Another social engineering scam that may target you and your trust account is the “phony change in payment instructions” scam with respect to an existing file. In this situation, unlike the bad cheque scam, the client is who they say they are, at least in the beginning. However, along the way, a scammer learns about the timing of an expected payment to your client, and sends you a convincing email, redirecting the funds to them. Believing the email is from your client, you transfer funds to the scammer and create a trust shortage. Below are some examples of how this can happen.
Canadian law firms have fallen victim to the phony change in payment instructions scam and faced hundreds of thousands of dollars in trust shortages, funds which they are professionally obligated to replace (Rule 1526 – Duty to Eliminate a Trust Shortage and to Report to the Society). If you are about to pay out trust funds, and you receive new or changed payment instructions electronically from your client, assume that a hacker is impersonating your client behind the scenes.
This social engineering scam is similar to the phony change in payment instructions scam. In this scheme, scammers usually pose as individuals working in your own law firm. The fraudster “spoofs” the email address of another lawyer or senior staff member (for example, senior accounting staff) so that the message appears to come from the person whose name is displayed in the “From:” line. Sometimes a lawyer is away on vacation, and the imposter, knowing this, uses that absence as the pretext that the vacationing lawyer is unable to perform the task while away. Commonly, the imposter asks the recipient of the email (usually a more junior lawyer or other staff member) to transfer funds from trust to a client or to purchase gift cards for a client from the firm’s general account. The guidance for protecting yourself is similar to the guidance for the phony change in payment instructions scam:
If your accounting staff’s names and contact information are on your website, consider removing them from public view. Once a scammer knows a staff member’s name, it is easy to figure out their email address because every address will presumably have the same domain name, e.g., @buchananandco.com.
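As an added illustration of the spoofed “From:” line described above (example code, not part of the original guidance), the following script flags an inbound message that shows a known staff member's name on an address outside the firm, uses a lookalike of the firm's domain, routes replies elsewhere, or claims the firm's own domain without a DMARC pass from the firm's mail server. The firm domain, staff names and sample message are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the firm's domain from the guidance above,
# and a short list of staff names a scammer could harvest from the website.
FIRM_DOMAIN = "buchananandco.com"
KNOWN_STAFF = {"jane buchanan", "sam lee"}

# Constructed sample message: a partner's display name on a lookalike
# domain, a Reply-To that goes elsewhere, and a receiving-server
# Authentication-Results header showing DMARC did not pass.
SAMPLE_SPOOF = """\
From: "Jane Buchanan" <jane.buchanan@buchananandco-mail.com>
Reply-To: jane.b.partner@example.net
To: junior.associate@buchananandco.com
Subject: Urgent trust transfer while I am away
Authentication-Results: mx.buchananandco.com; dmarc=fail header.from=buchananandco-mail.com

Please release the settlement funds from trust today; I am at the airport.
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_findings(raw: str) -> list[str]:
    """Return the reasons an inbound message looks like internal impersonation
    (an empty list means none of these checks fired)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []
    # 1. A staff member's name displayed on an address outside the firm.
    if name.strip().lower() in KNOWN_STAFF and from_domain != FIRM_DOMAIN:
        findings.append(f"staff display name on external address: {addr}")
    # 2. A domain that merely resembles ours once hyphens and dots are removed.
    base = FIRM_DOMAIN.split(".")[0]
    squashed = from_domain.replace("-", "").replace(".", "")
    if from_domain != FIRM_DOMAIN and base in squashed:
        findings.append(f"lookalike domain: {from_domain}")
    # 3. Replies silently routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"reply-to goes elsewhere: {reply}")
    # 4. Our own domain in From: without a DMARC pass recorded by our server.
    auth = msg.get("Authentication-Results", "")
    if from_domain == FIRM_DOMAIN and "dmarc=pass" not in auth:
        findings.append("our domain in From: but DMARC did not pass")
    return findings

if __name__ == "__main__":
    for finding in impersonation_findings(SAMPLE_SPOOF):
        print("-", finding)
```

Any finding is a reason to confirm the request by phone with the named lawyer before money moves, regardless of how urgent the email sounds.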