8 reasons why business email compromise is a risk for trustees

 

Key insight:

Business email compromise is an insidious and increasingly common form of fraud that poses a threat to any business, including law firms and investment advisors, that acts as a trustee in large transactions.

 


This article is an updated version of an article that was first published in the Law Council of Australia’s Law Management Hub incorporating the Australasian Law Management Journal on 13 March 2022.

What is Business Email Compromise?

An increasing risk exposure for lawyers and law firms involves business email compromise (BEC). BEC typically occurs where an email account (either the law firm’s or the client’s) is hacked, or where an email address is “spoofed.” Spoofing occurs when a cybercriminal disguises an email address or display name to deceive the victim into believing they are interacting with a trusted source. It frequently involves changing a single letter in the email address so the reader is lured into thinking the communication is genuine. Both forms of BEC enable a fraudster to falsify payment directions via email.
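The single-letter address change and the disguised display name described above can both be screened for mechanically. The following is an added example, not part of the original article; the domain names and the `assess_sender` helper are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the firm normally receives payment directions from.
TRUSTED_DOMAINS = {"examplelaw.com.au", "exampleclient.com.au"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return warning labels for one From: header; an empty list means no finding."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in trusted:
        # A sender domain one edit away from a known domain is the single-letter swap.
        for known in sorted(trusted):
            if edit_distance(domain, known) == 1:
                findings.append(f"lookalike-domain:{known}")
        # A display name showing a trusted domain while the real address differs.
        if any(known in display.lower() for known in trusted):
            findings.append("display-name-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "Jane Smith <jane@examplelaw.com.au>",
        "Jane Smith <jane@examp1elaw.com.au>",
        '"Jane Smith examplelaw.com.au" <jane@mail.example.net>',
    ]
    for header in samples:
        print(header, "->", assess_sender(header))
```

An empty result does not authenticate the message: mail sent from a hacked account, the other form of BEC described above, passes this check.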

Business email compromise is a serious risk for all businesses – but this is especially the case for law firms and other businesses that act as trustees in large transactions and investments.

The following list contains eight reasons why the risk of BEC is something your business should seek to mitigate now.

 

1. Business email compromise is a leading cause of scams in Australia

According to the ACCC’s Scamwatch, in 2020 Australians made more than 216,000 reports to Scamwatch and reported losses of around $178 million. Between January and September 2021, this figure had jumped to 226,000 reports with reported losses of over $222 million. Business email compromise scams caused the highest losses across all scam types in 2019, costing businesses $132 million, according to the ACCC’s Targeting Scams report.

Scamwatch reports that around a third of people who have been scammed never tell anyone, so the true numbers are almost certainly much higher.

2. Three important changes have led to massive growth in financial crime

Over the last decade or two, three significant changes in the way business is done have facilitated financial crime: the use of electronic funds transfers for even the largest transactions, many of which occur almost immediately; widespread access to the internet globally; and the use of email as the preferred mode of business communication across all sectors of the economy. Email was originally designed to be a short message tool, rather than a means of exchanging confidential information such as payment details. Unfortunately, the vulnerabilities associated with using email for more than it was originally designed for are significant, particularly where login credentials have been compromised.

 

3. In August 2021 the Australian Cyber Security Centre (ACSC) issued a special alert regarding BEC in property transactions

This alert noted that the ACSC had observed a growing trend of cybercriminals targeting the property and real estate sector to conduct business email compromise scams in Australia, and that conveyancing lawyers, their clients and mortgage lenders were particularly at risk.

4. Professional bodies have issued repeated warnings about payment redirection fraud

For several years, lawyers’ and conveyancers’ professional associations and insurers, and property settlement platform PEXA, have issued warnings about the risk of email-enabled funds transfer fraud, making it difficult to argue this risk is not foreseeable.

5. Where a trustee pays money to the wrong person there is a breach of trust, even where the trustee is also the victim of fraud

Two of the most important duties of a trustee are to protect the trust property and to only pay money out of trust when it has been appropriately authorised. The fact that a trustee was deceived into paying money out of trust does not prevent a finding of breach of trust: one of the very duties of a trustee is to protect the beneficiary from fraud.

 

6. Actions for breach of trust are difficult to defend

While a defence of contributory negligence or apportionment of liability can apply to an action based on a breach of duty, where the trustee's liability is not predicated on a failure to take reasonable care, but on other breaches, such as a failure to account or payment from a trust account without authority, a statutory apportionment defence is unlikely to be available (George v Webb & Ors [2011] NSWSC 1608).

Further, while trustee legislation may include provisions enabling a trustee to be excused for the breach of trust where s/he has acted honestly and reasonably, this relief is rarely granted in the case of professional trustees and the defence is unlikely to assist a legal practice or professional advisor that has failed to take reasonable steps to prevent the fraud occurring, given the number of warnings that have now been issued by professional bodies, insurers and government.

 

7. Actions for breach of trust are not protected under limited liability schemes

The Professional Standards legislation under which limited liability schemes operate specifically excludes breaches of fiduciary duty and breach of trust from protection under these schemes.

 

8. Breaches of statutory obligations can lead to civil, criminal and disciplinary consequences

Lawyers’ obligations in relation to trust money are regulated by statute and the general law. In NSW and Victoria, for example, the Legal Profession Uniform Law (LPUL) regulates the obligations of lawyers and others in relation to trust accounts.

Section 138 of the LPUL (NSW) provides that a law practice must disburse trust money only in accordance with a direction given by the person on whose behalf it was received. Under section 148 of the LPUL (NSW) there is also a duty to avoid any deficiency in any general trust account or trust account ledger. Where a law practice or legal practitioner causes a deficiency in any trust account or fails to pay or deliver trust money a criminal penalty provision applies – this is either 500 penalty units ($55,000), imprisonment for five years, or both.  

Lastly, section 154 of the LPUL (NSW) requires the reporting of irregularities in trust accounts, including a duty on the part of a legal practitioner of one law practice to report any suspected irregularity affecting another legal practice. 

 

The extent of trustees’ obligations means that any trustee, particularly a professional trustee such as a law practice, is especially vulnerable in the event a client loses funds as a result of BEC. It is important to note that many scams involve no computer or account intrusion, and that educating all staff about email fraud and trustees’ duties and implementing appropriate accounts payment processes is key to preventing these scams from succeeding.

 

 

 
 