Risk: Client account fraud – an ongoing issue
As solicitors are aware, the “client account” is the bank account of a law firm that is used for holding client funds. Any money received for clients, and any money coming from clients (unless in payment of a fee note which has been rendered) must be paid into the client account.
The role that solicitors play in client transactions, and the fact that solicitors often have control over substantial sums of client money, makes the profession an attractive target for fraudulent activities. Some of the fraudsters involved in these scams are opportunists, but many of them are well organised criminals using very sophisticated hacking techniques. The capabilities of some of these fraudsters are considerable, enabling them to engage in “social engineering” and to devise tricks that defeat barriers and risk controls.
In this regard, there have been a number of client account frauds reported to Lockton in the last few months and we urge you to remind all your colleagues to treat any email containing bank account details with extreme caution.
It is important to note that law firms that fall victim to payment fraud range from sole practitioners to large multinational firms, so the whole profession needs to be vigilant. The consequences are serious for both firm and client; and for firms, there is the reputational damage to consider as well as the financial loss. Most of these types of claims can be very easily avoided through a simple check, yet we continue to see matters arising.
Regular readers of the Journal will recall that Lockton has written about this subject previously, and the advice that the telephone is the best single weapon a solicitor can deploy in the war against the fraudsters (Journal, January 2021, 44) is worth restating. The payment frauds that have been intimated as Master Policy circumstances over the last few months – and indeed in the years before – could all have been averted by judicious use of the telephone.
The typical scenario
In many of these cases, a fraudster will send an email to a law firm purporting to be one of their legitimate clients. The email will often include an instruction to change the client bank account details, to bank account details that will ultimately benefit the criminals. The fraudsters will usually time the email well, ensuring that it aligns with the run-up to the completion of a transaction. As transactions often complete on a Friday, these frauds are often referred to as “Friday afternoon frauds”. But they can happen at any time.
The email instruction might refer to a payment due to the solicitor’s client representing the free proceeds of sale, as these attacks are common in property transactions. However, any transaction might be targeted, including payments to beneficiaries from trusts or executries.
Sophisticated email hacking techniques
Increasingly these frauds are targeting individuals. We have seen cases where there is nothing about the fraudulent emails that would have caused the firm any concern. Criminals can now mimic the language used by clients, which means that, in some cases, there is nothing unusual or inconsistent in the language that is used. The emails themselves can also be sent directly from the hacked email account. As such, the email address is often correct, the instructions make sense, and the email is completely convincing. In other words, there might be no way to distinguish between a fraudulent email and a genuine email.
Therefore, in all cases where a bank account is provided over email, effective steps need to be taken to verify with the client, by means other than email, that the details are genuine. Face to face is obviously ideal but, at the very least, picking up the phone and verifying email instructions with a known individual is an essential safeguard.
Bank account details on file
We have also seen cases where the bank account details do not actually change and it is the initial email that provided the bank details that was fraudulent.
In these circumstances, there is the risk that law firm staff use the bank account details that are stored on the file, assuming that their colleagues will have already verified the details when they were obtained. However, unless the account verification has also been recorded on the file, these bank details should never be relied on.
As outlined above, where a party asks to change their bank account details, that is an obvious red flag. However, it is never safe to assume that any email containing bank details is genuine, regardless of when those bank details are received during a matter.
Where the client or third party initially provides their bank account details/instructions, it is always essential that these are verified either by telephone or in person. A contemporaneous note should be made of this verification and recorded on the file.
Telephone calls from “the bank”
As well as email fraud, criminals will sometimes telephone solicitors, masquerading as a member of the bank’s fraud investigation team.
It is important that firms remind their staff never to give any security credentials over the phone. The banks will never ask them to disclose security credentials and any request should not be answered.
Please also note that fraudsters can remain on the line, even when the telephone has been put down. If staff are calling the bank back, they should do so from a different telephone and a different line and they should use the telephone number they usually use to call the bank (rather than any number that might have been provided by the fraudster).
Always report early
If you do fall victim to fraudsters, this should be reported under the Master Policy as a matter of urgency. RSA, the lead insurer, works closely with the banks and financial institutions in relation to these issues. Many transactions of this nature have been intercepted. In some cases, RSA can take immediate steps towards recovery – this can sometimes involve a disclosure order and an arrestment of funds. However, it can be extremely difficult to recover funds once they have been dissipated or have left the country, so prompt reporting is critical. The quicker Master Policy insurers are made aware of matters, the more likely that some of the funds might be recovered.
Steps to prevent client account fraud
Some tips:
- Have a firm-wide policy: any email correspondence containing bank details should be assumed to be fraudulent, unless verified by telephone.
- Any concerns regarding the veracity of an email need to be taken seriously and acted on.
- Checking is better than not checking. Always.
- But using email to check instructions received by email is worthless. If the instructions were fraudulent, the response might well be intercepted too, and no comfort can be taken from any confirmation received.
- A phone call to a client to check their instructions takes minutes and could save hundreds of thousands of pounds.
- When contacting a client to verify bank details, practitioners should use the phone number that was originally provided by the client (i.e. don’t use a phone number that might have come from a potentially fraudulent email).
- Every member of your staff should be aware that bank account details provided in an email should never be relied on without further (non-email) verification.
- All staff should receive regular training regarding the risk of payment fraud, how it is perpetrated and how it can be avoided.
- Have strong procedures and protocols in place regarding the checking and authorisation of any payments to be made from the client account (or indeed the firm’s own account). Dual signoff for larger amounts is always wise.
- Make sure that clients understand that the bank details provided to you are fixed and that email instructions regarding changes to the account details will not be acted on.
- Clients fall foul of fraudsters too. Make sure they know that you will not contact them by email to advise a change of your bank details.
- Ensure that any move to remote working does not result in any deviation from payment policies.
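The controls in the list above can be enforced by the system that releases client-account payments rather than left to individual memory. What follows is an added illustration, not code from the article or from Lockton, of how a practice management system might hold a payment whose bank details have no recorded out-of-band verification, whose telephone check used a number other than the one held on file, or whose amount exceeds a dual sign-off threshold. Every name, telephone number, sort code, date, threshold and scenario in it is constructed for the example.

```python
"""Added illustration (not part of the Lockton article): how a practice
management system might enforce the article's controls before a payment
leaves the client account. Every name, number, sort code, threshold and
scenario below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

EMAIL, PHONE, IN_PERSON = "email", "phone", "in_person"
# Only these channels count as independent of email for verification.
OUT_OF_BAND = {PHONE, IN_PERSON}
# Constructed figure: the amount at or above which two approvers are required.
DUAL_SIGNOFF_THRESHOLD = 50_000


@dataclass
class Contact:
    name: str
    # Number recorded at the start of the matter, never one taken from a later email.
    phone_on_file: str


@dataclass
class Verification:
    channel: str                  # how the details were confirmed
    number_called: Optional[str]  # the number dialled, if confirmed by phone
    verified_by: str              # staff member who made the check
    when: datetime
    note: str                     # the contemporaneous file note


@dataclass
class BankDetails:
    sort_code: str
    account_number: str
    received_via: str             # how the details arrived (email, letter, ...)
    verification: Optional[Verification] = None


@dataclass
class Payment:
    payee: Contact
    details: BankDetails
    amount: float
    approvers: list = field(default_factory=list)


def verification_problems(payee: Contact, details: BankDetails) -> list:
    """Return the reasons these bank details may not be relied on (empty if none).

    Details are unusable until an out-of-band verification is recorded on the
    file; a phone check must have used the number on file, not one supplied in
    the email, and must carry a contemporaneous note."""
    v = details.verification
    if v is None:
        return ["bank details have no recorded verification"]
    problems = []
    if v.channel not in OUT_OF_BAND:
        problems.append(f"verification by {v.channel} is not independent of email")
    if v.channel == PHONE and v.number_called != payee.phone_on_file:
        problems.append("verification call did not use the number on file")
    if not v.note.strip():
        problems.append("no contemporaneous note of the verification")
    return problems


def authorise(payment: Payment) -> list:
    """Return every reason the payment must be held; an empty list means it may proceed."""
    problems = verification_problems(payment.payee, payment.details)
    if payment.amount >= DUAL_SIGNOFF_THRESHOLD and len(set(payment.approvers)) < 2:
        problems.append("dual sign-off required for this amount")
    return problems


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the article; each maps to the problems found."""
    client = Contact("A. Client (constructed)", "0131 000 0000")
    when = datetime(2023, 3, 3, 15, 30)  # constructed: a Friday afternoon

    def details(verification=None):
        return BankDetails("00-00-00", "00000000", EMAIL, verification)

    by_email = Verification(EMAIL, None, "fee earner", when, "client replied to our email")
    wrong_number = Verification(PHONE, "07000 000000", "fee earner", when,
                                "called the number given in the change-of-details email")
    proper = Verification(PHONE, client.phone_on_file, "fee earner", when,
                          "called client on the number held from onboarding; details confirmed")
    return {
        # Bank details that arrived by email and were never checked.
        "unverified_email_details": authorise(Payment(client, details(), 250_000, ["A", "B"])),
        # "Confirmation" obtained by replying within the same email thread.
        "email_confirmation": authorise(Payment(client, details(by_email), 250_000, ["A", "B"])),
        # Phone check, but to a number supplied in the suspect email.
        "called_number_from_email": authorise(Payment(client, details(wrong_number), 250_000, ["A", "B"])),
        # Properly verified, but only one approver on a large payment.
        "single_approver_large": authorise(Payment(client, details(proper), 250_000, ["A"])),
        # Properly verified with dual sign-off: the only case allowed to proceed.
        "verified_dual_signoff": authorise(Payment(client, details(proper), 250_000, ["A", "B"])),
    }


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(f"{name}: {'PROCEED' if not problems else 'HOLD - ' + '; '.join(problems)}")
```

The design point is that the verification record travels with the bank details on the file, so a colleague picking the matter up later cannot rely on details whose check was never written down, and an email reply or a call to a number taken from the email is rejected as a verification channel just as the article advises.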