Assisting Lawyers
03-2698 4511

Have a query? Call the Helpdesk
PII & RM: +603-2698 4511
General Line: +603-2050 2050
Font size
  • small text
  • medium text
  • large text

The Bait In A Phishing Scam

"Phish" is pronounced the way it is spelled, just like saying the word "fish" — the analogy of a fisherman throwing a baited hook in the open sea and hoping for a catch.  Phishing occurs when a crook impersonates an entity, like the bank or service provider, to dupe a user into opening an email message.  The email will typically direct the user to visit a website to update their personal information  It could be for a user’s password, credit card or bank account number.  The website, however, is bogus and will capture and steal any information that is entered.

Crooks do their best to make phishing messages look genuine.  They recreate content that mimics closely the official websites and emails by using the same details (eg layout, written matter and fonts).  Often the recreation will include corporate logos and links to the alleged sender’s real website.  Their emails state ‘urgent’ as a way to lure you to:
  1. reset your password because your account has been compromised or need updating; or
  2. login to your account to review an invoice for an unauthorised payment.
Phishing may also occur when hackers manage to break into your network and remain undetected.  Hackers will snoop on your information while waiting for the right time to strike.
In a claim notified to the PII Scheme, the lawyer received an email purportedly from his client.  The email provided the lawyer with a link to retrieve documents of which the lawyer had requested earlier from his client.  After clicking the link, the lawyer was redirected to his email login page.  It prompted him to re-enter the user name and password for his account.  However, once entered, the email account was locked and he could no longer access the account.  By now the lawyer realised that his client’s email was probably hacked, and subsequently used to phish for his information.  The next day, the lawyer was informed by his clients and friends regarding an email purportedly sent from his email account requesting for friendly loans and payments for legal fees to be transferred to a local bank account which did not belong to him[1]
In another case, a hacker had intercepted and hacked the email accounts of a legal firm and their client.  The hacker then posed as the client with instructions to transfer the money to a local bank account.  The hacker also provided information believed to have been extracted from previous email correspondence between the firm and the client, to bolster credibility as the purported client.  This led the firm to believe that it was dealing with its actual client.  The actual client later called the firm to enquire about their money.  When the client found out what happened, they asserted that no instructions had been given to transfer the money.  Obviously the client had not received any money[2].
When communicating for instructions to change or provide sensitive information belonging to clients, it is crucial for firms to keep a proactive approach.  Ensure lawyers and staff don’t fall victim to such scam by creating awareness.  Have in place strict processes and procedures to verify all instructions especially when it involves financial transactions.  Don’t bypass these processes simply because it’s ‘urgent’.  Be in the lookout for red flags such as:
  • confirm the link provided by placing your mouse over it.  The taskbar in your window should match the company’s usual website you are asked to visit.
  • the email address is the sender’s usual email address.  Look out for variables in spelling, eg and
  • spelling and grammar mistakes.
  • a sense of urgency – instructions to update or change personal information immediately or instructions to transfer or release funds quickly without the usual checks and balances.
  • anyone asking for money, or more importantly, when a client purportedly instructs you to pay or release money or valuable documents urgently.
Most importantly, be sceptical when responding to electronic communications.  When in doubt, call and speak personally to the person responsible making the request.  Ensure that your firm’s computer system is protected with updated security tools and software.  This way, you can avoid phishing threats and shut down one of the most common methods of identity theft.
[1] “Cyber Crimes – L:awyers Are Not Spared”, Praktis (13 June 2016),
[2] Practice Alert: Legal Firm Scammed into Releasing Client’s Money to Fraudster (Circular No. 137/2014) (1 July 2014),

 [mys1]Maybe we amend the name of the bank to Miracle Bank or something