The last decade has seen an increase in cybercrime-related attacks on the legal profession. One of the main types of cybercrime attack involves fraudulent emails purporting to be an instruction to change the banking account details of the parties to whom funds are due to be paid. In this case, the fraudster usually creates a new email address which looks like the legitimate email address of the client and/or the attorney. There is usually a very small change to the email address and, unless special attention is paid to the communication, the recipient will be induced into believing that the fraudulent email constitutes legitimate email correspondence from the trusted sender.
The fraudster will then contact the attorney either telephonically or by way of the fake email address, pretending to be the trusted client, and will instruct the attorney to transfer the proceeds available on trust to a banking account that is different to the one that the attorney has on record. The attorney, under the impression that he/she is acting on the instructions of the client, then makes payment into the new banking account belonging to the fraudster.
In the face of this cybercrime, as set out above, it appears that both the attorney’s firm and their client are victims of the scam. However, it is important to note that if your firm falls victim to cybercrime-related losses, it may be held liable to indemnify the third party involved for the damages suffered.
Rule 54.13 of the Legal Practice Act 28 of 2014 places an obligation on all attorney firms to pay any amount due to a client, unless otherwise instructed, within a reasonable time. Prior to making any such payment, the firm shall take all adequate steps to verify the bank account details provided to it by the client for the payment of the amounts due. Any subsequent changes to the bank account details must be similarly verified.
It is of utmost importance that legal practitioners ensure that they have adequate internal controls in place. This is because clause 16(o) of the Legal Practitioners Insurance Indemnity Fund Policy, which came into effect on 1 July 2016, expressly excludes claims arising out of cybercrime, which includes payments made into an incorrect and/or fraudulent bank account where the insured or any other party has been induced to make any payment into the incorrect bank account and has failed to verify the authenticity of such bank account.
Clause 16(o) furthermore sets out how the attorney firms are to verify banking account details given to the firm by a client and/or any other recipient of funds. “Verify” in terms of the policy requires the legal practitioner to have a face-to-face meeting with the client and/or any other intended recipient of the funds. The client and/or any other recipient of funds must provide a signed and duly commissioned affidavit confirming the instruction to change the recorded banking account details and attach to the affidavit an original stamped document from the bank confirming the ownership of the banking account.
It appears that Clause 16(o) has two exclusionary elements to it. Firstly, it excludes all claims arising from cybercrime which causes monies to be paid into an incorrect and/or fraudulent banking account. Secondly, and more importantly, it excludes claims where the legal practitioner fails to verify the authenticity of banking account details. Evidence of hacking is therefore not required for the exclusion to apply in the second instance.
If you have fallen victim to a cybercriminal and/or have lost monies due to the same, contact us.