Don't get fooled again

Despite all the warnings and publicity surrounding frauds against solicitors’ firms, we are all still faced with the threat of falling victim to frauds and scams, particularly as fraudsters and their methods become ever more sophisticated.

As one of the panel solicitors for the Law Society of Scotland Master Policy insurers, I am regularly instructed by them to represent their interests and those of the insured solicitor firms, and I have dealt with numerous and varied cases of fraud perpetrated against solicitor firms.

I am increasingly seeing claims where it is the firm’s client who is the primary target and of a fraud perpetrated during a transaction being dealt with by the firm for the client, and by way of a hack of the email correspondence exchanged between solicitor and client.

The consequences of fraud are serious and devastating for both firm and client; and for firms, there is the reputational damage to consider as well as the financial loss.

The hazards of email

In my experience, email payment fraud, sometimes referred to as email instruction fraud or email modification fraud, continues to be the most common form of fraud perpetrated against solicitor firms and their clients, but it is not the only trick up the fraudsters’ sleeves.

The common scenario is where the email correspondence between the solicitor and client is hacked. The fraudsters place malware into the computer system and it can lie dormant until it recognises specific keywords that it is programmed to pick up relating to a request for funds or a deposit to be paid. The fraudsters can then intercept the emails and alter them as they please, which inevitably includes changing bank account details, if they are given, or adding in bank account details to the email. The fraudsters are often sophisticated and knowledgeable enough to be able also to add comments about the ongoing transaction, thus giving the fraudulent emails a degree of credibility and duping the recipients into believing they are genuine.

The result is either that the firm authorises payment out of their client account to the fraudsters by acting on the fraudulent email, or the client pays money to the fraudsters instead of to the firm, acting on the fraudulent email.

Usually the client has paid away a large deposit towards the purchase of their dream home. The latter is devastating for the client but both scenarios are potentially devastating for the firm and can have serious implications.

Thankfully, firms nowadays are cognisant of the risk of email payment fraud and are taking steps to minimise their exposure to this risk, but the ways in which fraudsters are perpetrating frauds are ever-changing and sophisticated.

While it is difficult to be able to eradicate the risk of fraud altogether, there are things you can do to try to minimise the chance of it happening to you or your clients. Here are some of my top tips to avoid this happening to you:

1. Do not send bank details by unencrypted email. In fact, don’t send by email at all. It is now common, though not universal, for firms to issue their client account details only by post or encrypted email at the beginning of a transaction, with notice given to the client (and reinforced in email footers) that the account details will not change during the life of the transaction. That is perhaps the best way to seek to minimise your and your client’s risk to being the victim of an email payment fraud. If both firm and client know bank details will never be sent by unencrypted email then one party is less likely to act on an email containing bank details – or if they do, they only have themselves to blame.

If you send bank details by unencrypted email, you leave yourself open to creating the opportunity for fraudsters to defraud you or your client out of money.

2. Perhaps more fundamentally, if you say in your initial engagement or email footer that you are not going to issue bank details by email, don’t proceed to do just that. I have experience of claims involving solicitors who did precisely what they said they would not do – confirm bank details by email – and, needless to say, that is not the best position to start from.

3. It’s good to talk! Bank details can be confirmed or provided over the telephone at the time needed, as required. Even bank details sent or confirmed by text or WhatsApp are far less easily intercepted than those sent by email.

Other modes of fraud to watch out for

1. “Friday frauds” 

Email modification fraud is not the only method the fraudsters are using. There is still the risk of what has been termed the “Friday frauds”, the call to the cashroom on a Friday afternoon from someone saying they are calling from the bank to check a suspicious transfer or to check a payment, and conning the recipient of the call into disclosing PIN numbers and passwords, giving the fraudsters access to the firm’s client account.

Again, there is good awareness of the risk of a “Friday fraud” and firms are taking steps to minimise their risk to exposure by making sure all staff are informed of this type of fraud. However, it is worth reinforcing the message internally in the firm on a regular basis, particularly where there is the inevitable turnover of staff from time to time.

Also, it is worth considering limiting access to client account details and client money only to those staff in your organisation who need it.

2. Services outsourced to third-party providers

If you outsource services, beware. This is another opportunity for fraudsters. It is becoming more common for firms to outsource certain functions, for example, the cashroom function, to independent third-party providers. I have seen an example of this recently where the fraudsters hacked the third-party provider’s computer system and were able to intercept emails and documents passing between the third party and the solicitor firm. The fraudsters intercepted and altered the bank account details on a document, resulting in the firm paying funds out of their client account to the fraudsters as opposed to the intended legitimate payee.

Here, even where the firm’s computer systems were not compromised, they were the ultimate victim of the fraud and were the party who ultimately authorised the release of client funds on the basis of a fraudulent instruction. There may be grounds for redress against the third-party provider, but in the first instance it is the firm, and not the third party, which is liable to account to the client for the funds it has paid away wrongly. Again, this scenario has serious implications for a firm.

3. Firms with more than one office

Again, if you have more than one office, beware. I have recently seen an example of a fraud perpetrated on a firm by fraudsters intercepting email communication sent within the firm from one office to another. In this example, an email was sent from a solicitor in one branch office to their cashroom based in their head office with a CHAPS payment document attached. The fraudsters intercepted the email and altered the bank details in the attached document, resulting in the firm’s cashroom acting on the altered details and authorising the transfer of client funds out of the client account to the fraudsters’ account.

Awareness of these issues is probably higher than it has ever been, but it is critical that staff are reminded regularly of the threats posed by these fraudsters. I would also add that making clients aware, through letters of engagement, email footers and in general discussion is also an advisable course of action.