What Every Law Firm Should Know About Payment Redirection Scams

November 10, 2022

Online scams have been an ongoing problem for years. With the world digitising and businesses going online, scams are getting more sophisticated and costlier than ever. One of the most damaging scams affecting small businesses, government agencies, large corporations, banks, and even law firms is the payment redirection scam. In fact, the ACCC's Targeting Scams report shows that Australian businesses suffered a combined loss totalling $128 million to payment redirection scams in 2020. While small enterprises saw more instances of loss, larger firms experienced higher losses per incident.

Every business is a potential victim, including law practices. Law firms hold confidential data such as clients' personal and financial information as well as intellectual property, making them lucrative targets for hackers. Understanding how payment fraud works is crucial in protecting your firm and clients from cybercrime.  

What Is a Payment Redirection Scam?

A payment redirection scam, also known as a business email compromise (BEC) scam, is one in which scammers intercept communication and payments between law practices and their clients. This most often happens through email. First, the fraudsters gain access to your mailbox or place malware on your computer. They then lie low, monitoring your activity for keywords associated with payment schedules and billing processes. Once the scammers have the information they need, they act.

Shortly before you issue your invoices, the hackers use your email address, or one with a slight variation, to contact your clients and ask them to redirect payments to a different bank account. Seeing that the message appears to come from your email address, the unsuspecting clients treat it as a legitimate update and send the money to the scammer's bank account instead.

So, How Does This Affect Law Firms?

Law practices have access to vast amounts of information, including corporate data, intellectual property, and personal details. They also handle millions of dollars in financial transactions, making them valuable targets for cybercriminals. Unfortunately, some law firms do not invest in modern cybersecurity measures to protect themselves and their clients. This leaves them vulnerable to data breaches, which cause financial loss in multiple ways, most notably through payment redirection fraud.

Here are some common ways your law firm can fall into a payment fraud trap:

Purchase Orders and Invoicing

Invoice fraud can take various forms within a law firm. For instance, scammers can impersonate your suppliers by email and request payment of a non-existent or altered invoice, hoping it escapes scrutiny.

In addition, hackers may pose as your law firm and target existing and potential suppliers. They may send a purchase order resembling your own to the supplier and make a few changes to the delivery address. If they use your existing law firm address, they may redirect the delivery once the dispatch is confirmed. You may later get an invoice for goods you did not order or receive.

Payment fraud also occurs when cybercriminals impersonate senior attorneys using an email address similar to the genuine one. They may request junior staff to transfer money to them or make payments on behalf of the practice to a fraudulent account. There are also reports of fraudsters posing as staff members and requesting their salaries to be paid in "new" accounts.

Matters and Class Action Payments

Scammers can also target a law firm's clients, especially in well-publicised cases and transactions. They may use emails made to appear as though they come from your law firm to redirect class action payments. They can also intercept clients' bill payments by changing the banking details on an invoice.

What to Look for in a Technical Product to Solve This Issue

Today, scammers are super savvy and can make everything seem legitimate. Successful payment fraud can lead to heavy losses for your law practice, clients, and suppliers. You may also face professional negligence claims for failing to protect client confidentiality, harming your law firm's reputation. Fortunately, there are various tools you can use to protect your law practice and clients from business email compromise scams.

Single Sign-On and Multi-Factor Authentication

Single Sign-On (SSO) lets a user authenticate once and then access multiple applications without signing in to each one separately. After that initial authentication, the user's verified identity is passed on to the firm's other apps and websites rather than a separate set of credentials being entered for each. Because one credential now unlocks many systems, you must enforce strong password policies to reduce the exposure of your organisation's assets.

You can also reduce the security risks of SSO by integrating it with Multi-Factor Authentication (MFA). Username and password authentication alone may not be enough to protect your firm. Your solution must allow SSO and MFA to work together so that a stolen password on its own does not give an attacker access. Additional factors such as biometric identification, one-time passwords, and auto-generated key tokens make the system far harder to breach.

Delegations of Approval

Scammers often target new or junior employees who are unfamiliar with the firm's payment processes. Employees in administrative roles are also easy targets because they may not know whether other departments in the firm have placed an order for products or services. Simple practices such as delegating approval of specific budgets to specific departments may save your organisation from losing large sums of money. A second set of eyes should review invoices before any large payment is made. Your fellow attorneys and staff will then also know who handles what in the organisation, reducing the chances of invoice fraud succeeding.

Automated Checks Against Duplicate Invoices, ABNs, BSBs and PO Numbers

Cybercriminals usually use Purchase Order (PO) numbers, Bank-State-Branch (BSB) numbers, and Australian Business Numbers (ABNs) that differ only slightly from the genuine ones, which makes the difference hard to notice without close scrutiny. Your solution must be able to carry out automated checks that compare incoming emails, invoices, BSBs, ABNs, and PO numbers against the records you already hold, flagging both duplicates and near-matches. Any suspicious numbers or activity are flagged for review, allowing your IT or finance team to deal with the potential fraud before a payment is made.
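The following is an added example of the kind of automated screening this section calls for; it is not Alii's code and not part of the original article. It validates the ABN checksum (the published ATO algorithm: subtract 1 from the first digit, weight the digits, and the weighted sum must divide by 89), compares an invoice's ABN, BSB and account number against an approved vendor master file, flags near-matches (an edit distance of one or two digits, which is how a swapped or altered digit shows up), and flags reused invoice and PO numbers. The vendor names, ABN, BSB and account numbers are constructed sample values; the `Screener` class, its thresholds and its flag wording are assumptions for illustration.

```python
# Added example (not Alii's code): invoice screening of the kind the section
# describes -- ABN checksum validation, exact and near-match comparison of
# ABN/BSB/account details against a vendor master file, and duplicate
# invoice/PO detection. All vendor records and invoices below are constructed
# sample data, not real businesses or bank details.
from dataclasses import dataclass, field

# Weights for the ATO ABN checksum, applied to the 11 digits in order.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def digits_only(value: str) -> str:
    """Strip spaces and hyphens so '33 009 210 008' and '33-009-210-008' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def abn_is_valid(abn: str) -> bool:
    """ABN checksum: subtract 1 from the first digit, weight every digit, sum, mod 89 == 0."""
    d = digits_only(abn)
    if len(d) != 11:
        return False
    nums = [int(c) for c in d]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def bsb_is_well_formed(bsb: str) -> bool:
    """A BSB is exactly six digits (usually written NNN-NNN)."""
    return len(digits_only(bsb)) == 6


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one- or two-digit alteration gives a small value."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Vendor:
    name: str
    abn: str
    bsb: str
    account: str


@dataclass
class Invoice:
    vendor_name: str
    invoice_no: str
    po_no: str
    abn: str
    bsb: str
    account: str


@dataclass
class Screener:
    """Hypothetical screening component: holds the approved vendor master file
    and remembers invoice/PO numbers already seen."""
    vendors: dict  # vendor name -> Vendor
    seen_invoices: set = field(default_factory=set)
    seen_pos: set = field(default_factory=set)

    def screen(self, inv: Invoice) -> list:
        """Return a list of flag strings; an empty list means nothing suspicious."""
        flags = []
        if not abn_is_valid(inv.abn):
            flags.append("ABN fails checksum")
        if not bsb_is_well_formed(inv.bsb):
            flags.append("BSB malformed")
        vendor = self.vendors.get(inv.vendor_name)
        if vendor is None:
            flags.append("vendor not in master file")
        else:
            # Compare each banking identifier with the approved record; a small
            # edit distance is the signature of a slightly altered number.
            for label, got, known in (("ABN", inv.abn, vendor.abn),
                                      ("BSB", inv.bsb, vendor.bsb),
                                      ("account", inv.account, vendor.account)):
                got_d, known_d = digits_only(got), digits_only(known)
                if got_d != known_d:
                    dist = edit_distance(got_d, known_d)
                    kind = "near-match" if dist <= 2 else "mismatch"
                    flags.append(f"{label} {kind} against master (distance {dist})")
        inv_key = (inv.vendor_name, inv.invoice_no)
        if inv_key in self.seen_invoices:
            flags.append("duplicate invoice number for this vendor")
        if inv.po_no in self.seen_pos:
            flags.append("PO number already used")
        self.seen_invoices.add(inv_key)
        self.seen_pos.add(inv.po_no)
        return flags


def demo() -> dict:
    """Screen three constructed invoices against a one-vendor master file."""
    master = {"Acme Stationery": Vendor("Acme Stationery", "33 009 210 008", "123-456", "12345678")}
    s = Screener(master)
    genuine = Invoice("Acme Stationery", "INV-1001", "PO-77", "33 009 210 008", "123-456", "12345678")
    # Same vendor, but the last two account digits are transposed.
    altered = Invoice("Acme Stationery", "INV-1002", "PO-78", "33 009 210 008", "123-456", "12345687")
    # ABN altered by one digit (checksum now fails) and an invoice number reused.
    bad_abn = Invoice("Acme Stationery", "INV-1001", "PO-79", "33 009 210 009", "123-456", "12345678")
    return {"genuine": s.screen(genuine), "altered": s.screen(altered), "bad_abn": s.screen(bad_abn)}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, "->", flags or "clear")
```

Every flag is a prompt for a human to verify the bank details through a channel other than the email that carried the invoice; the screener does not decide on its own whether to pay. The near-match threshold of two is a design choice: a distance of one or two catches a single altered or transposed digit, while a much larger distance usually means a completely different account that the exact-match check already reports as a mismatch.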

Takeaway

Payment redirection scams are a major concern across industries, especially with the shift to a hybrid workplace. They take many forms, with scammers persistently finding new ways to impersonate enterprises or their employees, resulting in increasingly costly losses. Cybersecurity is no longer a luxury but a necessity to keep your law firm safe from hackers.

Alii is a solution designed to protect your law firm with integrations that fit into your existing software. Using Alii saves you operating costs and streamlines workflows. This fully automated and digitised platform also audits your invoices, detecting potential payment fraud. Plus, it is fast to install and easy to use.

Get started with Alii

With solutions suited to your organisation and a range of industry leading integrations, Alii ensures your team is in safe hands.