Fraud alert – email interception
What’s the scam?
We have been alerted to fraudsters intercepting emails between a solicitor and their clients in an attempt to scam clients out of significant funds.
The fraud being attempted is highly sophisticated, with fraudsters monitoring, intercepting and controlling the emails that the solicitor and its clients received from each other.
The emails claiming to be from the solicitor asked the clients to transfer funds to a bogus bank account in order to complete the purchase of a property.
In communicating with the clients, the fraudsters replicated the look of a staff member’s emails exactly, using the same font, colours and logos. They included the firm’s correct office telephone numbers, as well as its cyber crime email footer advising clients to verify its bank account details in person or by telephone. The email address used by the fraudsters looked exactly the same as the staff member’s, except for an additional letter added to the name of the firm.
What should I do?
These criminals are opportunistic and sophisticated, but there are measures solicitors and clients can take to protect themselves.
What legal firms can do to help clients protect themselves
- Ask the client to call your office to confirm the firm's bank account details if they receive any communication which requests a payment.
- Provide the details of the firm's bank account in your letter of engagement/terms of business.
- Include within your letter of engagement/terms of business, a notice to clients stating that the firm's bank account details will not change during a transaction; that the firm will not change bank details via email; and that clients should check details in person if in any doubt. Also include this notice as a footer to all firm emails.
- Don’t deviate from this practice – you are more likely to be held liable if something goes wrong and you have done something you said you wouldn't do.
- Keep discussing this issue with your clients to ensure that they are alive to the threats and that they know what to expect from your firm.
What legal firms can do
- Never act on an emailed instruction to change a client's bank account without seeking further verification of that instruction – call the client or speak to them face-to-face (Government restrictions permitting).
- Consider introducing systems and controls regarding payments to bank accounts.
- Advise clients that if they subsequently change their payment instructions, your firm will not make any payment until instructions have been verified by alternative means.
- Make your staff aware of the threats, raising the issue repeatedly to keep them alert to the risks.
You can find further information on how to protect yourself against the threats of cyber crime in our Guide to Cybersecurity.
Where a fraud is suspected or has taken place, it should be reported directly to Police Scotland. Find out more about reporting online crime in Scotland here.