
#64 Verify Pay Out Instructions Before Transferring Funds

Recently, a BC law firm was tricked into sending over $4 million by wire transfer to fraudsters. The firm was acting for a lender in a commercial financing transaction for a property development. The scammers had already obtained access to the lender firm’s email and inserted themselves into email communications, impersonating the borrower’s lawyer. The scammers sent fraudulent wire instructions requesting that the funds be paid to an account with a numbered company as the account holder. The firm then wired the funds. Unfortunately, the lender’s lawyer did not phone the developer’s lawyer to verify the payment instructions. That step would have prevented the fraud from progressing. The fraudster also used their access to the email account to intercept communications, causing further delay with the intention of moving as much of the money as possible to other accounts before the scam was detected.

Before paying out funds in any matter, verify that instructions sent by email are legitimate through direct phone or in-person contact with the party providing the instructions. If the instructions are from your client, contact your client directly using the original number in the file or in person. If the instructions are from a bank or another law firm, call to confirm that the transfer instructions are legitimate using the number on your file or from a reliable directory. Never use the contact information provided in the instructing email (or confirming letter). Setting up protocols within your firm to make a verification phone call on every payment of trust funds would be of benefit.

Awareness, vigilance and training are key to cyber security. You should:

  1. Constantly educate yourself and your staff about preventing and detecting cyber fraud. Have all your staff read the notices sent out from the Law Society. We remind you of the requirements in our cyber insurance policy for annual awareness training for lawyers and staff.
  2. Set up a funds transfer verification process in which you must always verify instructions on every payment before the funds leave your account.
  3. Not rely on email communication to complete the secondary verification because – as we have seen – the email purportedly from your assistant confirming that verification has been completed may actually come from the fraudster.
  4. Make your computer network as secure as you can. Ask your IT professional to regularly test for vulnerabilities and talk to them about security, including:
    • Multi-factor authentication – Ensure two pieces of information are required to access email or your computer network. If a criminal acquires only one, your computer network may still be safe.
    • Routine backups – Regularly back up your systems and secure your information to a location that is separately secured from your network.
    • Email security – Email is the single most targeted point of entry into an organization for a criminal hacker. Talk to your IT professional about security measures and anti-phishing solutions to protect your domains against abuse in phishing or spoofing attacks.
    • Password management – Create strong, unique passwords for each account. Change them regularly and never share passwords with anyone. Encourage employees to use a password manager.

If you think you have been a victim of a funds transfer fraud, you should:

  1. Immediately notify your bank of the fraud and request a claw-back of the funds;
  2. Contact your IT department and cyber insurer to ensure the fraudster is not still lurking in your system; and
  3. Report any potential loss of client trust funds to the Law Society/Lawyers Insurance Programme.

Finally, remember that if you decide to proceed in any matter, you must always confirm a prospective client’s identification in accordance with the Client Identification and Verification Requirements in the Rules of the Law Society. Perform all searches as thoroughly as possible, be vigilant and take your time – and beware of any aggressive urgency on the part of the other parties to complete the transaction. Be cautious with all cheques received, especially if they exceed an agreed-upon amount. If you decide to proceed with a transaction, be sure to go to the bank website to verify the branch transit number, address and phone number on the cheque. Wait until the bank confirms that the funds are legitimate and are safe to withdraw from the deposit. You may also choose to use the Bank of Canada’s Lynx system, an electronic funds transfer system in which settlement occurs after the clearing of each individual payment, resulting in the transfer of funds in central bank money from one participant to another. Once settled, a payment is final and irrevocable.


Posted: April 10, 2025