Lawyers and law firm staff should ensure they check and verify all payment instructions received by email, the New Zealand Law Society says.
There are now many instances of fraudsters and hackers using internal email in law firms to attempt to steal money through fake transfer requests.
The Law Society says it is vital that all instructions which involve the payment or transfer of money should be verified by a means other than email, such as phone or personal contact.
One recent example received in a New Zealand law firm shows how the fraud operates. All names of those involved in the law firm have been changed. The attempted fraud was detected from the email address showing in the third email which purported to come from the requesting lawyer.
First email
From: Sarah Youngblood [a partner in the firm]
To: Rory Older [a member of the accounts team]
Are you in office?
Second email
From: Rory Older
To: Sarah Youngblood
Subject: RE: International
Rory Older, Accountant
Third email
From: Sarah Youngblood [mailto:firstname.lastname@example.org]
To: Rory Older
Subject: Re: International
I need a transfer payment to be processed today. Can you handle that now?
At this stage it became clear that the two emails which appeared to come from Sarah Youngblood did not. The email address was wrong - but there are instances where this has been overlooked, and - certainly in some overseas jurisdictions - money was transferred (and lost) through staff acting purely on the emailed "instructions". The next step is usually an instruction to immediately transfer a sum of money to a specified bank account (always outside New Zealand).
Similar frauds have been used in the name of clients, requesting a lawyer to transfer money from a transaction to a bank account. All highlight the importance of always verifying emailed instructions through another means, the New Zealand Law Society says.
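The mismatch that exposed this attempt, a known staff name paired with the wrong email address, can also be checked automatically. The following is an added example, not part of the Law Society's article: the staff directory, the `.example` domains and the sample messages are constructed for illustration, and the Reply-To comparison goes slightly beyond the case described above.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory: display name -> the firm's real address for that person.
STAFF = {
    "sarah youngblood": "sarah.youngblood@firm.example",
    "rory older": "rory.older@firm.example",
}

def sender_findings(raw_message, staff=STAFF):
    """Return reasons to distrust the sender; an empty list means no mismatch was found."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # Normalise case and spacing so "Sarah  Youngblood" still matches the directory.
    expected = staff.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append(f"From shows staff name '{name}' but address {addr}, expected {expected}")
    # Replies silently redirected to another mailbox are a second warning sign.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From address {addr}")
    return findings

# Constructed sample messages (headers, blank line, body).
GENUINE = ("From: Sarah Youngblood <sarah.youngblood@firm.example>\n"
           "To: Rory Older <rory.older@firm.example>\n"
           "Subject: International\n\nAre you in office?\n")
SPOOFED = ("From: Sarah Youngblood <s.youngblood@partner-mail.example>\n"
           "To: Rory Older <rory.older@firm.example>\n"
           "Subject: Re: International\n\n"
           "I need a transfer payment to be processed today.\n")
REDIRECTED = ("From: Sarah Youngblood <sarah.youngblood@firm.example>\n"
              "Reply-To: accounts@partner-mail.example\n"
              "To: Rory Older <rory.older@firm.example>\n"
              "Subject: Re: International\n\nCan you handle that now?\n")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("redirected", REDIRECTED)]:
        print(label, sender_findings(raw) or "no mismatch")
```

An empty result only means the headers are consistent with the directory; payment instructions still need verifying by phone or in person, as the Law Society advises.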