Check those bank instructions

You should not accept these instructions without checking that they are genuine. If you receive an email which tells you that a person or company’s bank details have changed, you must take steps to confirm that the instructions are valid.

Financial transactions are now commonly conducted by funds transfer. In these transactions, as in other forms of banking transactions, there is scope for fraudulent activity.

The nightmare scenario is where criminals, having hacked into private email chains, masquerade as the solicitor’s client (or other party) and send email instructions to the solicitor. The email informs the solicitor that bank account details have changed at the last minute and that money should be deposited into a different account. The fraudsters will usually time the email well, ensuring that it aligns with the run-up to the completion of a transaction.

The email instruction might refer to a payment due to the solicitor’s client representing the free proceeds of sale, as these attacks are common in property transactions. However, any transaction might be targeted, including payments to beneficiaries from trusts or executries.

These fraudulent emails are designed to be completely convincing. It is never safe to assume that any email with bank details is genuine. Criminals have the ability to mimic the language used by clients, other firms, suppliers and colleagues. The email might have actually been sent from the hacked email account. In other words, there might be no way of distinguishing a fraudulent email from the real thing.

If acted on, fraudsters can succeed in eliciting payment into bank accounts under their control. Their timing may be such that the funds have been transferred and withdrawn before the banks and police have been alerted to put a stop on it.

Helpful advice is as follows:

• When taking instructions at the start of the transaction, the solicitor should obtain full contact details (including a work telephone number) for the client, together with the client’s account details if it is likely that you will be making a payment to them.
• The client should be informed at the outset that if they subsequently change the payment instructions, the firm will not make any payment until such time as it has been able to confirm those instructions with the client by alternative means.
• Where payment instructions do change, effective steps need to be taken to verify with the client, by means other than email, that the instructions are genuine and correct. Face to face is obviously ideal but, at the very least, picking up the phone and verifying email instructions with a known individual is an essential safeguard.
• For a telephone call to provide satisfactory verification of instructions received by email, it needs to be a call made TO the client. If the client calls you, call them back on a different line.
• Fraudsters can masquerade as solicitors too. Payment instructions/bank details should be in the terms of the firm’s engagement at the outset. Consider adopting a disclaimer warning on your engagement letters and on the footer of correspondence, advising that the firm’s bank account details will not change during a transaction; that the firm will not change bank details via email; and that clients should check the details with the firm in person if in any doubt.
• A forthcoming Society guide will cover issues such as these and other risks associated with working digitally. 

Q & A corner: Solicitors travelling to USA carrying electronic devices

Q. For my family summer holiday we are heading to the USA for three weeks. One or two work issues are likely to arise and I plan to take my laptop so that I can log in to the office system to keep on top of anything urgent. A colleague thinks this is a bad idea as the US authorities take a very tough line on inspecting visitors' laptops and electronic devices, and this could cause serious problems in terms of client confidentiality and access to privileged information. What advice can you offer?

A. Although holidays are not supposed to involve work at all(!), this is a very relevant and serious issue. The US Department for Homeland Security issued a document entitled “Privacy Impact Assessment for the Border Searches of Electronic Devices”, setting out the position very clearly. Put bluntly, if you want access to the USA, access has to be provided to any electronic devices you are carrying. Issues of confidentiality and privilege would be irrelevant in that situation and will fall on deaf ears if you try and challenge officials on inspection.

Our advice is that prevention is better than cure. Any solicitor concerned about the information being accessed on an electronic device should either not take it with them at all or arrange to access it on their UK server using a dial-in facility on their phone or laptop. In practical terms, any app or shortcut used to do that should be deleted before travel and reinstalled on arrival. If US border control officials see the app or a desktop shortcut on a device, they would be entitled to ask for it to be demonstrated before they decide how to proceed.

In addition, it is worth pointing out that taking the information out of the EU is almost certainly a data breach by the solicitor, which calls into question the sense of trying it in the first place.