Scam alert: invoices sent to clients for payments to third-party companies (update) - Victorian Legal Services Board + Commissioner

Scam alert: invoices sent to clients for payments to third-party companies (update)

December 15, 2017

The Board and Commissioner are aware of a new sophisticated scam using the credibility of large law firms to try to extract money from companies.

The scam involves an invoice being sent to the accounts department of a company via a fake email address of one of the company’s staff members (for example, the CFO). The email instructs the accounts department to pay an invoice for legal work purportedly provided by a reputable law firm. The bank account details provided do not relate to the law firm named on the invoice.

While this scam targets companies which are not necessarily the clients of the law practice named on the invoice, the use of a law practice’s name is of concern. Although it is perhaps beyond the control of a law practice as to how a scammer might misuse their name and/or branding, it is timely to remind all law practices that they should exercise care when dealing with clients via email.

Scammers have also been known to commandeer the email accounts of law practice staff, leading to significant losses. A recent article published in the Brisbane Times revealed that two Queensland law firms lost several million dollars to scammers who tricked law practice staff into revealing email account logins, giving them access to client payments.

Inform your clients

Cyber security must now be foremost in the minds of all lawyers when dealing with clients over email.

To protect both the client’s interests and your law practice’s reputation, it is important to inform clients that scams do happen. The Board and Commissioner encourage law practices to clearly articulate to their clients at the outset of a retainer how and when any payments are to be made. Clients should be encouraged to telephone your law practice if they have any concerns about the legitimacy of any invoice or payment instructions they have received via email, purportedly from your practice. Taking these steps may help prevent other scams from targeting your law practice.

Risk management

Lawyers are also reminded of the LPLC bulletin on cyber security published in June of this year, our blog post on email scams from September and the our RPA News bulletin from January 2016.