This month, I will reiterate various cautions about cybersecurity in the light of a few recent incidents.
The Law Society first issued an alert on 10 May to members on the “Goh Keng Law Firm” incident:
Fraudsters Targeting Law Practices
The Law Society has recently received a number of reports from law practices relating to scammers impersonating lawyers in Singapore to cheat unsuspecting members of the public.
In a live matter, the scammers set up a fake law firm called ‘Goh Keng Law Firm’, and use the names and photographs of lawyers practising in other law practices on their website, claiming that these lawyers are practising in this ‘Goh Keng Law Firm’. The website also contains fake lawyer profiles and client reviews taken from other law practices.
The scammers use the real name and photographs of lawyers from other law practices with the intention to dupe unsuspecting members of the public into thinking they are a legitimate law practice, and ask for a commitment fee from the unsuspecting members of the public before they take on the matter.
Members are to take note that there is no law practice called ‘Goh Keng Law Firm’ in Singapore.
Thereafter, following a second incident close in time to the Goh Keng Law Firm incident, we studied the same and discerned a common theme with the earlier example. In a nutshell, mimicry i.e. a bogus law firm website stocked with real life lawyer profiles and using impersonation fraud. This was serious and urgent enough for us to call for a media conference to alert the public. When we do so, it is because of our statutory duties enshrined in section 38(1)(f) of the Legal Profession Act “to protect and assist the public in Singapore in all matters touching or ancillary or incidental to the law”.
There was another reason to sound the alert to the public. The Law Society had engaged Bryan Ghows of Ghows LLC who provided excellent service to the Society in sending out a takedown notice to the domain name registrar, gohkeng.com. Notwithstanding that, the Goh Keng Law Firm was still up and operating. It was precisely because of the continued perpetration of fraud that the public was at risk. Hence, the need for continued education.
Below was the fact sheet we put out on 28 May to the media during the public-facing interface.
The Law Society has observed an increase in scams in recent times involving the setting up of bogus law firms. impersonation fraud and phishing attacks purportedly from lawyers’/law firms’ e-mail addresses. Scams and frauds have also accelerated quantity-wise and are more sophisticated even as more Singaporeans pivot towards online transactions.
Police reported that the number of scams in Singapore reported in 2020 hit a record high, climbing 65.1 per cent from 2019, as scammers fleeced more than $201 million from their victims.
We have set out below some recent examples of scams involving lawyers and law firms that the Law Society is aware of.
Bogus law firms
- In a classic bogus law firm scenario, the scammers set up a bogus law firm called “Goh Keng Law Firm” and used the photographs of lawyers practising in other law practices on their website. They claimed that these lawyers were purportedly practising in “Goh Keng Law Firm”. The website contained fake lawyer profiles. To bolster its “credibility”, the law practice uploaded client reviews taken from other law practices.
- The scammers used the fake name and photographs of lawyers from other law practices with the intention of duping unsuspecting members of the public into believing they were a legitimate law practice. Predictably, they asked for a commitment fee from would-be clients before they took on the matter.
- There is and was no law practice named “Goh Keng Law Firm” in Singapore. A law firm acting for the Law Society has sent a takedown notice to the company hosting the offending website and we are waiting to hear back from them.
- The scammers set up a bogus website purportedly representing the international network of a Singapore law firm (A). The website used the name of A law firm but added the name of a Chinese City. This bogus website wrongfully and fraudulently replicated or purported to replicate the entire contents of the A’s website including photographs and profiles of lawyers in A law firm save that all references in A’s website to “Singapore” were replaced with the name of the Chinese City. This bogus website is no longer accessible.
In one instance, the law practice was instructed by the client company to credit the mortgage loan to the client company’s bank account maintained at a local bank. The e-mail address received by the law practice was [email protected]. The law practice then informed the crediting bank to transfer the money to the bank account at the local bank. The following day, the law practice received another e-mail from the e-mail address [email protected] explaining that due to certain outstanding loans at their local bank account, they wanted to change their instructions and credit the mortgage loan into another bank account. This was a foreign bank account. The law practice called the client company to verify the second set of instructions. The client company confirmed that it did not send the e-mail with the second set of instructions. Fortunately, no money was transferred to the foreign bank account and as such, there was no financial loss.
In another case, the fraudster amended invoices issued by the law practice, changed the payee details to an account other than the law practice’s bank account and subsequently harassed clients for payment. The forged invoice looked identical to the legitimate one because it used the law practice’s name.
TIPS ON PREVENTING AND MANAGING THE RISK OF SCAMS
Scammers can make for convincing white collar professionals, especially online, and are skilled at persuading innocent members of the public that they are legitimate.
The stakes are high with financial and legal scams. You can end up losing your hard-earned savings that can jeopardize your long-term financial stability.
