New Zealand Law Society - Acting on hacker’s instructions

A lawyer, D, who acted on instructions from a hacker he believed was his client and paid client funds into unrelated bank accounts, was guilty of unsatisfactory conduct.

A lawyers standards committee censured D and ordered him to pay the client, Ms C, $30,828, the portion of the settlement funds that had not been returned to her.

Ms C instructed D in relation to the sale of one property and purchase of another. She emailed D with details of her designated bank account for deposit of the balance of settlement funds.

The hacker emailed D on settlement day from Ms C’s email address and provided D with alternative bank details. The account number was different but the bank and account name were the same.

“An electronically-altered bank statement was attached to the email. The fraudulent alterations were relatively subtle, namely the font for the account name and the slight misalignment of columns,” the committee said.

Change in instructions

D spoke to Ms C three times on settlement day but did not raise the issue of the change in her instructions.

Funds were then transferred into the account provided by the hacker. The following day, the bank automatically returned the funds to D’s trust account because the account name and number did not match.

Further emails were exchanged by the hacker and D, and the hacker directed D to transfer the funds to a business account in Malaysia for an investment project.

D emailed the hacker and said he could only transfer funds to a bank account in New Zealand. The hacker replied, asking D to split the settlement funds between two different bank accounts.

D says he first became aware that Ms C’s emails had been hacked and that he had acted on the hacker’s instructions during a telephone conversation between himself and Ms C on Easter Sunday 2016.

The following Tuesday, D spoke to the police, who liaised with two banks to which funds had been transferred. A portion of the transferred funds was recovered but over $30,000 remained unaccounted for.

The need to be satisfied

The committee found that D did not take “adequate steps” to confirm the authenticity of the change in bank account details provided to him by the hacker.

Following settlement funds bouncing back to his trust account, D “ought to have been on notice of the possibility that the alternative account details provided to him were either incorrect or were not legitimate.”

From that point, D had a positive obligation to satisfy himself as to his client’s instructions and ought to have continued his efforts to speak to Ms C by telephone, the Committee noted.

D was familiar with his client’s personal circumstances and there was some “unusual syntax” in some of the hacker’s emails. His suspicions “ought to have been further aroused as a result of the hacker’s email … which directed him to transfer the funds to an account in Malaysia.

“Even to a lawyer acting for a corporate client, such a direction should have caused suspicion in the absence of specific knowledge of the client’s affairs giving credibility to an instruction of that sort.”

The Committee considered that while D may have subjectively believed that he was acting on his client’s instructions, it was not reasonable for him to have done so in the circumstances.

D had breached obligations to his client under section 110 and section 111 of the Lawyers and Conveyancers Act 2006 in relation to handling and accounting for client funds. This was unsatisfactory conduct.

“While not central to these findings, the [committee] noted the general awareness of the legal profession of email scams that target lawyers and that the Law Society has issued a number of warnings to the profession in relation to this topic,” the committee said.

Failure to take immediate steps

D also failed to immediately contact the two banks once he realised he had transferred Ms C’s funds to unrelated accounts. The committee found this to be unsatisfactory conduct.

The committee said it appreciated that D found this out during the evening of a public holiday (Easter Sunday). “However, [D] failed to adequately discharge his duties to his client by not immediately contacting the two banks and the police, instead waiting until [the following] Tuesday to communicate with the police (who called him).”

One bank had an 0800 number that its website said was available seven days a week from 6am to midnight. There was no material before the committee to indicate D had attempted to use the 0800 number or take other sufficiently prompt steps, such as emailing the banks, in an effort to prevent the subsequent transfer of his client’s funds, the committee said.

As well as censuring D and ordering him to pay Ms C $30,828, the committee ordered him to cancel and refund his fees to Ms C and to pay $1,000 costs.

Notification to Registrar General of Land

During the investigation of Ms C’s complaint, the committee noted issues with the way D carried out his conveyancing for Ms C and opened an “own motion” investigation. The committee found that:

  • D provided LINZ certifications relating to a discharge of mortgage when he was not holding a discharge of mortgage authority from the bank to authorise the certifications;
  • D provided his undertaking to the purchasers’ agent to release the discharge of mortgage and transfer instruments on receipt of purchasers’ settlement funds when he had not received a Final Settlement Statement from the bank, and was not holding an authority from the bank to release the discharge of mortgage instrument;
  • D discharged the bank’s mortgage and transferred the property to the purchasers without holding an authority from the bank to do so (and without having received a Final Settlement Statement from the bank);
  • D released the discharge of mortgage into the control of the purchasers’ agent without having repaid the bank (leaving the bank unsecured and unpaid for three more days);
  • Before having repaid the bank from settlement proceeds, D disbursed the amount for Ms C’s property purchase as well as disbursing $1,573 as his fee; and
  • D breached the undertaking to the bank when submitting the discharge of mortgage request to the bank, by releasing the discharge instrument into the purchasers’ control before the amount required by the bank to repay its loans had been repaid in full.

These actions were found to be at the “upper limit” of unsatisfactory conduct. “There were serious failings in the conveyancing processes,” the committee said.

The committee gave serious consideration as to whether to refer the matter to the Lawyers and Conveyancers Disciplinary Tribunal, because of D’s “seemingly reckless” conduct, but decided against such a referral “by a fine margin”.

The committee censured D and ordered him to undertake at his own expense two separate Continuing Legal Education Courses from a selection provided by the Lawyers Complaints Service. D was also ordered to pay $1,000 costs. Given D’s apparent financial position, the committee exercised its discretion not to fine him.

The committee directed that a copy of the determination be provided to the Registrar-General of Land.