Canadian Lawyer

20 J U N E / J U LY 2 0 1 9 w w w . c a n a d i a n l a w y e r m a g . c o m A lawyer's email can be both the front door through which clients enter and the back door through which thieves sneak. Distin- guishing them has become increasingly difficult since those initial requests from the rich Nigerian prince desperately seeking help to move money out of the country and the poorly composed missive from a service provider instructing that changes need to be made to an account. You really didn't have to look too far to see that something in those notes wasn't quite right. Enter today's spear phishing scams. While American analytics company 250ok reports that 91 per cent of cyberattacks begin with a phishing email, a realistic-looking yet sinister email can be the product of a very targeted approach that begins with a breach and is followed by sometimes lengthy surveillance of an individual's email correspondence. Law firms — targets for PHISHING FOR VICTIMS Cybercriminals can use complex technology but rely on old-fashioned human error to succeed By Marg. Bruineman L A W O F F I C E M A N A G E M E N T DUSHAN MILIC the valuable client information they harbour — are also particularly appealing to digital bandits for the trust accounts firms keep to safeguard clients' money. A scam in which a Dentons Canada Van- couver associate was tricked into transferring more than $2.5 million of client money held in a trust account to a fraudster's account in Hong Kong is serving as a reminder to the profession to beware. Details of the ruse were revealed in an Ontario Superior Court of Justice hearing for an advisory opinion in December in which Dentons tried to get its insurer, Trisura Guarantee Insurance Com- pany, to cover the $1.73 million the law firm was unable to recover. The Dentons Vancouver associate was working on the sale of a property, from which a portion of the proceeds was to be paid to the mortgage holder as the 2016 Christmas holidays approached. Wire instructions were sent on Dec. 28 and the transaction was com- pleted two days later. The following business day, Jan. 3, another email arrived instructing the associate to wire the funds to an inter- national account since the Canadian account of the mortgage holder was being audited. The firm included letters of authorization before the money was wired. It gradually became clear over the next two weeks that the funds had been misdirected. Earlier this year, Dentons also filed suit against the mort- gage company in the B.C. Supreme Court to recover the lost money. Leveraging the human factor has become a more successful approach for cybercrim- inals than using "brute force" to penetrate accounts, says Daniel Tobok, chief executive officer of Cytelligence Inc. in Toronto. He describes a determined and precise approach in which the criminal infiltrates the inbox "When you get right down to it, I think people are going to have to get used to slowing down a little bit when we're working on things." Rob Walls, Boughton Law Corporation

• Cover