Conveyancing attorneys have become the latest targets of cyber scammers because of large money transfers taking place between clients and the attorney firms for the purchase of properties.
Private investigator Rick Crouch said he comes across many cases a month. One of his clients was scammed for R2 million.
He was in Europe when he transferred the money into what he thought was a legitimate account.
He said that criminals are using a “spear fishing” technique to target vulnerable employees of law firms.
Once the target has taken the bait, the scammers then have access to the firm’s computer system.
The criminals then create a rule that forwards all e-mails with target keywords in the subject line — such as “invoice” and “statement” into another folder.
Once they receive the e-mails, which usually contain the firm’s bank account information for the client to deposit the money, the fraudsters create a new invoice with all the firm’s information but they change the banking details.
“They then send the e-mail to the client explaining that, for some reason or another, the banking information has changed and the client should use the banking information on ‘this invoice’,” he explained.
The e-mail address is “spoofed” so it will look as if it came from the law firm.
“In addition to the e-mail rule mentioned above, they would have created a second rule that forwards them all e-mail directed to the firm’s e-mail address that they used.
“Not only does this rule forward all those e-mails to the fraudster but it also deletes the original so it is never received by the firm.
The money transfer goes into the fraudsters’ account and is never seen again.
“The banks will deny all liability in these cases even though the accounts are usually new accounts and suddenly a large amount is transferred into the account and almost immediately withdrawn, sometimes in cash.
“You have to ask how no alarm bells started ringing,” added Crouch.
He advised law firms that they must ensure that their anti-virus software is updated regularly and that their firewall is configured correctly.
Crouch also suggests that employers hold training sessions to educate employees on the signs of a phishing e-mail and how to avoid falling victim.
He advised clients that if they receive an e-mailed request to change banking information, they should call the law firm to verify the information.
“Do not call any number that appears on the e-mail but use the number you have on file for that law firm,” he cautioned.