The New Zealand Law Society is repeating earlier warnings to lawyers to be vigilant in ensuring their IT systems are secure against incursion and to be very careful in reacting to emails inviting them to open attachments.
The Law Society says emails with attachments or an invitation to click on a link cannot be trusted even if they appear to come from a known source. Verification by phone where there is the slightest suspicion is recommended.
The warning follows a number of instances in the last week of law firms being attacked or compromised by criminal fraudsters.
We Transfer
In one instance, a large number of contacts of several law firms were sent an email message in the genuine name of one of the firms' employees, stating that some files sent through the (genuine) file transfer service We Transfer were available for download.
The email had not been sent by the firms and were a phishing scam. Details of the firms' contacts would have been obtained through the fraudsters penetrating their IT security.
We Transfer provides a checklist which can be used to see if communications are with the genuine We Transfer or with people pretending to be it with the intention of stealing login details or instaling malware.
Stolen House Deposits
ANZ Bank has advised its clients that there has been an increase in fraudsters stealing real estate deposits by compromising email addresses, usually the real estate agent's email.
The fraudsters impersonate the payment recipient by either hacking their email account or using a similar email address to the original address. They then change payment instructions so the buyer sends funds to the fraudster's third party account instead of the legitimate recipient.
There have been recent instances of attempted frauds on lawyers involved in property transactions through alteration of bank account details during the transaction.
ANZ recommends a number of measures, which the Law Society says lawyers would be well advised to heed:
- Be cautious when making payments to bank accounts that you have not paid before. Making a call to the company's registered address to verify their bank account number is recommended.
- Examine sender details carefully, watching for similar domain names or characters that have been swapped for other letters.
- Be wary of last minute changes to payment instructions, especially if made out of normal business hours.
- Ensure staff handling payments are trained to recognise suspicious emails.
The security of your IT system
Many of the frauds are enabled through lax security in IT systems. The Law Society says it is extremely important that law firms keep their anti-virus software current, that operating software and applications are always up to date, that there are strong firewalls, and strong passwords are used for online transactions, with two-factor authentication the desirable option.
Hackers often gain access through an initial email to the firm (sometimes using the firm's online inquiry), asking for assistance in purchasing or selling a property.
The objective of these emails is to infiltrate the email of a member of the firm. This can happen through sending a document with a link to click on, or a link which is protected and personalised for a specific firm member with the requirement of entering their password and email address.
Once in, the hackers are able to monitor the firm member's email account and look for information about property settlements and required payments. They are patient and may wait for a long time. Sometimes when a payment or settlement deadline arrives, the fraudsters email the client pretending to be from the law firm and reminding them that a payment is due. Bank account details are provided - but not, of course, the firm's bank account.