Ransomware and Gone Phishing

15 May 2017

Over the weekend of 13-14 May 2017 a ransomware cyber attack occurred.  The attack, which locked computers and held users’ files for ransom, hit 200,000 victims in 150 countries.

Although this attack was a new form of ransomware, ransomware and phishing have been issues affecting legal practitioners for some time.

Here are some recommendations from the Office of Government Chief Information Officer which we strongly recommend all take note of:

  • Be careful when you click on links in your emails.
  • Never click on a link that you do not trust, whether on a web page, on Facebook or in messaging applications.
  • If you receive a message from a friend containing a link, ask them to confirm it before opening the link (infected machines send random messages with links).
  • Be wary of visiting unsafe or unreliable sites.
  • Be aware of fraudulent e-mail messages that use names similar to popular services. 

Law practices scammed of $47,632.37

At least two law practices have recently fallen victim to phishing.

Phishing is the fraudulent practice of sending emails, purporting to be from reputable companies, to induce individuals to reveal personal information, such as passwords and credit card numbers.

A simple prevention measure is to contact the client using the contact details obtained at the initial interview and to confirm the details of any proposed funds transfer directly with the client by telephone.

If you believe you may have been targeted through phishing, please contact the Legal Practice Board using the details listed below.

Legal Practice Board 
Senior Trust Account Inspector 
Bruce Bentley
Telephone: 6211 3600 Facsimile: 9325 2743
LPB@lpbwa.com     http://www.lpbwa.org.au

Case 1: Beneficiary Payment $42,132.37 November 2016

On 29 November 2016, an estate beneficiary provided the law practice with consent to release moneys held in trust, a copy of a marriage certificate confirming a change of name, and bank account details including BSB and account number.

The amount of $42,132.37 was subsequently transferred from the law practice Trust Account to the beneficiary's bank on 30 November 2016.

On 6 December 2016 it was noticed that the bank account details differed from those previously provided.

Contact was made with the fraud team of the bank, and the matter was reported to ACORN, the Australian Cybercrime Reporting Network (https://www.acorn.gov.au/).

Attempts to recover the moneys through a recovery request lodged with the bank were unsuccessful.

Case 2: Return of Trust Moneys $4,500.00 March 2017

The law practice received an email which appeared to be from one of its clients requesting the transfer of $5,800.00 from the funds held in the trust account. The law practice wrote a letter to the client advising there were insufficient funds in trust for this to happen and enclosed a further trust account statement confirming the funds remaining in the account.

The law practice then received an email purporting to be from the client, attaching a signed trust authority confirming that the client required the sum of $4,500.00 to be transferred to an account held in the client’s name with a Credit Union. As the signature on the trust authority matched the client’s previous authorities and the email address from which the email emanated appeared to be the same as the one the client usually used, the transfer was completed from funds held in trust on the client’s behalf. The bank account details on the trust authority were different to the client's previous bank details; however, it was assumed that the client had simply changed banks or wished to transfer to a different account.

The law practice then received a further email from the client requesting the transfer of the sum of $1,000.00 to the client’s account with a supporting signed trust authority.

The law practice contacted the client advising there were insufficient funds in trust to complete the transaction, and informed her it had received an email from her email address authorising the transfer of funds from the trust account and had transferred the funds accordingly.

The client then informed the law practice that no such email had been sent.

The client advised the law practice that her email account was “hacked” and that someone else had sent the email with the account details. The client also advised that the email account had not been working for some time and all communications were by mail.

The request to recover the funds from the receiving bank was unsuccessful.

Case 3: Property Settlement $200,000 March 2017

Department of Commerce Website.