ALMJ
8 reasons why business email compromise is a risk for trustees
Business email compromise is an insidious and increasingly common means of fraud that poses a threat to any businesses, especially law firms, that act as trustees in large transactions, writes Simone Herbert-Lowe.
An increasing risk exposure for lawyers and law firms involves business email compromise (BEC).
BEC typically occurs where an email account (either the law firm’s or the client’s) is hacked, or where an email address is ‘spoofed’. Spoofing occurs when a cybercriminal disguises an email address or display name to deceive the victim into believing they are interacting with a trusted source. It frequently involves changing a single letter or number in the email address so the reader is lured into thinking the communication is genuine. Both forms of BEC enable a fraudster to falsify payment directions via email.
BEC is a serious risk for all businesses, but this is especially the case for law firms and, indeed, any businesses that act as trustees in large transactions. The following list contains eight reasons why the risk of BEC is something your law firm should seek to mitigate now.
1. BEC is a leading cause of scams in Australia
According to the Australian Competition & Consumer Commission’s Scamwatch, in 2020 Australians made more than 216,000 reports to Scamwatch and reported losses of about $178 million. Between January and September 2021, this figure had jumped to 226,000 reports, with reported losses of more than $222 million. BEC scams caused the highest losses across all scam types in 2019, costing businesses $132 million, according to the ACCC’s Targeting Scams report.
Scamwatch reports that about a third of people who have been scammed never tell anyone, so the true numbers are likely to be much higher.
2. Three important changes have led to massive growth in financial crime
There have been three significant changes during the past decade or two in the way business is done which has facilitated financial crime. These are the use of electronic funds transfers for even the largest transactions, many of which occur almost immediately; widespread access to the internet globally; and the use of email as the preferred mode of business communication across all sectors of the economy. Email was originally designed to be a short message tool, rather than a means of exchanging confidential information such as payment details. Unfortunately the vulnerabilities associated with using email for more than which it was originally designed are significant, particularly where login credentials have been compromised.
3. Property transactions expose law firms
In August 2021 the Australian Cyber Security Centre (ACSC) issued a special alert regarding BEC in property transactions.
This alert noted that the ACSC had observed a growing trend of cybercriminals targeting the property and real estate sector to conduct business email compromise scams in Australia, and that conveyancing lawyers, their clients and mortgage lenders were particularly at risk.
4. Professional bodies have issued repeated warnings about payment redirection fraud
For several years, lawyers’ professional associations and insurers have issued warnings about the risk of email-enabled funds transfer fraud making it difficult to argue this risk is not foreseeable.
5. Trustees’ duties leave them vulnerable
When a trustee pays money to the wrong person there is a breach of trust, even when the trustee is also the victim of fraud.
Two of the most important duties of a trustee are to protect the trust property and to only pay money out of trust when it has been appropriately authorised. The fact that a trustee was deceived into paying money out of trust does not prevent a finding of breach of trust – one of the very duties of a trustee is to protect the beneficiary from fraud.
6. Actions for breach of trust are difficult to defend
While a defence of contributory negligence or apportionment of liability can apply to an action based on a breach of duty, where the trustee’s liability is not predicated on a failure to take reasonable care, but on other breaches, such as a failure to account or payment from a trust account without authority, a statutory apportionment defence is unlikely to be available (George v Webb & Ors [2011] NSWSC 1608).
Further, while trustee legislation may include provisions enabling a trustee to be excused for the breach of trust where s/he has acted honestly and reasonably, this relief is rarely granted in the case of professional trustees. In addition, the defence is unlikely to assist a legal practice that has failed to take reasonable steps to prevent the fraud occurring, given the number of warnings that have now been issued by professional bodies, insurers and government.
7. Actions for breach of trust are not protected under limited liability schemes
The Professional Standards legislation under which limited liability schemes operate specifically exclude breaches of fiduciary duty and breach of trust from protection under these schemes.
8. Breaches of statutory obligations can lead to civil, criminal and disciplinary consequences
Lawyers’ obligations in relation to trust money are regulated by statute and the general law. In NSW and Victoria, for example, the Legal Profession Uniform Law (LPUL), regulates the obligations of lawyers and others in relation to trust accounts.
Section 138 of the LPUL (NSW) provides that a law practice must disburse trust money only in accordance with a direction given by the person on whose behalf it was received. Under section 148 of the LPUL (NSW) there is also a duty to avoid any deficiency in any general trust account or trust account ledger. Where a law practice or legal practitioner causes a deficiency in any trust account or fails to pay or deliver trust money, a criminal penalty provision applies – this is either 500 penalty units ($55,000), imprisonment for five years, or both.
Lastly, section 154 of the LPUL (NSW) requires the reporting of irregularities in trust accounts, including a duty on the part of a legal practitioner of one law practice to report any suspected irregularity affecting another legal practice.
The extent of trustees’ obligations means that any trustee, particularly a professional trustee such as a law practice, is especially vulnerable in the event that a client loses funds as a result of BEC. It is also important to note that many scams involve no computer or account intrusion, and that educating all staff about email fraud and trustees’ duties and implementing appropriate accounts payment processes is the key to preventing these scams from succeeding.
Simone Herbert-Lowe is a Director of Law & Cyber. She acts for businesses and individuals impacted by cyber events, has provided written expert opinion in legal proceedings and is the author of the online, CPD-eligible courses Cyber Risk for Law Firms and Cyber Risk in the Property Industry.