Notice to Members: Beware of Email Fraud and Scams

Lawyers in all areas of practice continue to be the frequent targets of bad cheque scams. These scams involve debt collections, business loans, IP licensing disputes or spousal support payments. Don’t be complacent and think you will never be fooled. These frauds are getting more sophisticated. The matters will look legitimate, the fraudsters will be very convincing and the client ID and other documents you receive will look real. The fake cheques will be printed on real cheque stock and in the past have fooled bank tellers and branch managers. There are often two or more people collaborating to make the scenario even more convincing (e.g., the lender and the debtor, the lender and the borrower, both ex-spouses, etc.). Here you will also find a list of names associated to the various types of email scams which continue to be circulated to our members.

The “bad cheque” scam is one type, but there are others. Social Engineering fraud is becoming more prevalent.

Social engineering is a type of malicious attack that relies on individual human interaction and our trusting human nature to trick people into breaking normal security procedures where fraudsters pretend to be an existing client or someone genuinely authorized to give instructions on the client’s behalf. Spoofing and phishing are both techniques used by scammers to mislead e-mail recipients. Both involve posing as a different sender to trick the recipient into carrying out an action. Spoofing is a technical measure used to change the apparent sender details on an e-mail, while phishing is an attempt to make the recipient hand over sensitive information such as log-in details. The two techniques may be used either separately or simultaneously: in simple terms, spoofing refers to what a scammer does, while phishing refers to what a scammer is trying to achieve.

Some examples:
1) a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware. A fraudster might hack the email of a lawyer’s vendor client or related party the realtor, or even the lawyer themselves. This hacking allows the fraudster to monitor the account, and acquire the information necessary to assume the identity of one of the parties. The fraudster waits until the lawyer receives the purchase proceeds and then, cloaked with the fraudulent identity, emails the lawyer with directions to wire the funds to a different bank account. The email appears to come from the real party, but any replies go to the fraudster’s email that appears as the party’s true email address but with just one small change, such as an extra letter.

Another example refers to the recent email we circulated to members on behalf of John Hogan from the law firm Wadden Peddigrew Hogan Law, advising members not to open an e-mail from John Hogan with an attachment labeled WPHLaw.pdf because it was a virus.

2) a fraudster “spoofs” a senior staff member’s email address, making it appear that the email is actually sent by a senior partner or other law firm staff, asking staff, usually the accountant or controller, to send funds or divulge bank account information. As the spoof involves using the staff member’s real email address, readily available on the Internet, the fraudster tries to craft a message that discourages any reply. On the pretext of a need for extreme sensitivity and relying on a staff member not questioning the instruction of someone senior in the firm, sent to them personally, the fraudster tries to convince staff to ignore normal protocols and simply send the funds as directed in the email.

Alberta Lawyers’ Insurance Programme just alerted us to the newest type of phishing scam that involves what looks like legitimate emails with a Dropbox attachment or link. Appearing to be sent from a known contact, this phishing scam email works in several ways by exploiting the popularity of the file sharing service:

• It will try to steal your Dropbox password with an order request that looks like it’s from a company or contact with whom you do business.
• It will try to steal your email password with a fake file sharing request.
• It will try to lure you into downloading a virus attached to or linked from the email.

The email will have some obvious signs of a phishing scam. First, it does not address you personally and instead uses your actual email address. Also, the email will sound urgent, trying to get you to react quickly and to click on the button, link and/or attachment without thinking.

Good risk management practices to safeguard your firm against email scams include:

• Look at the “Sender” information. Most email services still show you the actual address that the email was sent from.
• Look at the contact information carefully. If you hover over the link – BUT DO NOT CLICK – a different email or website appears.
• Always verify suspicious requests using previously known contact information, or found through independent research, and not contact information provided in the request.
• Do not open attachments that come from unknown senders or that come unexpectedly.
• Train employees. Make sure they know what to look for regarding email scams.
• Never give out sensitive information over the phone or via email.
• Pay attention to details. Grammatical or spelling errors in the email are red flags.
• Independent research. Do not rely solely on the information from the email.
• Protect your computer systems and your data. Change passwords regularly and recommend that your clients and other parties to a transaction do so, as well.
• Obtain professional technical expertise to help you protect confidential information through security measures including antivirus software and strong passwords, and to detect potential security breaches.

A Canadian website that you can view to inform yourself generally about scams and new trends, as well as information and resources on how to protect yourself is the Government of Canada’s Canadian Anti-Fraud Centre’s (CAFC) website at