Hacked: A Cautionary Tale
Solicitors need to be vigilant when transferring funds. You may think email hacking couldn’t happen to you but lawyer Simon Kerr cautions against complacency.
This article appeared in the March 2018 edition of the Law Institute of Victoria Journal
By Simon Kerr
8 March 2018
I have always taken the view that the only way I could fall victim to cybercrime was if access to my online banking facilities was compromised. Further, if my bank account were hacked I had faith that my bank would reimburse me. After all, I have installed the latest anti-virus and anti-malware software and use best practice when it comes to protecting passwords. The idea that someone could fraudulently convince me to make a payment was unthinkable. I had little sympathy for those victims of the “Nigerian millions” or the “long lost uncle’s millions” except where the victims have been elderly people who are sometimes naïve when it comes to the internet and identity fraud.
Anyway, this all changed for me recently. This is how it happened to a client who was in the business of importing goods from China.
The client had ordered goods from the supplier over the past few years. In each case there was a deposit paid for the goods and then, once the container was loaded and a bill of lading was supplied to the client, the client would pay the balance so that the container would be released on arrival in Australia.
In this case the deposit was paid to the usual bank account of the Chinese supplier. Then, after the container was loaded and the balance became due, the supplier purportedly sent an email with a copy of the bill of lading and instructions to pay the balance into another account – this account was with Lloyds Bank rather than Bank of China which was the customary bank.
My client, being diligent, queried why the supplier would change their account and sent an email to that effect. The supplier replied with a perfectly reasonable explanation about exchange rates and the like. Accordingly, my client made the payment of the balance due to the Lloyds account. Importantly, the account name provided for the Lloyds account was the supplier’s exact name. The name that appears on an account when making an electronic transfer means nothing. It is meaningless. The only information the recipient’s bank uses to identify the money’s destination is the account numbers (ie, BSB and/or SWIFT code together with the account number).
Three business days after the balance due was paid, the supplier contacted my client by phone and said they could not see the money in their account. My client responded: “To which account are you referring?” The supplier replied (you guessed it) “We only have one account”.
There ensued a flurry of calls to banks and fraud squads (even to Scotland Yard) but it was all too late: the client had transferred $US25,000 to an unknown third party who immediately appropriated the funds.
The fraudsters (I am informed they are most likely an eastern bloc organised crime gang) had hacked the supplier’s server in China and intercepted all incoming mail. They could even amend the incoming mail and forward it through to the supplier.
As for the supplier’s outgoing mail, while the fraudsters couldn’t send an email from the supplier’s server, they set up other email addresses that were almost identical to the supplier’s email, for example “email@example.com” might become “someone@_abc.com” (notice the underscore).
These emails, like all emails, arrive in your inbox with the usual sender’s name in large font on top of the subject line and will only be picked up if you pay close attention to the email address (which I for one never do). When you reply the email doesn’t even need to be intercepted, it will go directly to the fraudster who can then start to converse as if they are the intended recipient.
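The lookalike-address trick described above can be checked mechanically rather than by eye. The following is an added example, not part of the original article: it flags a sender whose display name matches a known contact but whose address differs, or whose address is within two character edits of a known one. The contact names and addresses are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed address book: display name -> address the contact has always used.
KNOWN_CONTACTS = {
    "Example Supplier Co": "sales@supplier.example",
    "Joe Citizen": "joe.citizen@mail.example",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-identical addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def check_sender(from_header: str, max_edits: int = 2) -> list:
    """Return warnings for the From header of one inbound message."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for a in KNOWN_CONTACTS.values()}

    # The mail client shows the display name prominently; compare the address
    # behind it with the one this contact has used before.
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected and addr != expected.lower():
        warnings.append(f"'{name}' normally writes from {expected}, not {addr}")

    # An address that is almost, but not exactly, a known one is the
    # "_abc.com" pattern: one or two characters added or swapped.
    if addr not in known:
        for k in sorted(known):
            if 0 < edit_distance(addr, k) <= max_edits:
                warnings.append(f"{addr} is a near match for known address {k}")
    return warnings
```

A warning from either check is a reason to confirm any payment instruction in that message through a separate channel before acting on it.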
- the fraudster opens a bank account using someone else’s identity (either a stolen identity or a real person who is paid a nominal amount to open the account and then provide the fraudster with the online access details)
- the fraudster sends the fake email and continually monitors the account waiting for payment
- as soon as any funds hit the account (remember the account name means nothing) they are immediately wired around the globe after which the money is untraceable.
What happened to the $US25,000? It was not recoverable and the client had to swallow a very bitter pill. The bank would not accept any liability because the payment had nothing to do with their systems and there was no insurance in place for this kind of event. It also took more than 10 weeks (because of privacy and various fraud departments in no less than three banks running separate investigations) for the client’s fears to be confirmed.
Your trust account
Now, suppose you have sold a property for an interstate client whose email address is firstname.lastname@example.org. You regularly deal with Joe via email and have very little telephone contact.
You send an email to Joe letting him know that settlement has occurred and you are going to forward the balance of proceeds to him once the funds clear in your trust account.
Joe’s email server has been hacked. You receive a reply from email@example.com telling you that he wants you to deposit the funds into a different account and gives you the account details and thanks you for your excellent work.
You don’t pick up the difference in the email and your office transfers the funds from trust to Joe’s “nominated” account.
You are now faced with the reality of explaining to the Legal Services Board why Joe’s trust account ledger has a negative balance and worse still, you must try and explain this to Joe. Sure, you can try telling him that it is his fault because his email was compromised . . . but good luck with that.
All practitioners should have two-step authorisation before paying any money from a trust account – written authority coupled with some other communication. In my view, best practice would dictate written authority and audio-visual authority (for example via Skype or FaceTime). However, if this is not practical then, at the very least, consider getting written and verbal authority.
I, like many sole practitioners, use Leap as my practice management system and I intend to ask Leap to incorporate a two-step authorisation as a checklist which needs to be ticked off before entering a payment from trust.
Simon Kerr is principal at Kerr & Co Lawyers, Geelong.