Across Australia, ANZ is seeing cybercriminals take a more targeted and deliberate approach when attacking businesses that manage sensitive financial transactions. Fraud is no longer opportunistic. It is designed to exploit urgency, authority and trust.
Law firms sit squarely within this risk landscape. As custodians of trust accounts, legal practices are responsible for holding and transferring client funds under strict regulatory obligations, often within tight timeframes. This exposure, combined with high professional responsibility, has made law firms an increasingly attractive target.
One of the fastest-growing threats ANZ is observing is bank impersonation scams. For trust account holders, the consequences can extend well beyond financial loss to include regulatory scrutiny, professional exposure and reputational damage.
Understanding bank impersonation scams
A bank impersonation scam occurs when a cybercriminal contacts a business while pretending to represent its bank. The caller claims to be from a fraud or security team and raises concerns such as suspicious transactions, an alleged account compromise or an online banking issue.
The objective is to create urgency and prompt action before the request can be verified or escalated. These approaches are increasingly convincing. Calls may appear to come from legitimate bank numbers. Text messages can arrive within existing message threads. Emails often mimic official branding and tone.
For legal practitioners managing settlements, court deadlines and client expectations, this pressure can feel credible. The instinct to act quickly to protect client funds is strong, and scammers deliberately rely on that response.
Responding without verification can have serious consequences, not only financially but through regulatory attention and long-term damage to client trust.
Why trust account holders are being targeted
ANZ is seeing similar scam patterns across industries that operate trust accounts, including law firms, conveyancers and real estate agencies.
These businesses manage large, time-sensitive transactions involving third-party funds. For law firms, this risk is amplified by the ethical and professional obligations attached to trust money.
Industry bodies are already warning members about the rise in impersonation scams. At ANZ, there has been a corresponding increase in both attempted and successful impersonation attacks involving legal trust accounts.
What makes these scams particularly dangerous is the psychological manipulation involved. Scammers exploit authority and fear, posing as bank staff and insisting urgent action is required to protect funds. In some cases, firms are instructed to transfer money or provide access to devices as part of a supposed security response.
It is important to be clear. These are never actions a legitimate bank will ask a law firm to take.
What ANZ will never ask a law firm to do
ANZ encourages all customers, particularly those operating trust accounts, to be cautious of unsolicited contact claiming to be from the bank.
ANZ will never ask a law firm to:
- Share one-time passcodes, PINs or card details
- Transfer trust or operating funds to another account to keep them safe
- Open a new account at the request of a call, text or email
- Provide remote access to a computer or mobile device
- Download software as part of a fraud investigation
If a request feels urgent, unusual or inconsistent with established processes, pausing before acting is critical.
Pause. Verify. Protect.
Legal practices manage a high volume of calls, emails and messages every day. Scammers rely on workload pressure and instinctive responses.
If a firm receives an unsolicited call, message or email claiming to be from its bank, ANZ recommends:
- Hanging up the call
- Closing the message or email
- Contacting the bank using trusted contact details already on file
Taking control of the interaction removes the scammer’s advantage and restores verification.
Client education is equally important. Law firms are increasingly being impersonated directly, with fraudulent emails sent to clients advising that trust account details have changed, often timed around settlements.
To reduce this risk, firms should clearly communicate that trust account details do not change and encourage clients to save verified details in their internet banking platform. Clients should also be advised to pause unexpected payment requests and verify them using trusted contact information already held.
Reinforcing this guidance through engagement letters and settlement communications helps reduce the risk of funds being misdirected.
Culture matters as much as controls
Strong cyber security is not achieved through technology alone. Effective protection relies on clear processes and consistent behaviour across a firm.
For law firms, this means empowering staff to slow transactions down, question unusual requests and escalate concerns, regardless of urgency or seniority.
ANZ has seen how effective this approach can be. In one instance, a firm received a call claiming its trust account had been compromised and funds needed to be urgently moved. Because appropriate maker-checker controls were in place, the request was independently verified using trusted contact details. The call was confirmed as fraudulent and no funds were transferred.
Outcomes like this depend on sound controls supported by a culture that encourages verification, even under pressure.
Practical steps include:
- Regular scam awareness training
- Clear procedures for verifying payment or banking detail changes
- Dual authorisation for trust account transactions
- Defined escalation pathways when something does not feel right
Cyber Security Awareness Month each October is a reminder, but vigilance for trust account holders must be ongoing.
If the worst happens
If a firm believes it has been targeted by a bank impersonation scam, shared sensitive information or transferred funds, ANZ should be contacted immediately. ANZ’s Customer Protection Team is available 24 hours a day, seven days a week.
Firms are also encouraged to report incidents to Scamwatch and the Australian Cyber Security Centre. Reporting helps protect both individual firms and the broader legal profession.
Protecting client trust
Trust underpins legal practice. Cybercriminals understand this and actively seek to exploit it.
By strengthening verification practices, embedding awareness across teams and educating clients, law firms can continue to manage trust accounts confidently and securely.
Protecting client funds is not simply a compliance obligation. It is a professional responsibility and a defining feature of a well-governed practice.


