Recent warnings and risk management guidance about "Friday afternoon scams", issued by Master Policy co-insurer, Zurich, to solicitors in England & Wales, are equally relevant in Scotland.
Readers will be aware of the banking scam which has been affecting solicitors in recent months, whereby fraudsters contact firms impersonating staff from banks and attempt to elicit information to enable them to steal money from firms’ client accounts.
This scam is not going away. It has been estimated that this so-called “Friday afternoon scam” (so called because Friday afternoon, being completion time for many conveyancing transactions, is the most common time to attempt it) has cost firms and their insurers in excess of £5,000,000 in the past three months alone.
A firm acted for Mr & Mrs X in the sale of a property in Essex. Completion was to take place on 27 January 2015. The balance of the proceeds of sale (a little under £100,000) was to be sent to Mr & Mrs X’s bank account in the usual manner. Throughout the transaction, the solicitor had been communicating with Mr & Mrs X by email; the firm’s terms and conditions stated that email was the preferred option for correspondence and the provision of an email address by the client was confirmation that the client was happy for the firm to communicate with them by email.
As part of the client care/due diligence exercise, Mr & Mrs X provided bank statements for the bank into which the completion monies were to be paid. However, two days before completion the firm received an email from Mr & Mrs X providing new bank account details (account number, sort code and account name), and requesting that the completion monies be paid into this account instead. This was duly done.
It transpired that Mr & Mrs X’s email account had been hacked and cloned by fraudsters, and it was the fraudsters who had sent the email with the new bank account details. The firm telephoned and left a voicemail for Mr & Mrs X confirming that completion had taken place and the monies had been transferred to them. Shortly afterwards, Mr X telephoned to say that he had not received the monies. When informed of the email with the new account details, Mr X said that he had not sent this email and knew nothing about it. The firm contacted the bank into which it had paid the monies. The bank confirmed that the account in question was not in the name of Mr & Mrs X but had only been opened a few days previously in the name of a limited company based in South London. The monies had been withdrawn from that account immediately on receipt.
It is anticipated that the bank will defend any claim for return of the monies on the basis that it only has a responsibility to check the sort code and account number for payments being received, and not also that the name of the account is correct.
This is a very sophisticated fraud and it is currently unclear how and why the email account was targeted. Was it just luck that the fraudsters came across someone who was shortly to receive a large amount of money from a conveyancing transaction into their account? Was it the firm’s IT system which was targeted? We do not yet know, but investigations are continuing.
It is particularly worrying that, not only did the fraudsters seem to be able to intercept incoming and outgoing email correspondence, but they were also able to emulate the language used by Mr & Mrs X to convince the firm that the emails were from them. Readers will be aware that a large number of email scams emanate from overseas, but there is usually an obvious language barrier which, for anyone with a reasonably healthy suspicion of such matters, is easy to detect. It is particularly unfortunate that the solicitor at the firm spoke on the telephone to Mr X just after receipt of the email with the new bank account details, but did not mention it. Had she done so, this fraud would likely have been stopped in its tracks. However, hindsight is of course a wonderful thing.
What should you do if your client provides new bank account details part way through a transaction? As these types of fraud are on the increase, this should raise an immediate red flag. You should call and speak to your client (preferably on a landline telephone number) and request an explanation for the need for the change. As demonstrated by the above, if emails can be intercepted, so can letters, faxes and other forms of written communication (even write-protected electronic documents can be hacked and altered), so you should also request and obtain evidence that the new account details are genuine.
One option would be to ask for original bank statements for the new account which you can copy and retain on the file once inspected. Alternatively, check with the bank itself to make sure that the account details are correct (in particular, check that the account name is correct and matches what you have been told). Some banks will be reluctant to provide this information without the client’s consent, but will usually confirm if the account name you have told them does not match what they have on their system.
Risk management tip – do you encrypt emails to clients?
You should seriously consider encrypting all electronic client communications. Certainly, any emails which include any sensitive personal information (and definitely any which include your firm’s or your client’s bank account details) already ought to be encrypted according to guidance from the Information Commissioner’s Office.
Alternatively, if facilities and resources exist, consider the possibility of setting up a secure online portal within which to conduct electronic communications with clients. This will dramatically reduce the risks of your firm suffering these types of fraud.
Cyber security risks
Solicitors will no doubt be aware of the increasing prominence of cyber security for the legal profession. With the proliferation of fraudsters sending out emails impersonating law firms, phishing, vishing, and the so-called Friday afternoon scam, it has become clear that the legal profession is seen as a particularly attractive target for these types of scams.
In respect of the Friday afternoon scam, it appears that the firms which have been targeted (both successfully and unsuccessfully) have had their banking sign-in credentials phished by malware installed on the firms’ computers. This has enabled the fraudsters to log in to firms’ accounts and obtain details of genuine transactions in order to gain the confidence of those they speak to when they call the firm.
Risk management tip – check for malware
You should ask those who deal with your firm’s IT to check regularly for the presence of malware on your firm’s computers and, once the computers have been checked and any malware removed, change your banking password and other details. Even if you have not yet been targeted, the fraudsters may already be in possession of your details.
About the author
Michael Blüthner Speight is a solicitor and risk manager for professional and financial lines at Zurich Insurance plc. Prior to joining Zurich, he was a partner at national law firm BLM LLP, specialising in defendant professional negligence, with a particular emphasis on defending claims against solicitors and other legal professionals.
The material does not establish, report or create the standard of care for solicitors nor does it represent a complete analysis of the topics presented or constitute legal advice. It is intended to highlight issues which may be of interest to our customers. Readers should conduct their own appropriate research on how to act in any particular case.
Zurich Insurance plc is incorporated in Ireland, registration no. 13460. UK branch registered in England & Wales, registration no. BR7985; head office: The Zurich Centre, 3000 Parkway, Whiteley, Fareham, Hampshire PO15 7JZ.
Zurich Insurance plc is authorised by the Central Bank of Ireland and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the FCA are available on request, and can be checked on the FCA’s Financial Services Register via www.fca.org.uk or t: 0800 111 6768 (firm reference number 203093).