Beware of email hacking risk regarding electronic funds transfers

By Legal Practitioners' Liability Committee

LPLC advises that there has been a dramatic increase in the theft of money from law firms and clients by cyber-criminals masquerading as either the client or the lawyer and sending fake emails. No firm is immune from this risk and many are being caught out.  

It is no longer a future threat. It is happening to firms like yours now. It can happen to you too!

Typically, it occurs in property, estate, family law or litigation matters where money is being electronically transferred from a firm’s trust account to their client as part of a transaction or a settlement. The email received from the client with the bank account details looks authentic in every way. Inevitably the firm transfers the money to the fraudster’s bank account thinking it is the client’s account, only to discover to their horror later that the email instruction was not in fact from the client.

The best risk management solution is for your firm to introduce a strict protocol for double-checking all email instructions (and any changes of instructions) for EFTs. You cannot verify an email instruction by a return email! The only foolproof way to safely double-check is either face-to-face or by telephoning the client (or other party to the transfer) and orally confirming the account details to which funds are to be sent. Write the details down exactly as the client confirms them and then check that against the previous instructions you have received. Use a telephone number you know is the client’s number and not the number on the email; you want to avoid ringing the fraudster who is on the other end of a fake telephone line as well.

This telephone verification needs to be recorded in a file note and sent with the requisition to the accounts department for the transfer to be effected. Personnel in the accounts team should check that the authenticity of the payment instructions has been verified.

Clients are also at risk of being duped by fraudsters sending fake emails purporting to be from their law firm directing money to a different account number. You should warn clients of the risk that any email system is potentially open to being hacked, and that just as lawyers can no longer rely on email instructions alone regarding money transfers, clients should not do so either. Warn clients that if they receive an email which appears to be from your firm providing bank account details for electronic funds transfers (or any change to the account details) they need to telephone your firm to confirm the payment directions before sending the EFT.

Ensure all staff are aware of the risks and know the procedures to follow.


Download and put LPLC’s poster on display in your office with the 5-step process to be followed for all EFT requests. You can find the poster here