Always check with your lawyer if you receive an e-mail (especially from an unfamiliar email address) requesting for funds transfer/payment (by whatever mode) before effecting payment as requested.
Always check with your lawyer if you receive any instruction on funds transfer deviating from your last communication with him or her before taking any action.
There is clearly a discernible present-day trend of bogus law firms (featuring real life profiles) and impersonation fraud. This is not unique to us as the UK experience shows. https://www.legalfutures.co.uk/associate-news/bogus-law-firms-and-identity-theft (Bogus law firms and identity theft, 17 February 2020) reports that “The [UK] legal sector has been bombarded by unscrupulous cyber criminals in 2019. The Solicitors Regulation Authority (SRA) reported law firm losses exceeding 700,000 pounds in the opening half of 2019, attributing them to identity theft and the use of impersonation tactics”. It further commented that “The threat is incessant and unrelenting according to law firm representatives.”
In a succinct and helpful definition of “What is a Bogus Law Firm?”, the Lawyer Checker authored article offers:
“Quite simply, bogus law firms are fakes impersonating genuine law firms or totally fictitious, using the trust of the legal profession to prey on unsuspecting consumers.
Fraudsters will clone websites, steal logos, use the identities of regulated legal service practitioners, and masquerade as a genuine firm using sophisticated social engineering techniques.”
As an education piece this month, let me share and reiterate several practical tips for lawyers. (Some of these pointers were stated during our profession-wide advisory on 10 May and are restated here):
General Alert and Advisory
Tip #1: Be on heightened alert and vigilance at all times. Online scams and frauds exist and are not conjecture. Fraudsters are becoming more sophisticated and devious by trying to stay ahead of the curve. We cannot be complacent about fake or fictitious law firms as some legal practitioners have found to their peril.
Tip #2: Advise clients to make a police report should they receive correspondence from bogus law firms.
E-mails from Firm (Including Purported Payment Instructions)
Tip #3: Advise your clients that if they receive e-mails or correspondence from your firm/any law practice to take steps to verify with you/your firm first. This is optimally done by a telephone call, text or WhatsApp Chat (as appropriate).
Tip #4: Advise your client that if they receive an e-mail request purportedly from you/your firm for funds transfer/payment (by whatever mode), to verify with you/your firm first before effecting such payments. This is best done by a telephone call.
Tip #5: Advise your client that if they receive any instruction deviating from your last communication with them, to re-confirm with you before taking any action.
Clients Who Are Not IT Savvy
Tip #6: When dealing with clients who are not IT savvy (e.g. some elderly clients), please take appropriate steps to clearly communicate payment instructions to them in a language that they are conversant in.
Tip #7: Singapore’s conveyancing process has several rules and timelines. When dealing with foreign clients and permanent residents who are less familiar/unfamiliar with our conveyancing process and timelines (including payment milestones), please take time to explain the same to them (preferably in writing as well).
Verify Doubts on Law Firm’s Existence with LSRA
Tip #8: If in doubt about the existence of a law firm who writes to you, verify e-mails purportedly from a lawyer or the identity of the lawyer/law firm by checking with the official public directory of lawyers and law firms maintained by the Legal Services Regulatory Authority (LSRA) at https://eservices.mlaw.gov.sg/lsra/search-lawyer-or-law-firm/.
Note: Members of the profession performing searches on LSRA’s website are advised to read the search results in totality. For example – law firms that have terminated their law practice licences and are no longer in operation are also captured in the directory to inform the public of the law practice(s)/solicitor(s) that have taken over the files. If a law practice has been terminated, the field “Last Day of Operations” and, if the information is available and applicable, the “Law Practice(s)/Solicitor(s) that took over the files” field will appear at the last two fields of the search result.
Law Society’s IT Scam Updates
Tip #9: In addition, the Law Society updates all scams involving lawyers or law firms that it is aware of on its website to educate all – https://www.lawsociety.org.sg/news-media/email-scams/
Gmail Addresses and Setting Up Website
Tip #10: Avoid using gmail addresses and set up a proper firm website. We made this point strongly recently during our Virtual Business Development Day.
Tip #11: Read our “Guide to Cybersecurity for Law Practices” (at www.lawsociety.org.sg > Members’ Library [login required] > Practice Matters > Cybersecurity and Data Protection) dated 30 March 2020 developed by the Law Society of Singapore’s Cybersecurity and Data Protection Committee. If you have queries or clarifications, please touch base with the Committee Head, Jeffrey Lim or the Committee Members.
Tip # 12: Don’t always believe what you see in cyberspace!
Let’s continue to stay alert, vigilant and watchful to avoid becoming the next victim of deception, trickery and fraud.