Photo: Diego M. Radzinschi/ALM

The Canadian arm of global legal giant Dentons fell prey to a sophisticated scam that resulted in the inadvertent transfer of $2.5 million in client funds to a fraudster's Hong Kong account, according to a court ruling in Canada.

A description of the elaborate con, which affected Dentons Canada in early 2017, came in a Dec. 11 decision by Judge Carole Brown of the Superior Court of Justice for Ontario. Brown is considering a dispute between the law firm and insurer Trisura Guarantee Insurance Co. over whether Trisura must cover a little more than $1.73 million in losses that Dentons claimed after the cyber incident. The judge ultimately found that she didn't yet have enough information to determine the proper insurance coverage and pushed for further proceedings.

Dentons Canada spokeswoman Neetisha Seenundun said in a statement Tuesday that the insurance case arose from “a subrogated claim brought by one of our insurers against another.” As for the breach, Seenundun said, it “was caused when a third party's computer system was breached, arming the fraudsters with knowledge of the details and timing of the underlying transaction, and allowing them to impersonate employees of the third party.”

Dentons was affected by the breach amid a real estate transaction that members of the firm's Vancouver office worked on, according to the Canadian court ruling. In early 2017, after the real estate deal closed, associate Wilfred Chan was supposed to arrange for some $2.52 million to move from Dentons' trust account to Timbercreek Mortgage Servicing Inc., which held a mortgage on the property that was sold.

Before the transfer, however, Dentons received emails from people who appeared to be affiliated with Timbercreek. The emails indicated that one of Timbercreek's accounts was subject to an audit and asked for Dentons to send the money to an international account in Hong Kong, held by a third-party called Yiguangnian Trade Co. Ltd., according to Brown's decision.

Following that, the Dentons side attempted to verify, leaving a voicemail at Timbercreek and seeking letters of authorization from the mortgage servicer and the Yiguangnian entity. Although Dentons didn't receive a phone call back, it did receive what appeared to be authorization letters from Timbercreek and Yiguangnian. The law firm then went ahead with the transfer, sending the $2.52 million to the Hong Kong account, according to the court ruling.

A couple weeks later, Chan heard from the real representatives of Timbercreek wondering what happened to the wired funds, and the Dentons lawyer realized the money had been misdirected into a scam account. The law firm managed to recoup about $785,000 on its own, but then put in an insurance claim with Trisura to cover a remaining amount of about $1.73 million. The insurer, however, denied coverage on the grounds that the situation didn't fall under a computer fraud rider to Dentons' insurance policy.

Seenundun, the Dentons Canada spokeswoman, said Tuesday that the firm has not been targeted by the phishing scheme at any other point, and provides “extensive training” to its lawyers and employees on cybersecurity issues.

“The training is updated and repeated annually,” she said. “Participation is mandatory by all Dentons partners and employees. Although no firm policies were breached, we have however adjusted the training to highlight the hallmarks of this kind of fraud.”

Dentons is not the first large law firm to be impacted by a cyber breach. In June 2017, DLA Piper suffered a ransomware attack that took down phones and computers at the firm's offices in multiple countries.

Around the same time as the DLA hack, IT security provider LogicForce released survey results showing that more than 200 firms had been the targets of attempted hacks between 2016 and 2017. About 40 percent of the firms in the LogicForce survey weren't even aware of breaches that affected their computer systems.

Read More:

DLA Piper Isn't Alone—40 Percent of Law Firms Unaware of Breaches

Ransomware Attack on DLA Piper Puts Law Firms, Clients on Red Alert

5 Cybersecurity Habits Law Firms Should Kick in 2019