Cybersecurity

Law firms across Australia are the target of sophisticated cybercrime, and the legal sector handles two things criminals especially want: confidential personal information, and client money in transit. As a firm practising in Queensland and New South Wales, we take our obligations to protect both seriously.

This page explains:

  1. how we protect the information you entrust to us;
  2. what we will and will not do when handling your money — and what we ask you to do in return; and
  3. the scams currently targeting law firms and their clients, so that you can recognise them.


This page should be read together with our Privacy Policy, Disclaimer, and our Client Cyber Alert (which we provide when you engage us). If you have not received our Client Cyber Alert, please ask for a copy.

1. How we protect your information

Our handling of personal information is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which require us to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11).

We maintain administrative, technical, and physical safeguards appropriate to the size and nature of our practice. These include:

  • access controls and authentication requirements for staff systems and email accounts;
  • secure electronic and paper storage of client records;
  • procedures for verifying client identity and instructions, particularly instructions that involve the movement of money;
  • ongoing staff training on cyber-fraud awareness; and
  • incident-response procedures aligned with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).

 

We also operate our trust account in compliance with our regulatory obligations, including those under the Legal Profession Act 2007 (Qld) and the Legal Profession Uniform Law (NSW). Where we become aware of any irregularity in our trust account, including any cyber incident affecting it, we are required to report it to the Queensland Law Society or the Law Society of New South Wales (as applicable), and we will do so promptly.

No system is immune from compromise. Where we become aware of a data breach that is likely to result in serious harm to an individual whose personal information is involved, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.

2. Our rules when handling your money

The single most common attack on Australian law firms and their clients is payment-redirection fraud: a criminal gains access to an email account (often the client’s, sometimes the firm’s), monitors correspondence, and at a critical moment sends a convincing email asking that funds be sent to a “new” or “updated” bank account. The funds go to the criminal and are usually unrecoverable.

To reduce that risk, the following rules apply to every matter we handle.

Our bank account details will not change

We will not change our trust or office account details during the course of your matter. If you receive any communication (email, SMS, letter, or phone call) that appears to come from us and asks you to send funds to a new or different account, do not act on it. Telephone us on the number on this website (not a number contained in the communication) and speak to your matter contact before transferring any funds.

What we will not do

If we are acting for you on your instructions, we will not:

  • Contact you using a phone number set out in an email, SMS, or other communication that asks for money or provides account details, without you first verifying that number against our published contact details, prior correspondence, or our website;
  • Transfer money on your behalf without first speaking to you by telephone (on a known number) to verbally verify the account name, BSB, account number, and amount; or
  • Ask you to open attachments, click links, or scan QR codes contained in unexpected emails without you first verifying with us that the email is genuine.

 

What we will do

We will:

  • Telephone you to verbally confirm any change to our bank account details (which, as set out above, will not change in any event);
  • Verbally verify account details before sending or receiving funds on your behalf;
  • Give the same warnings to others involved in your matter (agents, brokers, family members, accountants, or other third parties) who may also handle funds; and
  • Respond promptly to any concern you raise about an email, message, or call that purports to come from us.

 

What we ask of you

To protect yourself, please:

  • Treat any change to payment instructions as suspicious until you have spoken to us on a known number;
  • Read out and confirm BSB and account numbers verbally before transferring funds to us, no matter the amount;
  • Check the sender’s email address carefully — fraudulent domains often differ from the real one by a single character;
  • Use strong, unique passwords and multi-factor authentication on your email account (compromised client email is a very common starting point for fraud);
  • Check your email account for unauthorised auto-forwarding rules from time to time; and
  • If anything feels wrong, stop, do not transfer funds, and call us.

 

3. Scams currently targeting law firms and their clients

Awareness is one of the most effective defences. The following scams are active in Australia and have caused significant losses to clients of law firms.

Payment-redirection (business email compromise). A criminal gains access to a client’s or firm’s email, monitors the matter, and sends a fake email at the moment funds are due, with altered account details. Losses in the hundreds of thousands of dollars per incident have been reported by the Law Society of NSW.

AI-generated voice impersonation. Criminals have used AI-generated voice recordings of clients to telephone law firms and direct payments. If a call to or from us sounds slightly unnatural (odd pauses, unusual phrasing, distorted audio), treat it as suspicious and call back on a known number.

Bank impersonation. Scammers call, email, or message claiming to be from a bank’s “fraud team”, asserting that an account has been compromised and asking that funds be moved to a “safe account”. Banks do not operate this way. If you receive such a call, hang up and telephone your bank on the number printed on your bank card.

Website and domain impersonation. Criminals register domains very similar to a law firm’s real domain (often differing by one character) and may clone the firm’s website. They then approach clients or counterparties from the fake domain. Always check the email address and domain carefully, and if in doubt, call us on the number on our website.

“Urgent” unsolicited matters from abroad. Be cautious of any approach asking us to receive and then forward funds urgently. These are commonly cheque scams designed to draw funds from a trust account before the cheque is dishonoured.

For current alerts, the Law Society of NSW publishes a scam alerts page, the Queensland Law Society’s Proctor publishes regular cyber updates, and the Australian Signals Directorate’s Australian Cyber Security Centre maintains current consumer and small-business advice at cyber.gov.au.

4. If something has gone wrong

If you have transferred funds to an account you now suspect is fraudulent:

  1. Contact your bank immediately and ask them to attempt a recall. Time matters: the first hour is critical.
  2. Contact us on 07 5506 9800 so we can take steps at our end, including notifying our bank, the relevant Law Society (Queensland Law Society or Law Society of NSW), and our professional indemnity insurer.
  3. Report the incident to ReportCyber at cyber.gov.au/report. You will receive a report reference number which your bank and the receiving bank can use.
  4. If your identity documents may have been compromised, contact IDCARE (Australia’s national identity and cyber support service) on 1800 595 160 or at idcare.org. The service is free.

 

If you believe an email purporting to be from this firm is fraudulent, please forward it to office@hqf.com.au and then delete it. Do not reply to it, click any links, or open any attachments.

If you suspect a website is impersonating ours, please let us know so we can take action with the domain registrar and the relevant authorities.

5. Limits of this page

This page describes our general practices and provides general guidance. It is not a guarantee that information or funds will never be compromised, and it is not legal or technical advice tailored to your circumstances. If you have specific concerns about the security of your matter, please contact us directly.

6. How to contact us

For any enquiries about cybersecurity, please contact:

HQF Lawyers

Suite 2, 82 Marine Parade, Coolangatta QLD 4225

T: 07 5506 9800

E: office@hqf.com.au

W: hqf.com.au

7. Changes

We may update this Cybersecurity page from time to time to reflect changes in our practices or applicable law.

Last updated: May 2026