Lawyers are increasingly being targeted by scammers in New Zealand and around the world due to their handling of confidential client data and the perception that they hold large sums of money for clients. Falling victim to scams can result in substantial financial loss and reputational damage.

The Law Society, in partnership with ANZ, is delivering a series of sessions across the motu about frauds, scams and cyber threats impacting the legal profession and wider community and how to prevent them.

The sessions, which started in July and run until September, provide information on how law firms are being targeted and how to keep your company, your staff, and your clients safe from malicious actors. Find out about future sessions at lawsociety.org.nz/events.

“Scams are on the rise and are increasingly complex in nature with the majority starting online, via social media and search engines, including through paid and promoted content”

John Sheddan from Gore firm Sheddan Pritchard Law, said the seminar was a timely reminder of the form and scope of these attacks, and the risk that all lawyers and business owners face daily.

“An active cyber-attack could bring your practice to an absolute halt, ignore this threat at your peril!” he said.

For those unable to attend a session, below is some useful information on what to look for and how to prevent becoming a victim of a fraud or scam.

About scams

Scams are on the rise and are increasingly complex in nature with the majority starting online, via social media and search engines, including through paid and promoted content.

• $1.026 trillion in financial losses from scams globally.
• 62% of New Zealanders encounter a scam once a month.
• Only 41% of people reported scams to law enforcement in 2023.

What to look for

The Law Society has previously provided guidance to lawyers about scams and how to recognise them:

• lawsociety.org.nz/professional-practice/practice-briefings/email-scams-which-target-lawyers and;
• lawsociety.org.nz/professional-practice/practice-briefings/how-to-recognise-an-email-scam.

However, as the techniques scammers are using constantly evolve, it’s important to keep up to date.

There are two key fraud and scam scenarios that are currently seen in the legal profession. These are:

Email spoofing

Email spoofing is a deceptive technique to make an email’s display name and address appear that it is from a trusted source. This could look like a lawyer receiving an email from a senior leader in their firm, urgently requesting a funds transfer for a client’s emergency settlement. Closer inspection reveals small discrepancies revealing the email is fake.

Email hijacking

This scheme involves fraudsters penetrating a law firm’s IT system. One way a fraudster might do this is by claiming they are interested in buying a house and intend to use the law firm to do the conveyancing. Emails are exchanged and eventually the fraudsters send an email with “important documents” attached. These are locked and access requires the lawyer to enter their email address and password. The law firm’s information is then harvested giving the fraudster access to the lawyer’s email account. The fraudster then emails the client from the lawyer’s email address to explain that their account details have recently changed, or they send an invoice where the bank account details have been altered. The client then makes payment, and the money goes to the fraudster’s bank account.

Key activities to watch for

• The initial contact is out of the blue.
• They ask you to enter your email address and password to access their documents.
• They are unavailable on the phone because of time differences or because they are travelling.
• They are not located in New Zealand. They are working in another country (“on assignment” is one commonly used phrase).
• They put pressure on you to act quickly, sometimes late on a Friday afternoon.
• They change bank account details just before a settlement or payment is due to be made.
• They make overly intrusive requests for personal information.
• They don’t pay a retainer or fees in advance.

Prevention is the best protection

There are a number of measures both in processes and technology that lawyers can take to try and prevent scams and frauds including:

“Lawyers need to adopt a balancing act between being available to act, with a healthy amount of skepticism”

Processes

• Implement and regularly review multiple payment approvers.
• Double check any suspicious payments and report them.
• Ensure effective reconciliation processes and timely detection of any issues.
• Validate all modified/new beneficiary requests with a trusted source, particularly if it comes from email or a phone call.
• Adopt Two Factor Authentication (2FA) and other available security controls.
• Have a robust call back procedure when your customer changes bank account.
• Update important passwords regularly.

Technology

• Use approved software only (whitelisting).
• Update software quickly.
• Disable untrusted Microsoft macros.
• Block risky web browsing/ firewalls.
• Restrict who has administrator rights.
• Apply updates to operating systems.
• Use multiple forms of proof before allowing access (2FA).
• Backup files offline and test it.

And

• Ensure people are trained to identify potential scams.
• Create and invest in a strong culture that encourages positive behaviours around cybersecurity and encourage employees to take action if they see/hear anything unusual.
• Work together across key areas including Finance, IT, Risk.
• Be prepared with a rapid response process.
• If you’re not expecting a phone call, and don’t know the person, don’t give out or confirm any information. Don’t give out phone numbers or any other identifying information.

Ethical and professional considerations

The Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 and the Privacy Act 2020 requires lawyers to protect and hold in strict confidence all information concerning a client acquired during the professional relationship. Chapters 8 and 11 of the Rules of Conduct and Client Care outline lawyers’ fundamental obligations in protecting confidentiality.

What are your professional obligations if you think it’s a scam?

Rule 4.1 of the Conduct and Client Care Rules (refusing instructions) lists when a lawyer has good cause to refuse instructions. When faced with a potential scam, a lawyer may wish to inquire first about the basis of the introduction – given that the approach will have been unsolicited.

Lawyers need to adopt a balancing act between being available to act, with a healthy amount of skepticism, to avoid becoming a victim of an email scam.

Learn more

Here are some useful resources:

• Scam Watch – scamwatch.govt.nz
• CERT NZ – cert.govt.nz
• CERT NZ Own Your Online Business online security assessment tool
• CERT NZ Own Your Online Keeping Secure Online
• Netsafe – netsafe.org.nz

ANZ offer via Law Society app

One of the many benefits members of the Law Society can access is discounted mortgage rates through ANZ. The ANZ benefits are available on the Law Society’s app along with many other benefits to save you money. Not a member? Want to find out more? Join anytime by visiting lawsociety.org.nz/membership.