It’s an unfortunate reality that many businesses are the target of cybercrime and payment fraud.
In recent times, law firms, their clients and associated industries (such as real estate agents) have become frequent targets for online payment fraud, resulting in significant losses of funds alongside heartache, stress, legal issues and professional/ethical implications for lawyers.
A common type of attack is to attempt to divert payments to and from law firms (such as a settlement sum or trust account deposit) to a fraudster’s bank account by supplying false payment instructions to the payer.
Other methods of attack can include:
- obtaining login credentials (usernames and passwords) through phishing attacks
- gaining unauthorised access to email accounts to intercept and modify emails (known as “Business Email Compromise” or BEC)
- sending fake invoices or fraudulent payment instructions and requests
- sending false updates to a payee’s contact or banking details
It is important to recognise that both ends of a transaction may be a target for cybercriminal activity. Accordingly, each party bears responsibility to take steps to safeguard their own security.
Xuveo Legal encourages all businesses and individuals to be vigilant in protecting their payment security and, in particular, to develop an awareness of cybersecurity issues and threats.
Here are some tips to avoid becoming a victim of payment fraud:
Check bank details carefully
- If the bank account details provided on an invoice or payment request differ from the last payment or from those saved in your internet banking, contact the payee by phone to confirm the details before transferring funds.
- For added security, consider adopting a policy to call the payee to confirm the payment details before actioning significant payment requests.
- Consider using PayID and the New Payments Platform (NPP) if the payee and your bank or financial institution support it. The NPP and PayID system is designed to use additional security measures to verify the account holder.
- Regularly monitor your online bank statements for unexpected transactions and take immediate action if suspicious activity is detected.
Beware of fraudulent communications
- If you receive an email, SMS or instant message advising a change of banking details, payment details or contact details, contact the other party by phone to confirm.
- Be extra vigilant if you receive an unexpected invoice or payment request, or if the request is accompanied by an unusual level of urgency or threats of legal action.
- Just because it looks like an invoice doesn't mean it's legitimate. Be wary of unsolicited ‘invoices’ for services, registrations and renewals (eg domain name, trade mark and business name registration and renewal notices received from someone other than the official government agency or your usual supplier).
- If you receive a suspicious communication that appears to come from a known contact, contact the other person as soon as possible to confirm.
- When contacting a person by phone, use a separately verified phone number (for example, use the phone number previously saved in your contacts or the phone book).
- Don’t rely on a phone number included in an email, instant message or SMS that requests a payment or notifies a change of contact or banking details.
- You can check a Queensland law firm's contact details on the Queensland Law Society's Law Firm Database. Law Societies and Law Institutes in other states and territories may have similar databases.
Use good email & IT security techniques
- Use strong passwords (longer is better).
- Don’t reuse the same password across multiple websites or accounts.
- Don’t share passwords or user accounts with others or allow others to share your account.
- Avoid using free public WiFi.
- Consider using a reputable password manager app.
- Where available, set up 2-factor authentication (also known as multi-factor authentication) on your email account and internet banking. This helps to prevent unauthorised access to your account. Check with your email provider or financial institution for instructions and more details.
- Be wary of clicking links or opening attachments, especially if you were not expecting the email, electronic message or SMS.
- Make sure that your computers, smartphones and devices – and the software and apps you use – are up-to-date with the latest vendor security updates.
The following agencies provide further information and assistance on cybersecurity and payment security:
- ACCC Scamwatch
- ACORN (Australian Cybercrime Online Reporting Network)
- ACSC (Australian Cyber Security Centre)