Durban - A long-standing email scam targeting law firms in order to defraud them of funds has resurfaced.
Recently, several law firms were contacted by hackers claiming to be clients or members of legal insurance or trust funds. They either requested a refund or payment of funds.
In one incident, a fraudster tried to scam uMhlanga attorney Narisha Hansraj.
The fraudster pretended to be a representative of the Legal Practitioners Fidelity Fund and initially contacted Hansraj to confirm her business bank account details.
He went under the name Eric A Molefe.
Under the impression that he was from the fidelity fund, she complied with the request.
She then received an SMS that R79 995 was paid into her account via a cheque deposit.
When Hansraj checked her account, she found that the money had not cleared and her balance remained the same.
“I immediately contacted my personal banker to inform him of the incident. I was advised to await a telecon from an individual pertaining to this matter.”
Hansraj was soon called by Molefe, who said he was a representative of the fund and explained to her that the money was deposited as part of a refund following the auditing of her firm.
He said the wrong amount was deposited and that Hansraj should retain only the intended R7 999.50 and a further R900 for any bank charges incurred.
“Eric had then informed me to transfer the balance (R71 095.50) of the money into a certain bank account.
“I requested Eric to transfer me to the representative I normally deal with in order to discuss this matter. However, he informed me that he is calling from the head office in Cape Town, therefore that person will not be available to communicate with me.”
Hansraj then asked for the relevant banking details via email, which Molefe sent.
Sensing something was amiss, Hansraj contacted the fund.
“I'm well aware of all money being transferred into my trust and business accounts. Furthermore, the transaction in question appeared suspicious.
“In addition, I operate a straight and professional practice, therefore I advise all my clients to make payments via EFT. In the event that a client effects payment in cash, I attend to write out a respective receipt and hand it over to my client.”
Two days later, the correspondence proved to be a scam as the money failed to clear.
The fund also confirmed this and advised that she sever all contact with the purported representative.
The fund later issued a statement warning legal practitioners not to fall prey to the scam.
In a separate incident, a fraudster pretended to be Tony Pillay, the acting executive director of the Law Society of South Africa (LSSA), requesting via email that a certain amount of cash be refunded into Pillay’s bank account.
A warning was quickly sent out by the society, urging practitioners to keep a look-out and warn their bookkeepers not to reply to the email.
The email address, though similar, was incorrect and the email did not have the law society branding.
Commenting on the matter, Pillay said these types of social engineering had plagued the legal profession for years.
“The Legal Practitioners Insurance Indemnity Fund has, over the past number of years, issued guidance to the profession. The LSSA has also been issuing guidance over the past few years, as the fraudsters use the same tactic with some slight changes to their modus operandi.”
Thomas Harban, the Legal Practitioners Insurance Indemnity Fund general manager, said that in July 2016, the fund amended its policy on the cybercrime dubbed "Business Email Compromise", to exclude such claims.
“The exclusion was introduced after extensive communication with the legal profession over a 6-year period, on the implications of cybercrime in general, and the various payment scams and purported changes in banking details in particular.”
Harban said legal practitioners needed to take adequate steps to verify banking details. Those who did not were in breach of professional obligations.
He said that since the amendment, 189 claims had been made, amounting to more than R120 million.
In October last year, a Pretoria law firm was taken to court by one of its clients after one of its attorneys erroneously transferred R1.7m of the client's funds out of the law firm’s trust account and into several bank accounts held by one or more unknown hackers.
The firm was ordered to pay the client, the judge citing that is was important to verify banking details before performing transactions.
Meanwhile, the South African Banking Risk Information Centre (Sabric) announced last week that Experian, a consumer, business and credit information services agency, had experienced a breach of data which had exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
The breach was reported to law enforcement and the appropriate regulatory authorities.
Banks have been working with Experian and Sabric to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds.
Sabric chief executive Nischal Mewalall said: “The compromise of personal information can create opportunities for criminals to impersonate you, but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details.”
Mewalall said should a breach be suspected, members of the public should immediately alert the Southern African Fraud Prevention Service by emailing [email protected].
POST