When never means NEVER
Not again, I hear you say. Give it a rest. Don’t you have anything else to write about?
Of course, we do, but in these articles, we try to bring to you what is topical in the world of risk management and address areas which are pertinent to Master Policy claims. I am very sad to say that payment instruction fraud is currently very much on our radar, so I make no apologies for bringing it into focus again. It may only be seven months since our last Journal article on the topic, four months since our last fraud bulletin and a month since our article on fraud in a global pandemic, but the subject bears repetition.
Another reason why I am writing yet another article on this subject is that these are some of the most avoidable types of claim we see under the Master Policy, yet we continue to see a regular flow of matters arising.
And to make matters worse, the COVID-19 global crisis will bring the fraudsters out in force, using the pandemic as a route to perpetrate yet another ingenious fraud. This could, for example, take the shape of bogus emails on the topic of the virus, perhaps purporting to be from official sources, which will be the fraudsters’ route in either to install malware or to gain access to information on transactions.
Solicitors’ firms as targets
You know why you’re being targeted – you’re the trusted recipient of all sorts of confidential data and, most importantly, you hold large amounts of client money. You’re in the firing line and you need to be aware of that every day and do all you can to protect yourself, your firm and your clients.
Traditionally, it has been conveyancing transactions which have been the target for these frauds, but we are seeing this broaden out into other areas like executry matters and commercial share sales.
Whilst we are not in danger of payment fraud claims overtaking residential conveyancing as the number one source of claims against the profession any time soon, that is no reason not to take these issues very seriously.
Firms should prioritise this risk, even if they have never been targeted. Don’t put your head in the sand: this isn’t going away. I speak to firms that have fallen victim to these scams and they are sick to their stomach when they realise they have been duped. The recent examples and advice here relate to client account payments which were made on the basis of email instructions. You should, however, also continue to be aware that telephone scams are still going on, and that your clients may also be targeted by these fraudsters.
Fraudsters rely on people to help their scams succeed. This is social engineering at a very sophisticated level, well planned and resourced.
Recent experience
At the time of writing, two separate frauds have been reported to us in as many weeks, each with its own alarming characteristics.
The first was a firm acting for a client in the sale of a property. The client lived some distance away and all correspondence on the matter was carried out over email. When the firm emailed the client with details of the proceeds of the sale and a request for bank details, an email came straight back providing those details. There was no indication that the email containing the bank details was anything other than genuine. There were none of the usual telltale signs like an amended domain name or bad grammar or spelling mistakes. Based on this email the firm then paid over the proceeds of the sale to the bank account detailed. It wasn’t until they’d sent an email with a receipted fee note that the client contacted them to say that they had not received funds. Nor had they received the initial email requesting bank details, and of course had not sent an email advising said bank details.
A six-figure sum was paid away to fraudsters with little or no hope of recovery.
The second case was a more unusual one in that it involved fraudsters sending emails from within a solicitor’s email account directly to the cashroom, requesting payments to be made. It concerned the payment of residue from a late client’s estate and it was uncovered when the solicitor spotted emails in her email account which she herself had not sent.
The case reference given in the email to the cashroom was correct and the wording was such that it could easily have been genuine. However, it was not; the instruction was actioned and money was paid into the fraudster’s account. The amount was not as large in this case, but the firm was equally distressed at having fallen victim to these frauds.
How to avoid falling victim
What actions can firms take to avoid falling for these sophisticated frauds?
As far as client account payment fraud is concerned, I can answer that in a single sentence:
NEVER ACCEPT NOR ACT ON BANK ACCOUNT DETAILS PROVIDED OVER UNENCRYPTED EMAIL
Fraudsters rely on the fact that you will act on these hoax emails, but if you don’t and you insist on further verification that does not involve email, then you will thwart their attempts to get their hands on your client account funds. You might also introduce other procedures which do some or all of the following:
- Always take the client’s bank details from the client in person or by telephone at the time of initial instructions – you can then use that information as verification should you receive email correspondence with bank details in the future.
- Always call or meet with the client to verify that the bank details they have advised over email are in fact correct. At the moment that meeting may be a video call, but that would still work. This verification could be for either an initial notice of bank details or a change in bank details during a transaction. If telephoning the client, do so from a secure line and using a trusted telephone number.
- For internal payment instructions, make use of encrypted email or “off-network” systems for such instructions.
- Ensure that all staff in the firm are aware of these issues and trained in how to spot potential frauds. Ideally, you would update and refresh this training regularly.
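The verification procedure in the points above can be expressed as a simple payment-release control. The following is an added example written for this article, not code from the Journal or from any firm or insurer: bank details are captured at initial instruction over a trusted channel and held on file, and any details that arrive by unencrypted email are only acted on if they match the file or have been confirmed by a call-back to the telephone number already on file (never a number quoted in the email). The matter references, account details and telephone numbers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Channels over which bank details may be accepted without further checks.
# Unencrypted email is deliberately absent from this set.
TRUSTED_CHANNELS = frozenset({"in_person", "telephone", "encrypted_email"})


@dataclass(frozen=True)
class BankDetails:
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class ClientRecord:
    matter_ref: str
    trusted_phone: str        # taken at initial instruction, never from a later email
    bank_details: BankDetails
    captured_via: str         # channel the details were captured through


@dataclass(frozen=True)
class PaymentRequest:
    matter_ref: str
    amount: float
    bank_details: BankDetails
    source_channel: str                       # "email", "in_person", "telephone", ...
    number_in_message: Optional[str] = None   # phone number quoted in the email, if any


@dataclass(frozen=True)
class Decision:
    release: bool
    reason: str


class ClientFile:
    """Bank details on file, captured at the time of initial instructions."""

    def __init__(self) -> None:
        self._records: Dict[str, ClientRecord] = {}

    def record_instruction(self, rec: ClientRecord) -> None:
        if rec.captured_via not in TRUSTED_CHANNELS:
            raise ValueError(f"details must be captured over a trusted channel, not {rec.captured_via!r}")
        self._records[rec.matter_ref] = rec

    def lookup(self, matter_ref: str) -> Optional[ClientRecord]:
        return self._records.get(matter_ref)


def assess_payment(client_file: ClientFile, req: PaymentRequest,
                   callback_confirmed_on: Optional[str] = None) -> Decision:
    """Decide whether the cashroom may release funds to the requested account.

    callback_confirmed_on is the number the fee earner actually dialled and on
    which the client confirmed the details; None if no call-back was made.
    """
    rec = client_file.lookup(req.matter_ref)
    if rec is None:
        return Decision(False, "no bank details captured at initial instruction for this matter")

    if req.source_channel in TRUSTED_CHANNELS:
        return Decision(True, f"details received over trusted channel {req.source_channel!r}")

    if req.source_channel != "email":
        return Decision(False, f"unrecognised channel {req.source_channel!r}")

    # Everything below concerns bank details that arrived by unencrypted email.
    if req.bank_details == rec.bank_details:
        return Decision(True, "emailed details match those captured at instruction")

    if callback_confirmed_on is None:
        return Decision(False, "emailed details differ from file; verify by call-back before paying")

    if callback_confirmed_on != rec.trusted_phone:
        # A number quoted in the email itself may belong to the fraudster.
        return Decision(False, f"call-back made to {callback_confirmed_on!r}, which is not the number on file")

    return Decision(True, "change of details confirmed by call-back to the trusted number on file")


def demo() -> Dict[str, bool]:
    """Run the control over constructed sample requests and return each outcome."""
    client_file = ClientFile()
    on_file = BankDetails("12-34-56", "11111111")   # constructed sample
    client_file.record_instruction(ClientRecord("SALE/0001", "0131 000 0000", on_file, "in_person"))

    new_details = BankDetails("65-43-21", "99999999")   # constructed: differs from file
    emailed_change = PaymentRequest("SALE/0001", 250000.0, new_details, "email",
                                    number_in_message="07700 900000")

    return {
        "email_matches_file": assess_payment(
            client_file, PaymentRequest("SALE/0001", 250000.0, on_file, "email")).release,
        "email_change_no_callback": assess_payment(client_file, emailed_change).release,
        "email_change_callback_to_number_in_email": assess_payment(
            client_file, emailed_change, callback_confirmed_on=emailed_change.number_in_message).release,
        "email_change_callback_to_file_number": assess_payment(
            client_file, emailed_change, callback_confirmed_on="0131 000 0000").release,
        "unknown_matter": assess_payment(
            client_file, PaymentRequest("EXEC/0002", 1000.0, on_file, "email")).release,
    }


if __name__ == "__main__":
    for name, released in demo().items():
        print(f"{name}: {'release' if released else 'HOLD'}")
```

The design point is that the email is never the source of truth: the details captured at instruction, and the telephone number captured alongside them, are what every later request is checked against, so a convincing email (as in the first case above) or a message sent from a genuine but compromised mailbox (as in the second) cannot on its own cause funds to be paid away.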
What insurance protection do I have?
Where a firm has paid away money from the client account other than on the explicit instruction of their client, the Master Policy professional indemnity cover will respond to that claim and will seek to do so quickly to allow you to conform with the rules around management of client funds. The firm will still be liable for the self-insured amount in respect of the claim, and of course the claim will count against their record and will have a potential impact on future PI premiums.
While the Master Policy will respond to client account fraud, if the fraudsters target a firm’s own bank account or assets, the Master Policy would not come into play. There are other insurances, like crime or cyber insurance, which would provide more appropriate protection for that situation. If you need advice on those covers, you should contact Lockton or your usual insurance broker for further advice.
In conclusion
There is much I could have included in this article on fraud – we haven’t mentioned in any detail “reverse frauds”, i.e. where your clients are the ones receiving fraudsters’ emails (purporting to be from your firm) inducing them to make payments to the incorrect bank account. Nor have we expanded on the telephone scams that still exist, where fraudsters pretend to be calling from your bank persuading you to move money to a new account or reveal your passwords and security information so that they can move it themselves.
We have highlighted the client account payment frauds because that is where we see the activity at the moment. As we have mentioned, they are also the easiest of these frauds to thwart: by refusing to act on emailed bank details, you frustrate fraudsters’ attempts to persuade you to pay away clients’ funds.
Frauds of this nature cause chaos and leave a trail of financial and reputational destruction in their wake, to say nothing of the emotional damage they wreak on those individuals involved.
I would implore all firms to take these potential risks seriously and to introduce controls in their firm. But if you do nothing else, please NEVER ACCEPT NOR ACT ON BANK ACCOUNT DETAILS PROVIDED OVER UNENCRYPTED EMAIL.