In 2019 a Brisbane CBD practice with a 100-year history found that its ASIC registration had been altered, the new directors apparently living in a PO box in Western Australia.
A suburban firm found it was “acting for” a borrower it had never heard of in a string of fraudulent mortgage transactions.
Both organisations were the target of business identity theft, a relatively new and annoyingly pernicious form of cyber-enabled fraud.
The digital economy means we act for and transact with people and organisations we have never met, and often never will. This remote service model is fertile ground for scammers, who no longer need to put on an Oscar-level acting performance to fool solicitors into assisting them with fraudulent schemes: all that is required is some basic website skills and a few convincing emails impersonating the law firm.
Attack methods vary – fraudulent mortgage and asset sales, fake bills, debt collection, employment scams, phishing emails and malware distribution – but all rely on exploiting the trust reposed in solicitors.
Website cloning and business identity theft have been a significant problem for law firms for some time, especially in the United Kingdom:
- (todaysconveyancer.co.uk) sophisticated law firm email domain impersonation fraud
- (law.com) four firms impersonated in one week (paywall)
- (legalcheek.com) SRA issues alert after fraudsters impersonate city law firm partners
- (legalfutures.co.uk) crime agency adds online lawyer impersonation to hit list
Law firm policies and procedures need to mitigate two risks: that you are dealing with a cloned firm, and that an attempt to clone your own practice goes undetected.
For guidance and some practical measures to avoid this embarrassing (and potentially expensive) situation, see the QLS business identity theft resource.