instead, all clients have access to their own Secure Document Exchange (SDX) portal where documents can be exchanged safely and with a time-stamped audit trail.

At least two Queensland law firms have lost several million dollars after falling victim to a “highly sophisticated” email scam, prompting an urgent warning from the Queensland Law Society.

Hackers commandeered the email accounts of staff at the law firms by tricking them into revealing their email account login details before hijacking payments from clients.

QLS president Christine Smyth said at least one of the firms that had been hit by the scam was on the Gold Coast, with both legal practitioners and clients having lost out.

“The precise method of attack varies, but the essence is that the criminals obtain access to the firm’s email accounts and use this to misdirect trust money or settlement funds,” Ms Smyth said.

“Some thefts have been of money going to the trust account, others involve money incorrectly paid out.

“Although conveyancing transactions have been hardest hit, any movement of trust funds is at risk.”

Robbins Watson Solicitors managing director and IT expert Andrew Smyth said hackers have been making attempts to access staff email accounts “almost every day” at his workplace.

Mr Smyth described the hackers’ two-step plan.

The first phase sees the scammer email a law firm expressing interest in using its services; a common backstory is that they are buying a house and want conveyancing services.

The hackers continue the conversation until they say they will go ahead and use the firm.

At this point, they send a link to supposedly important documents the firm will need. The link is protected and personalised for the specific legal staffer with whom they have been corresponding, and requires that staffer to enter their email address and password to access the documents.

Once the login information has been entered, the scammers have what they came for and the matter goes no further.

Then comes phase two.

The hackers monitor the legal staffer’s email account and watch for information about settlements and payments that need to be made.

When the deadline comes for money to be paid to the firm from the client, the scammer emails the client, posing as the law firm, and reminds them.

However, they change the bank account details to which the money is to be paid, substituting an account they control for the firm's trust account.

Once the transaction is done, the firm and client are left trying to figure out where the money has gone.
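As an added defender-side illustration of the phase-two step described above (not code from the article or from any firm it names), the following Python check flags a payment reminder whose payee details differ from the firm's registered trust account. The trust account, firm domain and sample messages are constructed placeholders.

```python
import re

# Constructed placeholder values: the firm's registered trust account and email domain.
TRUST_ACCOUNTS = {("123-456", "98765432")}
FIRM_DOMAIN = "example-law.com.au"

# Australian-style payee details: a 6-digit BSB and a 6-10 digit account number.
BSB_RE = re.compile(r"\bBSB[:\s]*(\d{3})[- ]?(\d{3})\b", re.I)
ACCT_RE = re.compile(r"\b(?:account|acct)(?:\s*(?:no|number|#))?[:\s]*(\d{6,10})\b", re.I)
CHANGE_RE = re.compile(r"\b(new|updated|changed)\s+(bank|account)\b", re.I)


def extract_accounts(body):
    """Return (BSB, account) pairs found in the message body, paired in order of appearance."""
    bsbs = ["%s-%s" % m for m in BSB_RE.findall(body)]
    accts = ACCT_RE.findall(body)
    return list(zip(bsbs, accts))


def check_payment_instruction(sender, body, known=TRUST_ACCOUNTS, firm_domain=FIRM_DOMAIN):
    """Return a list of red flags for a message that tells a client where to pay; empty means none."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != firm_domain:
        findings.append("sender domain %r is not the firm domain %r" % (domain, firm_domain))
    for pair in extract_accounts(body):
        if pair not in known:
            findings.append("unrecognised payee account: BSB %s, account %s" % pair)
    if CHANGE_RE.search(body):
        findings.append("message announces changed bank details")
    return findings


# Constructed sample messages: a genuine reminder and a hijacked one sent from a lookalike domain.
LEGIT_BODY = ("Settlement is due Friday. Please pay into our trust account: "
              "BSB 123-456, Account number 98765432.")
FRAUD_BODY = ("Settlement is due Friday. Please note our new bank details: "
              "BSB 654-321 Account 11223344.")

if __name__ == "__main__":
    print(check_payment_instruction("clerk@example-law.com.au", LEGIT_BODY))
    print(check_payment_instruction("clerk@example-law-au.com", FRAUD_BODY))
```

When the fraudulent reminder is sent from the compromised mailbox itself, the sender-domain check passes, so the comparison against the registered trust account is the control that still catches it.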

See the full article at Brisbane Times