ALERT: Members Must Be Vigilant to Avoid being a Victim of Cybercrimes (Circular No 159/2020)

Circular No 159/2020
Dated 18 May 2020

To Members of the Malaysian Bar

We have been informed by the Broker for the Malaysian Bar Professional Indemnity Insurance (“PII”) Scheme, Jardine Lloyd Thompson Sdn Bhd (“JLT”), of a notification involving a possible hacking of a law firm’s email account.  The incident took place just before and during the Movement Control Order (“MCO”) period; at a critical time when law firms and most businesses were closed, making it difficult to confirm instructions given during this time.

In the notification, a law firm acting for a purchaser (“Purchaser’s Solicitor”) in a sale and purchase agreement of a property nearing completion had obtained an extension of time to pay the balance purchase price.  One day before the MCO took effect, the Vendor’s Solicitor emailed the details of their firm’s client accounts to the Purchaser’s Solicitor.  Later in the evening, the Purchaser’s Solicitor received another email purportedly from the Vendor’s Solicitor, with instructions to transfer the funds into a different bank account that was not under the name of the Vendor.

The Purchaser’s Solicitor tried calling the Vendor’s Solicitor’s office to confirm the change of bank account details, but there was no answer as their office was closed due to the MCO.  The Purchaser’s Solicitor then emailed the Vendor’s Solicitor expressing concern over transferring funds to a third-party account, and requested a signed letter on the Vendor’s Solicitor’s letterhead confirming the change of bank account details.  The Purchaser’s Solicitor then received an email reply assuring that all was in order and attaching the requested confirmation letter, which had a signature and letterhead similar to previous letters received from the Vendor’s Solicitor.

During the MCO period, both parties exchanged various emails requesting payments and exchanging updates of the same.  The Purchaser’s Solicitor then made the fund transfers in various instalments, and forwarded proof of the same to the Vendor’s Solicitor.  Days later, the Purchaser’s Solicitor received a call from the Vendor’s Solicitor following up on the transfer and was shocked to learn that the Vendor’s Solicitor claimed not to have sent such emails on the purported change of bank account details.

All parties have since lodged police reports on this incident.

From the facts available, we can see the following:

(1) The email exchange had the same email trail that started from the beginning of the agreement;
(2) During the course of email communication, there was a change to the email addresses: some email addresses were slightly different, but the name attached to the email remained the same;
(3) The email address shown for the Vendor’s Solicitor looked similar to the genuine one, albeit with a slightly different domain name;
(4) The email received by the Purchaser’s Solicitor had intimate details of the file, including the constraint of time and pressure on the Purchaser to pay the balance purchase price within the extended completion date that fell within the MCO period;
(5) Emails from the Vendor’s Solicitor had the law firm’s sign-off, that included the law firm’s logo; and
(6) The letterhead used was similar to the ones received by the Purchaser’s Solicitor prior to the MCO period.

We know when this alert is issued, Members will have questions.  However, we only have these brief facts.

We urge Members to exercise great caution when receiving instructions, especially via email, and especially when they differ from agreed terms, eg with regard to transferring funds to a third-party account!

When there is a change request, minor or otherwise, every additional caution must be taken.  If the lawyer you called to make verifications failed to answer his office or personal phone, reconsider whether to proceed with the instructions and the risks involved if you choose to act upon such instructions.

PLEASE take all necessary steps to avoid being a victim of cybercrimes.

(1) If you are in doubt of instructions received by email:

(a) Call the solicitor or client to confirm the instruction.  If you are unable to reach the solicitor, ask your client to call the vendor directly to confirm the change of instructions.  Confirm the conversation in writing immediately after you have spoken to the right person;
(b) Forward the email to the solicitor or client to confirm the instructions.  This way, you will need to type in the email address of the recipient and not rely on the “reply” or “reply all” function; or
(c) Fax or courier a copy of the instructions to the solicitor or client, seeking a confirmation of the instructions.

(2) Check email addresses in full even when you click “reply” or “reply all”.  Hackers can imitate a person’s name so that it appears the same, while attaching a different email address to it.

(3) Change your email password frequently and include a combination of font, cases, symbols and numbers.  Avoid using birth dates and favourite names as your password; and do not share your password with anyone.
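
The check in item (2) can also be automated over a saved email thread. The following is an added example, not part of the circular: it flags any message whose sender name was seen earlier in the same thread with a different address, and marks near-identical domains as lookalikes. The addresses and `.example` domains are constructed, the function names and the 0.8 similarity threshold are assumptions, and the first address seen for each name is assumed to be genuine.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample thread: (From header, subject). All domains are placeholders.
THREAD = [
    ('"Vendor Solicitor" <conveyancing@vendorlaw.example>', "SPA: extension of time"),
    ('"Vendor Solicitor" <conveyancing@vendorlaw.example>', "Client account details"),
    ('"Vendor Solicitor" <conveyancing@vendor1aw.example>', "Re: Client account details (updated)"),
    ('"Purchaser Solicitor" <accounts@purchaserlaw.example>', "Re: Client account details (updated)"),
]

def split_sender(from_header):
    """Return (display name, full address, domain), all lower-cased."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    return name.strip().lower(), addr, addr.rpartition("@")[2]

def review_thread(thread, lookalike_ratio=0.8):
    """List messages where a known display name arrives from a new address."""
    first_seen = {}  # display name -> (address, domain) first seen in this thread
    findings = []
    for index, (from_header, subject) in enumerate(thread):
        name, addr, domain = split_sender(from_header)
        key = name or addr  # no display name: fall back to the address itself
        if key not in first_seen:
            first_seen[key] = (addr, domain)  # assumption: first sighting is genuine
            continue
        known_addr, known_domain = first_seen[key]
        if addr == known_addr:
            continue
        ratio = SequenceMatcher(None, domain, known_domain).ratio()
        if domain == known_domain:
            kind = "different-mailbox"
        elif ratio >= lookalike_ratio:
            kind = "lookalike-domain"  # same name, slightly different domain
        else:
            kind = "different-domain"
        findings.append({"index": index, "kind": kind, "name": name, "seen": addr,
                         "expected": known_addr, "similarity": round(ratio, 3),
                         "subject": subject})
    return findings

if __name__ == "__main__":
    for finding in review_thread(THREAD):
        print("VERIFY BY PHONE BEFORE ACTING:", finding)
```

A finding does not prove fraud, and an empty result does not prove the thread is safe; any change of bank account details still needs confirmation by telephone as set out in item (1).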

To know more about cybersecurity risks, read Circular No 125/2020 dated 27 Apr 2020 and Jurisk! July 2019 entitled “Cybersecurity: Ignorance = Risk”.

Members are reminded to be constantly vigilant, and to notify JLT if you think you have become a victim of a cybercrime that could lead to a possible claim against your law firm.  Make a notification as soon as possible within 60 days of awareness to JLT at:

Jardine Lloyd Thompson Sdn Bhd
Level 42-01A (West Wing), Q Sentral
2A, Jalan Stesen Sentral 2, KL Sentral
50470 Kuala Lumpur, Malaysia
Telephone: 03-2723 3388
Email: mbar@jltasia.com

Should you have any enquiries, please contact Mysahra Shawkat, Legal Risk Junior Counsel, Bar Council PII and Risk Management Department, by telephone at 012-237 1300 or by email at pirm@malaysianbar.org.my.

Thank you.

 

A G Kalidas
Secretary
Malaysian Bar