Law firms and their clients are frequent targets of cyber attacks and payment fraud.
Methods of attack vary greatly and are constantly evolving. Common attack vectors are known to include attempts to:
fraudulently divert substantial funds, including theft of payments to and from trust accounts of law firms;
intercept emails and other communications, or send out forged communications, through email address spoofing, spear-phishing attacks, and the use of compromised email accounts, social media accounts and computer systems or platforms;
use publicly available information (such as information published in government registries and databases) to create false, misleading, fraudulent or unsolicited correspondence, including fake invoices or requests for payment;
solicit payments for unofficial services (such as international trade mark 'renewal', 'publication' or 'registration' services).
We take our own security and that of our clients very seriously, and we regularly engage in learning initiatives to improve our cybersecurity.
The purpose of this Policy is to outline the measures and procedures that we adopt to mitigate the risk of fraudulent payment transactions.
We will review and update this Policy in line with industry advice and best-practice standards as they develop over time.
Payments we make to third parties (including clients)
Prior to actioning any outgoing payment or transaction (whether or not the transaction involves trust account funds and regardless of the amount of the transaction), we reserve the right to:
seek and obtain independent verification of payment details and client instructions; and
decline to action any transaction if the independent verification is not met to our satisfaction.
In accordance with industry guidelines, for any outgoing payment or transaction of AU$10,000 or above, we will require as a minimum separate telephone verification of all transaction details prior to actioning the transaction.
Requests for Changes to Contact Details or Payment Information
We reserve the right to require independent verification of any request to change contact details or payment information. This may include telephone or in-person verification.
We will never contact you by email only to advise you of a change to our bank account details or payment arrangements or other contact details. If you receive such a notification, we strongly recommend that you contact us as soon as possible via an independently verified telephone number.
We strongly recommend that all third parties (including clients) consider adopting the following measures to enhance their own cybersecurity:
Beware of any unexpected requests for payment of funds in relation to your matter, regardless of the method by which you received it - by mail, email, phone call, SMS, instant message or via social media.
Examples of suspicious activity may include:
'invoices' or requests for payment from third parties in relation to intellectual property rights, business names, domain names and companies;
offers to 'register', 'advertise', 'publish' or 'renew' your trade mark, business name or domain name;
[Read our post, Trade Marks - Don't Get Scammed, for more information about trade mark scams].
notifications that another person has applied to 'register' your trade mark, business name or domain name in another jurisdiction.
We recommend that you treat any such communications with caution and seek independent advice before acting on them - even if the communication appears to be from an official source or seems convincing.
Do not action any transfer of funds (sending, depositing, paying or transferring) without first telephoning the apparent sender to verbally confirm the account number, details and amounts by reading out and reading back the payment details (eg BSB and account number, or other specific payment details where applicable) and confirming any payment instructions.
Do not contact us using a telephone number, email address or other address listed in any communication that asks for money or includes payment details, without first checking the telephone number, email address or other address against our Queensland Law Society Law Firm Directory listing or an independent source.
Do not action any unexpected change of bank account details or contact details, unless you have contacted us by telephone (on a separately verified phone number) to verify the details.
Do not open attachments, or click on links or download buttons, in unexpected emails, SMS messages, instant messages or other communications without first contacting the sender (using a separately verified telephone number) to check legitimacy.
Give these same warnings to anyone else who may also be involved in transferring money (eg your accountant, bookkeeper, accounts payable staff, agent, broker, family members or any other third party payers).
Implement robust IT and cyber security measures, including:
ensuring all devices, operating systems, software and apps are regularly updated with the latest available security patches;
implementing 2-Factor Authentication (also known as Multi-Factor Authentication or Multi-Step Authentication) wherever possible and especially on all critical accounts including email, social media and bank accounts;
using unique, complex passwords for each of your accounts - do not re-use the same password or similar passwords across multiple accounts;
using a reputable password manager app or browser extension to generate and securely store unique passwords for each account;
implementing verification protocols for all significant payments; and
regularly engaging in cyber security awareness training and education.
These measures are by no means exhaustive, and we recommend that you consider taking professional advice in relation to your particular security needs.
If you receive any unsolicited communications or requests for payment in relation to your matter, we strongly recommend that you contact us immediately (on a separately verified phone number) for verification or further advice.