An Ontario lawyer called LAWPRO inform us of what appears to be an email hack attempt (similar to what is described here) against his firm and one of his clients, with the goal of diverting closing funds from a transaction into a different bank account. An email to the client appeared to come from this lawyer, and a follow-up phone call was made to the client which displayed the lawyer’s firm number.
Below we have reproduced the steps of the incident and his response, with some edits to remove the firm and client information.
Here is the fraudulent email that the client received (the “From” field showed the lawyer’s real address):
We are in the midst of restructuring our Finance Department and the payment information will be changing. Kindly attend to the wiring of the balance of the purchase price, on Tuesday, to the account listed below:
Wire into the following account the sum of $480,000.00 as follows
[bank information then provided]:
We kindly request that you amend your records to ensure all future payments are credited to our new account. If you have any question at all, please feel free to email me anytime.
The lawyer tells us:
- I had previously drafted an email to my client.
- In that email, I had asked him to wire the said sum of money to the bank account of Vendor’s Alberta counsel.
- I had left my email in drafts. My intention was not to send it until such time as the transaction had been closed and escrow was lifted.
- The transaction was scheduled to close on August 2, 2016.
- [The client] also conveyed to me, when I spoke with him on August 2, 2016 in the morning, that an unidentified individual had called him on his cell phone.
- He looked at the call display on his cell phone and the number registered as xxx-xxx-xxxx, being my office number.
- The person calling him had a somewhat “robotic” voice. The person was following up on the email on August 1st and asking him to proceed to effect the wire transfer to the bank account in Montreal, Quebec.
- Fortunately, my client did not wire the funds to the said bank account.
- Instead, he spoke with me and indicated that he had reviewed my email carefully and that it did not seem to be legitimate.
- The disaster was averted.
- He did not wire the funds to the bank account in Montreal, Quebec.
- Instead, he provided a certified cheque to the vendor and handed it to the vendor in person
In summary, what appears to have happened is the following:
- Without my knowledge or consent, someone perhaps “hacked” into my computer, read my emails, and then drafted a fresh email, purportedly in my name, instructing my client to wire funds to a different bank account.
- The next day someone was able to dial my client and have my office phone number register on call display so as to again give the impression that my client was receiving a communication from my office.
- My client ignored this person’s requests and did not wire the monies to the different bank account, or at all.
Since that time:
- I have spoken with my IT professional and he has given us anti-virus software to download and scan, which we have done.
- We have changed the passwords for each of our programs including for our email provider, Microsoft Outlook.
- We have changed the passwords for each of the four handset telephones in my office as well as for the phone system itself.
- I have made an appointment with my bank account manager to meet with him next week (being the earliest that he is available) to discuss the above and ensure that the bank’s system has not been compromised.
- I have asked my client to follow up with his bank account manager.
- I have alerted the vendor’s lawyer as to the above.
- I have downloaded and will review the LAWPRO Fraud Fact Sheet
This kind of fraud attempt is known as a “spear phishing” scam. Traditional phishing scams involve sending mass emails in the hopes that a few targets will be duped, and are described in the article Would You Take the Bait on a Phishing Scam? from the cybercrime issue of LAWPRO Magazine. A “spear phishing” scam is targeted more specifically and uses the names of people or companies the target knows. You can read more about it in this article by Norton: Spear Phishing – A Scam, Not a Sport.