Social Engineering Fraud

Cybercriminals targeting Alberta law firms with deceptive tactics hope you will let them in your virtual front door  

Fraudsters continue to employ social engineering techniques against lawyers and law firms in Alberta, drawn by the confidential client information stored in their computer systems and the frequent movement of money through their trust accounts. Social engineering fraud is a scheme that deliberately misleads individuals within an organization into taking steps that allow the fraudster to obtain money or property.

In a law firm setting, social engineering fraud commonly arises where a fraudster misleads a lawyer, an employee of the law firm, or a financial institution into releasing money or property to the fraudster through altered transfer instructions. ALIA has received many reports of both successful and attempted social engineering scams in the last several years.

How does social engineering fraud in law firms occur?

A common scenario for social engineering fraud begins with a cyber breach or business email compromise at a law firm, client company, or financial institution. Often the fraudster uses stolen email credentials to get into the organization's mailbox, learns from the correspondence which transactions are pending and who the parties are, and then uses that information to convince an individual to redirect the payment of funds to the fraudster's account.

For example, a fraudster may create an email address that resembles a trusted address by slightly altering the letters in the domain or by using a sub-domain. Using the fake address, the fraudster inserts themselves into an existing email chain with a client, financial institution, or other trusted source and provides transfer instructions that redirect funds or property to the fraudster's account. Fraudsters may even alter an invoice from a trusted source so that it carries the fraudster's payment instructions.

Some sophisticated social engineering scams may target individuals to gain their trust by using personal information, such as their name and phone number, or by using voice or video technology to impersonate someone else in the organization.

Be vigilant against social engineering fraud attempts

Paying close attention throughout the transfer process can catch a social engineering fraud before the funds leave the account. Red flags that may indicate a social engineering scam include:

🚩 Last-minute revisions to payment instructions:

Receiving an email purporting to provide a “revised” payout statement or a different bank account than was previously provided.

🚩 Changes to email addresses:

Inconsistencies in the sender's email address, such as a few letters swapped, even where the message appears to be a reply in an existing email chain; or a sender name that does not match the actual address revealed when hovering over it.

🚩 Recipient does not match:

A payee whose name differs from the intended recipient's, such as a numbered company where a named individual or business was expected.

🚩 Out of jurisdiction transfer:

Requests for funds to be paid to an out-of-province or out-of-country location.
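The address checks behind two of the red flags above (a few letters swapped or a trusted domain buried inside a longer sub-domain, and a sender name that does not match the real address) can be automated. The following is an added example written for this page, not code from ALIA or from any of the resources it links to. The trusted domains, the sample message headers and the two-edit threshold are all constructed for the example; a firm would substitute the domains it has verified out of band.

```python
"""Sender-address red-flag checker (added example, not part of the advisory).

Scores an email's From / Reply-To headers against domains the firm already
trusts, looking for the tricks the advisory describes: letters swapped or
substituted in the domain, a trusted domain hidden inside a longer sub-domain,
and a display name that does not match the actual sending address.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains the firm has previously verified out of band.
TRUSTED_DOMAINS = {"examplebank.ca", "clientcorp.com"}

# Common look-alike substitutions used in typo-squat domains (look-alike, real).
CONFUSABLE_PAIRS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
                    ("rn", "m"), ("vv", "w")]


def normalize(domain: str) -> str:
    """Lower-case the domain and undo the look-alike character swaps above."""
    d = domain.lower()
    for look_alike, real in CONFUSABLE_PAIRS:
        d = d.replace(look_alike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one swapped letter costs 1, a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_flags(domain: str, trusted=TRUSTED_DOMAINS) -> list:
    """Red flags for one sender domain; an empty list means it is a trusted domain."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return []  # exact match or a genuine sub-domain of a trusted domain
    flags = []
    for t in trusted:
        name = t.split(".")[0]  # e.g. "examplebank"
        if t in domain:
            flags.append(f"trusted domain {t!r} embedded in {domain!r} (sub-domain trick)")
        elif normalize(domain) == normalize(t):
            flags.append(f"{domain!r} uses look-alike characters for {t!r}")
        elif edit_distance(normalize(domain), normalize(t)) <= 2:
            flags.append(f"{domain!r} is within two edits of {t!r}")
        elif name in domain:
            flags.append(f"{domain!r} reuses the name {name!r} under a different domain")
    return flags


def message_flags(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Red flags for a whole message: sender domain, display name and Reply-To."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    flags = domain_flags(from_domain, trusted)
    # The name shown to the reader is itself an email address, but not the real one.
    if "@" in display and display.lower() != from_addr.lower():
        flags.append(f"display name {display!r} does not match real address {from_addr!r}")
    # Replies are quietly routed to a mailbox outside the apparent sender's domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain.lower():
        flags.append(f"Reply-To {reply_to!r} goes to a different domain than From")
    return flags


# Constructed sample headers (bodies omitted) for a clean message and two frauds.
LEGITIMATE = "From: Jane Doe <jane.doe@examplebank.ca>\nSubject: Payout statement\n\n"
LOOK_ALIKE = ("From: Jane Doe <jane.doe@examp1ebank.ca>\n"
              "Reply-To: jane.doe.examplebank@webmail.example\n"
              "Subject: REVISED payout statement\n\n")
SUBDOMAIN = ('From: "jane.doe@examplebank.ca" <accounts@examplebank.ca.secure-mailer.net>\n'
             "Subject: Updated wire instructions\n\n")

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGITIMATE), ("look-alike", LOOK_ALIKE),
                       ("sub-domain", SUBDOMAIN)]:
        print(label, message_flags(raw) or ["no red flags"])
```

A check like this belongs in the mail filter or as a quick script run over a suspicious message, not as a substitute for the out-of-band verification described further down: a fraudster who has taken over the genuine mailbox sends from the real, trusted domain and raises none of these flags.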

What can lawyers do to protect themselves against social engineering fraud?

Lawyers and law firms can be proactive to prevent losses from social engineering fraud, including taking these steps:

  • Establish clear transfer protocols, to be followed by all lawyers and staff, that set out what to do when a request to change payment instructions arrives (whether from inside or outside the firm).
  • Verify every change to payment instructions out of band: confirm it through a separate channel, such as a phone call to a number already on file, and never rely on contact details contained in the instructing correspondence, since a fraudster controls those.
  • Follow up with an independent communication to confirm that the intended recipient actually received the funds.
  • Provide employee training on how to spot social engineering attempts.

There are also many ways to protect against cyber breaches more generally:

  • Be mindful of attachments from unknown sources, particularly attachments that request sign-in information.
  • Be vigilant in public: avoid connecting to public, unsecured Wi-Fi, and do not access private or confidential information while on such a network.
  • Perform penetration testing of the firm's network.
  • Increase cyber security at the firm in other ways:
    • Avoid password recycling.
    • Use multi-factor authentication for accessing secure resources.
    • Introduce email quarantine for correspondence that appears suspicious.
    • Limit failed log-in attempts and lock accounts after repeated failures.
    • Monitor for changes to logging and configuration settings.
    • Disable legacy authentication protocols such as IMAP and POP3, which can bypass multi-factor authentication.
    • Consider investing in anti-phishing software.
    • Provide anti-phishing training to employees.
    • Update software regularly.

Coverage for social engineering fraud

The Universal Cyber Coverage Program, provided by Beazley Canada Limited (“Beazley”), offers coverage to Subscribers for the costs associated with cyber breach response, data recovery, and cyber extortion, and third-party coverage for claims against Subscribers or their law firms for data or security breach, subject to the terms, conditions, exclusions and limits of the policy. More information on the Universal Cyber Coverage Program may be found on ALIA’s website: Universal Cyber Coverage Program – ALIA.

There is no coverage for social engineering fraud under the Alberta Lawyers’ Professional Liability and Misappropriation Indemnity Group Policy or the Universal Cyber Coverage Program. We recommend lawyers and law firms speak with their brokers about what options are available and appropriate to their circumstances, such as a social engineering fraud endorsement to an existing property or commercial policy, or a separate crime or cybercrime insurance policy.

Resources

We recommend lawyers and law firms review further resources and information to protect against social engineering fraud:

Business Email Compromise | beazley

Social engineering – ITSAP.00.166 – Canadian Centre for Cyber Security

Deceptive and manipulative: social engineering techniques – Office of the Privacy Commissioner of Canada

Social engineering: how cyber scams trick us – Get Cyber Safe

Safeguard your organization from cyber risk

ALIA does not provide legal advice. ALIAdvisory newsletters, ALIAlert warnings, ALIAction notices, and the content on ALIA’s website, notices, blogs, correspondence, and any other communications are provided only for the general information of members who participate in the indemnity program and do not constitute legal or other professional advice or an opinion of any kind. This information is not a replacement for specific legal advice and does not create a solicitor-client relationship. If you think you would benefit from legal advice, please contact an Alberta lawyer directly.

Links to third-party websites are provided for convenience only; ALIA does not vet or endorse the information contained in linked websites or guarantee its accuracy, timeliness, or fitness for a particular purpose.

Your policy is the contract that specifically and fully describes your coverage, and nothing stated herein revises or amends the policy.

The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of ALIA. If you have any comments on this ALIAdvisory or any suggestions for future ALIAdvisory articles, please contact ALIA.