For client retainers involving the provision of legal services, this Policy also forms part of our Terms of Retainer and Costs Agreement.
Law firms and clients are frequently targeted by cyber criminals.
Methods of attack can vary greatly, and are constantly evolving. Common attack vectors are known to include attempts to:
- steal money — including misappropriating funds transferred to or from trust accounts of law firms;
- gain access to sensitive information by compromising email accounts, computer systems and mobile devices;
- intercept emails, SMS, instant messages and other communications;
- use publicly available information (such as information published in government registries and databases);
- send false, misleading, fraudulent or unsolicited correspondence and fraudulent "invoices" or requests for payment;
- request payments for unofficial or illegitimate 'services' (such as trade mark 'renewal', 'publication' or 'registration' services).
We take our own security and that of our clients very seriously, and we regularly engage in learning initiatives to improve our cybersecurity.
The purpose of this Policy is to outline the measures and procedures that we adopt to mitigate the risk of fraudulent payment transactions.
We will review and update this Policy in line with industry advice and best-practice standards as they develop over time.
We have adopted a range of security measures to reduce the risk of fraudulent transactions.
In particular, we will:
- never contact you by email only to advise a change of bank account details, payment arrangements or other contact details;
- require additional telephone or in-person verification of the payee's bank account details prior to making any trust account payment, refund or funds transfer to you or a third party;
- require additional telephone or in-person verification for any change of bank account or contact details.
Credit card payments are processed by an external payment gateway supplier. We do not store credit card details, but we may receive and store partial cardholder information for transaction verification purposes.
Payments we make to third parties (including clients)
Prior to actioning any outgoing payment or transaction (whether or not the transaction involves trust account funds and regardless of the amount of the transaction), we reserve the right to:
- seek and obtain independent verification of payment details and client instructions; and
- decline to action any transaction if the independent verification is not met to our satisfaction.
In accordance with industry guidelines, for any outgoing payment or transaction of AU$10,000 or above (or equivalent), we will require as a minimum separate telephone verification of all transaction details prior to actioning the transaction.
Requests for Changes to Contact Details or Payment Information
We reserve the right to require independent verification of any request to change contact details or payment information. This may include telephone or in-person verification.
We will never contact you by email only to advise you of a change to our bank account details or payment arrangements or other contact details. If you receive such a notification, we strongly recommend that you contact us as soon as possible via an independently verified telephone number.
Do not pay any money or action any transfer of funds (sending, depositing, paying or transferring) without first telephoning the apparent sender to verbally confirm the account number, details and amounts by reading out and reading back the payment details (eg BSB and account number, or other specific payment details where applicable) and confirming any payment instructions.
Do not contact us using a telephone number, email address or other details listed in any communication that asks for money or includes payment details without first checking the telephone number, email address or other details against our website or the Queensland Law Society Directory Listing (at https://www.qls.com.au > Directory).
Do not action any changes of bank account details or contact details, unless you have contacted us by telephone (using a separately verified phone number) to verify the details.
Be suspicious of any unexpected communications (email, SMS, telephone, mail, instant message, etc) — especially if payment is requested or the communication asks you to open a document or click a link to access a document.
Examples of suspicious activity may include:
- 'invoices' or requests for payment from third parties in relation to intellectual property rights, business names, domain names and companies;
- offers to 'register', 'advertise', 'publish' or 'renew' your trade mark, business name or domain name;
- notifications that another person has applied to 'register' your trade mark, business name or domain name in another jurisdiction.
We recommend that you treat any such communications with caution and seek independent advice before acting on them, even if the communication appears to be from an official source or seems convincing.
Do not open attachments, links or downloads in any email, SMS message, instant message or other communications without first contacting the sender (using a separately verified telephone number) to check legitimacy.
Give these same warnings to anyone else who may also be involved in transferring money (eg your accountant, bookkeeper, accounts payable staff, agent, broker, family members or any other third party payers).
Implement robust IT and cyber security measures, including:
- ensuring all devices, operating systems, software and apps are regularly updated with the latest available security patches;
- implementing 2-Factor Authentication (also known as Multi-Factor Authentication or Multi-Step Authentication) wherever possible and especially on all critical accounts including email, social media and bank accounts;
- using unique, complex passwords for each of your accounts; do not re-use the same password or similar passwords across multiple accounts;
- using a reputable password manager app or browser extension to generate and securely store unique passwords for each account;
- implementing verification protocols for all significant payments; and
- regularly engaging in cyber security awareness training and education.
These measures are by no means exhaustive, and we recommend that you consider taking professional advice in relation to your particular security needs.