Scammers are becoming more and more sophisticated in how they steal money.
Impersonating banks, government organisations and family members – these types of scams were among the top trends identified by Scamwatch in 2022.[1] Scams that were reported to government agencies in 2022 caused financial losses to Australians in excess of $3 billion, which is an 80% increase from total losses reported in 2021.[2] The Australian Competition and Consumer Commission (ACCC) reported that losses are increasing because scams are harder to spot, and anyone can be caught.[3]
Legal practitioners, especially law practice principals, are reminded to stay vigilant and updated on scam trends. Law practices should have in place a clear policy and procedure for reporting scams when they happen.
What should I do if my law practice has been scammed?
- Notify your bank immediately.
- For crisis assistance under the Lawcover Group Cyber Risk policy call 1800 BREACH (1800 273 224) or email [email protected].
- If the scam relates to trust money, report the incident to the Law Society’s Trust Accounts Department by calling (02) 9926 0337 or emailing [email protected].
- It is recommended that all cybercrime, cyber incidents and vulnerabilities are reported to the Australian Cyber Security Centre via ReportCyber.
Scams to look out for
A recent scam reported to the Law Society of NSW involved a scammer using the voice of a woman (a client of a law practice) in order to impersonate her in a call to the law practice. The scammer directed the law firm to pay over $1 million from a deceased’s estate into the scammer’s bank account. It is likely the scammer used artificial intelligence (AI) software to replicate the woman’s voice. AI scams are reported to be on the rise and are likely to continue to increase, as they are easy for people with little technical skill to use.[4]
Another scam that is increasingly common is impersonation of cyber fraud and security personnel from banks and other financial institutions. The ACCC published an article in March 2023 warning consumers to be wary of phone calls and text messages from their bank. In one case reported to Scamwatch, a man was conned out of $38,000 in what the ACCC Deputy Chair Catriona Lowe described as an elaborate scam. The man received a scam text message about a suspicious transaction, which appeared in the same conversation thread as legitimate messages from his bank. He called the number in the text and was put through to a scammer posing as a member of the bank’s fraud team.[5] The ACCC has expressed concern over these types of scams because “they can be so convincing, [yet] they are very hard to detect.”[6]
Businesses have also reported falling victim to bank impersonation scams. In June 2023, there was a report of property professionals in Western Australia (a real estate agent and two settlement agents) losing tens of thousands of dollars to scammers who had posed as an authorised person from NAB. The scammers told the unsuspecting business that a recent payment made from the agent’s trust account had been blocked due to suspicious activity and that the account needed to be reset.[7] The scammers then said that they needed a code sent to them to unlock the account, but instead used the code to withdraw funds from the trust account.[8]
Phishing scams – where the scammer sends a message to a person soliciting personal or sensitive information through the guise of a legitimate business or reputable person – were the most reported types of scams in 2022.[9] ‘Payment redirection’ phishing scams (also known as business email compromise) were identified as having the most impact on businesses.[10] This is a scam that involves the scammer intercepting email communications between a client and their advisor (such as their real estate agent, solicitor, conveyancer) and providing false bank account details to the client, leading them to transfer funds into the scammer’s account.
This is the most common scam currently affecting legal practitioners. It is recommended that a law practice telephone their client using details they have on file (not the details contained in an email providing a payment instruction and EFT banking details) to confirm the payment instruction, BSB and account number prior to making large payments. It is important to note that an email from within an organisation (internal email) is just as likely to be fraudulent as an external email. As such, internal emails should be treated the same as externally received emails that provide instructions to pay trust money.
Fraudsters continue to use technology to assist in their scams, and there has been an increase in the use of AI voice cloning technology to replicate the voice of another party, such as a client. Be wary during phone conversations. Look for signs that you may not be talking to the person you believe you are talking to by listening for unnatural pauses or a slightly distorted voice quality, which may be a sign of voice synthesis software. Verify the credentials of the other party by asking challenge questions. You could, for example, ask for personal details that a scammer may not have access to, such as a middle name or date of birth that you may have on file within your “know your client” documents. You could text a four-digit number to the mobile number held on file and ask for confirmation of the number sent to verify you are dealing with your client. If you are suspicious, say you will call them back and use the number you have for them on file. Be wary of acting on instructions received during an incoming call, as fraudsters can manipulate the number they are calling from to make it appear to the receiver that the call is coming from the number associated with your client.