Fraud alert - intercepted emails to divert payments
As the Scottish legal profession concentrates efforts on protecting themselves, their colleagues, clients and businesses from the unprecedented challenges presented by the coronavirus pandemic, fraudsters are making the most of the disruption.
Perhaps now, more than ever, we need to be on our guard against scams and fraudulent attacks.
As the professional body for Scottish solicitors, we have become privy to a number of email interception frauds in recent weeks. These have included cases involving significant sums, in which the fraudsters managed to hack the client’s email account to identify when to target parties to transactions and divert payments.
These criminals are opportunistic and often sophisticated, but there are measures you can take to protect yourself and your clients.
What legal firms can do
- Never act on an emailed instruction to change a client's bank account without seeking further verification of that instruction – call the client or speak to them face-to-face (Government restrictions permitting)
- Consider introducing systems and controls regarding payments to bank accounts
- Advise clients that if they subsequently change their payment instructions, your firm will not make any payment until instructions have been verified by alternative means
- Make your staff aware of the threats, raising the issue repeatedly to keep them alert to the risks
What legal firms can do to help clients protect themselves
- Ask the client to call your office to confirm the firm's bank account details if they receive any communication which requests a payment
- Provide the details of the firm's bank account in your letter of engagement/terms of business
- Include within your letter of engagement/terms of business, a notice to clients stating that the firm's bank account details will not change during a transaction; that the firm will not change bank details via email; and that clients should check details in person if in any doubt. Also include this notice as a footer to all firm emails.
- Don’t deviate from this practice – you are more likely to be held liable if something goes wrong and you have done something you said you wouldn't do.
- Keep discussing this issue with your clients to ensure that they are alive to the threats and that they know what to expect from your firm.
You can find further information on how to protect yourself against the threats of cyber crime in our Guide to Cybersecurity.