Issue 55 | January 2019


This newsletter includes information to help lawyers reduce the likelihood of being sued for malpractice. The material presented is not intended to establish, report, or create the standard of care for lawyers. The articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate legal research.
Protect yourself and your insurance coverage from social engineering fraud

What is social engineering? In the context of information security, social engineering is the use of deception to get someone to give up confidential information. A similar scenario occurs when someone uses deception to cause another to give up money. In a recent case, a law firm fell victim to such a fraud and sustained a loss of $1.7 million of client funds. In Dentons Canada LLP v. Trisura Guarantee Insurance Company, a breach of the client’s email enabled the fraud to take place: the emailed instructions the lawyer received to transfer funds, though appearing to be from the client, were in fact from the fraudster.

This scenario is not that rare; in fact, there was a similar situation in Nova Scotia last year. Fortunately for that lawyer and his firm, shortly after the wire transfer the lawyer’s assistant noticed that one of the emails related to the transfer had been altered. When the client was contacted, it became obvious that a fraud had occurred, and the banks in the wire transfer chain, which were in Canada, the U.S. and the destination country of the wire, were alerted. Because the bank in the recipient country received the alert before the fraudster withdrew the funds, the transaction could be reversed all the way back to the law firm’s trust account. Had the fraud alert gone out after the fraudster withdrew the funds in the destination country, the law firm would have sustained the loss as Dentons did.

We bring this to your attention for several reasons. First, and we do not want to scare you, you should take appropriate steps to confirm, perhaps by phone, that emailed fund transfer instructions you receive from a client are correct, especially if they seem odd or are significantly different from your original instructions (which could include a wire transfer to a foreign country). Second, social engineering fraud is not part of the cyber coverage we offer in our policy. In the Dentons case, one of its cyber insurer’s arguments to deny coverage is that Dentons did not have the social engineering rider on its commercial cyber policy. Third, depending on the facts, there may not be coverage for such a fraud under the professional liability part of your insurance policy either. Accordingly, a lawyer falling victim to such a fraud who lacks appropriate insurance coverage could be in the position of having to reimburse their trust account for the loss.