Payment frauds: the fight goes on

Q. What are the current external fraud risks to which the profession needs to be particularly alert?

A. The profession continues to be targeted by “payment instruction frauds”. This type of fraud has been the subject of regular Marsh risk alerts and articles. Some of these frauds have resulted in very substantial Master Policy claims.

To recap: in this type of fraud, criminals send email instructions to solicitors requesting that payment is made into a bank account, details of which are provided in the email. The criminals are masquerading as the solicitor’s client, or a supplier, or another law firm, or a colleague. Very often, these emails are sent in the context of property transactions and the instruction refers to payment of money due to the solicitor’s client representing the free proceeds of sale. Payments to beneficiaries of trusts and executries have also been targeted.

Q. We are a small rural practice. Is it likely that we could be targeted? Are larger firms in the central belt more likely to be targeted?

A. There is no indication from experience to date of any correlation with firms’ size or location. The perpetrators appear to target transactions rather than firms, and very often the key feature is the fact that payment to the client is being made on a Friday. The term “Friday afternoon fraud” has been coined in relation to this type of fraud. The timing recognises the best opportunity for the stolen funds to be transferred to, and withdrawn from, destination bank accounts before a stop is put on the funds. Criminal activity of this kind has grown significantly across the UK in the last few years.

The consistent common denominators are the fact that payment is being made by bank transfer and that the payment instruction is communicated by email. The perpetrators of these frauds appear to be very skilful in identifying their opportunities.

Q. Does this mean that payment instructions received by email should not be trusted or acted on?

A. It is certainly not safe to conclude that a payment instruction email is genuine just because it appears to come from the firm’s client and looks genuine. Criminals are capable of mimicking the language of genuine emails so that their emails appear authentic. By hacking email accounts, it is possible that the criminal’s email will be, or appear to be, from the genuine email address.

Recent experience also shows that it is not safe to rely on a payment instruction email even if it repeats, in part, a previously verified payment instruction – for example if the email instructs solicitors to remit part of the funds to an already vouched client bank account.

Q. If an email repeats in part a payment instruction which has already been verified to the solicitors’ satisfaction, surely that establishes that the amended instruction is genuine. Why would that sort of instruction need to be verified?

A. Consider the following example:

In connection with a property sale, a solicitor had received a timely, verified, genuine instruction from the client to pay the net sale proceeds, £200,000, into a specified account with Bank A.

Subsequently, on the day of settlement (a Friday), an email was received (purporting to be from the client) in which the earlier instruction was amended. Rather than the entire £200,000 being remitted to the Bank A account previously advised, the solicitor was instructed to pay half of the money, £100,000, into that Bank A account and the other £100,000 into an account with Bank B. The solicitor believed the instruction to be genuine and arranged for the two transfers to be made.

The client quickly realised that only £100,000 had been received into his account with Bank A, and queried this with the solicitor. At that point, of course, it became apparent that the email received on settlement day was not from the client. Immediate action on the part of the firm, and the bank, meant that the £100,000 misdirected to the Bank B account was recovered.

This case demonstrates the sort of techniques criminals use to put victims off guard. It also demonstrates that, with swift action, all may not be lost. The inescapable conclusion is that there should be no exceptions to the requirement for verification of any instruction received by email.

Q. Is it considered sufficient verification to have clients confirm their instructions by telephone?

A. Some firms have adopted the approach that they insist on verified payment instructions at the outset of the relationship or engagement, and will not accept late changes without a meeting. In that event, the risks posed by sending or receiving payment instructions by email are largely avoided.

To the extent that payment instructions by email cannot be avoided, the client’s instruction needs to be verified by some means other than email. A telephone call to the client provides one practical method of verifying the instruction, provided there is a means of being satisfied that the conversation is with the client.

Bear in mind that a telephone conversation may not prove anything if, for instance, the call is received from the “client” rather than made to the client.

Q. What if, in spite of all the steps we take to address this risk, we fall victim to a payment instruction fraud? What steps do you suggest we take?

A. In the worst case scenario, if a firm does fall victim to a payment instruction fraud, activating the firm’s response plan needs to be immediate. Time is of the essence. It may be possible to have payments stopped, but only if the bank and other parties are alerted immediately.

The guidance documents and tools available on the Marsh website for Scottish solicitors include an outline fraud response plan designed to capture contact details and to allocate responsibilities for the firm’s prioritised action plan.

Q. Are there any other actions we should be taking to minimise the risk of exposure to external frauds and scams?

A. It is worth considering making use of guidance, materials and tools available on the Marsh website for Scottish solicitors:

• The self-assessment checklist in the Frauds and Scams section of the website is designed as a gap analysis tool or aide-mémoire to prompt consideration of appropriate risk controls to minimise the risk of the exposure to external frauds and scams.
• The Marsh eLearning module “Frauds and scams – increasing awareness” reflects recent experience of external frauds and scams and the critical importance of ensuring that colleagues maintain their awareness of external fraud risks.
• The Cyber Risk Management Action Plan suggests actions to minimise firms’ exposure to cyber risk, both cyber crime risks and potential loss of data or breach of data security resulting from innocent human error or system failure. The action plan adopts a methodical risk management approach, starting with identification and assessment of the firm’s risk exposure. As with any aspect of risk management, this is not a once only process.
• The Cyber Risks Insurance Gap Analysis is a tool designed to assist firms in carrying out a comprehensive review of the extent to which the firm’s current insurances protect the firm in respect of cyber crime and other cyber risk exposures.

Cyber crime and other cyber risks are dynamic and call for regular review and continuous enhancement of the firm’s risk management.

Alistair Sim and Marsh

Alistair Sim is a former solicitor in private practice, who works in the FINPRO (Financial and Professional Risks) National Practice at Marsh, global leader in insurance broking and risk management. To contact Alistair, email alistair.j.sim@marsh.com

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.