Law Firm Trust Account Fraud Explained — How Melbourne Firms Are Losing Thousands
Trust account fraud targeting Melbourne law firms has increased dramatically. The Law Institute of Victoria has issued repeated warnings, noting that this fraud is increasingly sophisticated and difficult to detect without specific security controls. For small and medium law firms, a single successful attack can result in six-figure losses.
The Anatomy of a Trust Account Attack
Trust account fraud almost always begins with email compromise, of either the firm's mailbox or the client's. Once inside, attackers monitor communications silently, sometimes for months, often adding inbox rules that forward or hide messages so the legitimate account holder never sees the exchange. They learn the details of active matters, the expected settlement or payment dates, and how communications are typically worded. At the right moment, the attacker sends a carefully crafted email appearing to come from the firm (from the compromised mailbox itself, or from a lookalike domain that differs from the real one by a letter or two), advising the client of new bank account details. In property matters, single incidents have resulted in losses exceeding $200,000.
Why Law Firms Are Particularly Vulnerable
Law firms are prime targets because they combine three high-value factors: large financial transactions, time pressure (court deadlines, settlement dates), and a communication pattern that is almost entirely email-based. The fiduciary relationship between lawyer and client means clients have a very high level of trust in communications that appear to come from their lawyer — making them more likely to act quickly without verification. Small firms are especially vulnerable because they often lack dedicated IT security resources and may not have implemented basic email security controls.
Your Professional Obligations
Victoria's trust account rules, made under the Legal Profession Uniform Law and administered by the Victorian Legal Services Board and Commissioner, create significant professional obligations around the security of trust money, and the Law Institute of Victoria's guidance reinforces them. A law firm that suffers a trust account fraud where reasonable security controls were not in place faces not only the financial loss but potential disciplinary proceedings. The firm may be required to demonstrate to the regulator what controls were in place and why the fraud was not prevented.
The Four Controls That Matter Most
Multi-factor authentication on all email accounts closes the most common attack vector: a password obtained through phishing is no longer enough on its own. It is not a complete answer, because modern phishing kits proxy the real login page and relay one-time codes or push approvals in real time, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) and treat SMS codes as the weakest option. DMARC on your firm's domain, at a policy of p=reject, tells receiving mail servers to discard mail that claims to come from your exact domain but fails SPF and DKIM checks; it does nothing against lookalike domains or against mail sent from a mailbox the attacker has already taken over, which is why the next control matters most. A strict verbal verification policy for any change to payment details, using a phone number you already hold rather than one in the email, prevents most frauds even when email is compromised. And endpoint detection on all staff devices catches the credential-stealing malware used in some compromises, though many email takeovers involve no malware at all, only a phished password.
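The following is an added example (written for this page, not code from IntrusionX) that shows what "DMARC configured" actually means at the record level. It parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: an SPF record ending in `~all` instead of `-all`, and a DMARC record at `p=none`, which only monitors and rejects nothing. The four record strings are constructed samples for a hypothetical domain, not real DNS data; a live check would fetch the TXT records for the firm's domain and for `_dmarc.` under it.

```python
"""Assess SPF and DMARC TXT records for email-spoofing resistance.

Added example for this article. The records are constructed samples for a
hypothetical firm domain (example-firm.test); nothing here does a DNS lookup.
"""
import re

# Constructed sample records: the "weak" pair is what a domain looks like
# when SPF/DMARC have been "set up" but never moved to enforcement.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@example-firm.test")

# SPF mechanisms/modifiers that each cost one of the 10 allowed DNS lookups.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|redirect=|exists:|a$|a[:/]|mx$|mx[:/]|ptr)")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected (needs p=reject)")
    # Subdomain policy defaults to the organisational policy when absent.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        findings.append(f"sp={sub}: subdomains of the firm's domain can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who spoofs you are not collected")
    return findings


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it hard-fails unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders receive a neutral result")
    elif not all_term.startswith("-"):
        findings.append(f"{all_term}: unauthorised senders are not hard-failed (needs -all)")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the limit of 10, so SPF evaluation fails (permerror)")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'enforcing' is True only when neither record has findings."""
    spf_findings = assess_spf(spf)
    dmarc_findings = assess_dmarc(dmarc)
    return {
        "spf": spf_findings,
        "dmarc": dmarc_findings,
        "enforcing": not spf_findings and not dmarc_findings,
    }


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("corrected", STRONG_SPF, STRONG_DMARC)):
        result = assess_domain(spf, dmarc)
        print(f"{label}: enforcing={result['enforcing']}")
        for finding in result["spf"] + result["dmarc"]:
            print("  -", finding)
```

Run as-is it reports the weak pair as non-enforcing (softfail SPF, monitor-only DMARC) and the corrected pair as clean. Note the scope of what passes: an enforcing record stops mail forged with the firm's exact domain, and nothing else. A lookalike domain has its own DNS and passes its own checks, and mail sent from a mailbox the attacker controls is authentic as far as SPF and DKIM are concerned. That is why the verbal verification policy has to sit alongside the DNS configuration, not replace it.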
Client Communication Policy
Include explicit trust account security language in your engagement letters and update existing clients: "We will never change our trust account details by email. Any communication purporting to provide new bank account details for trust payments should be verified by calling our office directly before any transfer is made." Give clients the office number in the engagement letter itself, and tell them to use that number rather than any number printed in the email, since a fraudulent email will helpfully supply one that the attacker answers. This policy, communicated clearly, significantly reduces the likelihood of a successful attack: even if a criminal sends a convincing fake email, an informed client will call to verify.
Incident Response
If your firm experiences a suspected trust account fraud, act immediately. Contact your bank's fraud team and the client's bank first, because a recall of the transfer is only realistic in the first hours. Then report to Victoria Police and to the Australian Cyber Security Centre via ReportCyber, notify the Victorian Legal Services Board and Commissioner as the trust account regulator (and the LIV, which can assist members), and engage a cybersecurity incident response specialist. Evidence preservation is critical: do not wipe systems or delete emails before forensic investigation is complete, and before resetting passwords or revoking sessions on a compromised mailbox, export its sign-in logs, inbox rules and mail-forwarding settings, since these show how long the attacker had access and which other matters they may have read. Contact IntrusionX for immediate incident response support and to put controls in place that prevent future incidents.
Preventing Future Incidents
After experiencing or being informed about trust account fraud, the immediate priority is to understand how the attack occurred and close the vulnerability that enabled it. Was it email compromise — requiring MFA and email security improvements? Was it domain spoofing — requiring DMARC configuration? Was it a lack of verification procedures — requiring policy implementation and staff training? A post-incident security assessment identifies the specific gaps and provides a prioritised remediation plan. IntrusionX can conduct this assessment for Melbourne law firms that have experienced an incident or wish to prevent one — contact us for a free initial consultation. The cost of prevention is a fraction of the cost of a single successful trust account fraud.
Need help protecting your business or home?
IntrusionX provides independent cybersecurity for Melbourne businesses and families. Free consultation, no lock-in contracts.