Over the last six months we have heard of seven legal practices losing client money through fraud, with more than £2.4 million of office and client money stolen.
Four of the frauds were as a result of social engineering - the act of tricking people into divulging personal or financial information, which can then be used to access their bank accounts or accounting software. The people carrying out these frauds are very clever, professional fraudsters, and they do their homework on practices and their staff.
Vishing is the term used to describe scenarios where a fraudster calls a practice (often on a Friday afternoon) claiming to be from their bank, credit card provider or the police and tells them that there is a problem. They then ask them to provide or confirm confidential information in order to solve the problem.
Several of the major banks have put together recordings of calls from fraudsters, based on real-life transcripts, and they are incredibly convincing. At no point in these calls do the fraudsters ask anyone to confirm their bank details (they already hold them), nor any login details, passwords or secret words; the aim is to talk the victim into moving the money themselves. In some cases they also use software to disguise their voices and to change the telephone number that appears on the caller display, so that the call appears to come from the bank's genuine number.
Malware is the term used for software designed to gain unauthorised access to computers and other connected devices, where it then disrupts normal operation, collects sensitive information or spies on the user.
Two of the frauds that we have heard about resulted from fraudsters gaining remote access to the practices' accounting software, and then processing hidden transfers out of client account to accounts overseas. We do not know for certain, but it is believed that access was obtained via some kind of Trojan (remote-access malware), possibly installed on their systems when someone opened an email attachment from an unknown source.
The final fraud resulted from an intercepted email, where a fraudster managed to gain access to the client’s email account, and then sent an email to the practice instructing funds to be transferred to a different account.
We have recently heard that fraudsters are getting better at accessing lawyers’ work email accounts and sending internal emails with fraudulent account details, so don’t take anything at face value.
WHY ARE SOLICITORS BEING TARGETED?
Legal practices are prime targets for fraud, as they often hold substantial amounts of client money, and high value transactions tend to be the norm, particularly for practices that deal with conveyancing and probate matters. Also, it is not uncommon for clients to live or be based a long way away from their solicitor, and as a result, more and more correspondence is sent via email.
Transactions are often time critical, meaning that there can be increased pressure on accounts staff to process payments and transfers quickly. Fraudsters know this, and know what to say to make you think that your account will be locked or frozen unless you do as they say.
WHAT HAPPENS IF YOU FALL VICTIM TO A FRAUD LIKE THIS?
The Law Society has recently published a new Practice Note, “Protecting your firm if you fall victim to a scam”, which explains the regulatory and legal requirements that apply in this situation. Practices are advised to contact their bank, the police, the SRA and their insurer as soon as possible, and may also need to inform their clients too.
Rule 7.2 of the SRA Accounts Rules requires any missing client money to be replaced promptly, from the partner/member/director's own resources if necessary, regardless of whether a claim is subsequently made on the firm's insurance or the Compensation Fund. If the client account shortage continues, the SRA may deem the practice to have committed serious regulatory breaches.
Whilst there is a shortfall, the SRA is unlikely to permit practices to operate their client account as normal, because any withdrawal will be a breach of the Accounts Rules – by paying some clients their full entitlement, the amount left for other clients reduces. Also, until the missing money is replaced practices should not take money for costs from client account.
From an insurance point of view, our understanding is that theft of client money will in some cases be covered by a practice’s professional indemnity policy, on the grounds that a client will have suffered financial loss. However, the impact on a practice’s future insurance premiums could be significant.
Any theft of office money would probably not be covered by the PII policy, but may be covered by the practice’s office insurance, if they have fidelity cover in place.
Other potential implications include the impact on the practice’s reputation, the amount of time spent investigating and rectifying the fraud, and the impact on staff morale.
WHAT CAN YOU DO TO PROTECT YOURSELF?
First of all, banks will never email or call you to ask you to confirm your login details, and they will never ask you to transfer money to a different account. If you do receive a call like this, hang up straightaway and contact your bank on the number printed on your card or statement, not a number the caller gives you. Make sure that you use a different phone to call your bank (ideally use your mobile phone), as fraudsters are able to keep a telephone line open even after you hang up. If you are unable to do this, wait for at least five minutes before you make the call, and call someone else (whose voice you recognise) first to confirm that the line is clear.
To help protect against malware you should ensure that your anti-virus software is up to date and switched on. Don't be tempted to disable it to speed up your computer systems, and be wary of opening attachments or links in emails you were not expecting.
Finally, whenever you receive an email from a client or from someone within the practice with new account details, make sure that you verify that the email did in fact come from them before acting on it. Do this by speaking to the person directly, using a telephone number you already hold for them rather than one quoted in the email, because a fraudster who has taken over the genuine account controls everything sent from it, including any reply you send.
Much more information and advice on all of this is available at www.getsafeonline.org
Get Safe Online is a public and private sector partnership, supported by the UK Government and leading organisations in banking, retail, internet security and other sectors, such as Barclays Bank, Lloyds Bank, Tesco, Camelot and the Charity Commission. Their website includes tips and advice on protecting both yourself and your practice, including:
- Protecting your computer and other hardware
- Smartphones and tablets
- Online safety and security
- Shopping, banking and payments
- Safeguarding children
- Social networking
- Information security
Also, the SRA has created a dedicated “Scam Alert” section on its website, warning about people who call themselves solicitors but are not.