
Payment fraud: take five

17 October 16

Following the latest financial fraud statistics, a reminder of practical risk management points aimed at preventing payment instruction frauds, forming part of a campaign to combat online fraud

by Nada Jardaneh

Between January and June this year, a financial fraud incident happened somewhere in the UK every 15 seconds, a 53% increase compared to the same period last year.

These startling statistics were released last month (20 September 2016) by Financial Fraud Action UK (FFA UK), the organisation responsible for leading the collective fight against fraud in the UK payments industry, as a national campaign led by FFA UK was launched to combat financial fraud. The campaign – “Take Five” – gives advice aimed at preventing financial fraud. The five tips it promotes include two that will be familiar to regular readers of this column:

  1. Never disclose security details, such as your PIN or full banking password.
  2. Don’t assume an email, text or phone call is authentic.

Solicitors are applying these measures to good effect. However, the profession continues to be targeted by criminals attempting to perpetrate payment instruction fraud, and the latest statistics suggest that it may be timely to “take five” for a refresher on payment instruction dos and don’ts.

Payment instruction frauds typically involve a fraudulent instruction being received by email to remit funds to a fraudster’s bank account. Given the risks of such fraud, Marsh has produced a series of Journal articles on this topic this year (see panel). All of these have provided practical measures aimed at minimising the risk of falling victim to a payment instruction fraud.

Email subterfuge

Fraudulent payment instruction emails and their timing are designed to be utterly convincing, so as to cause recipients to assume the emails are genuine. If acted on, fraudsters can succeed in eliciting payment into bank accounts in their names or under their control. Their timing may be such that the funds have been transferred and withdrawn before the banks and police have been alerted to put a stop on the transfer or withdrawal.

Most fraudulent payment instruction emails share two features:

  • the emails are worded so as to mimic the language, layout and “look and feel” of a genuine email;
  • they are perfectly timed so as to be received at a point when payment instructions were awaited/expected by the solicitor (or at least not unexpected).

Risk management points

  • Do not assume email is secure.
  • Do not assume that payment instructions received by email are genuine.
  • Proceed on the assumption that such emails are not genuine unless and until satisfactorily verified.
  • Consider using encrypted emails for bank details and payment instructions.

Verifying payment instructions

To the extent that providing payment instructions by email cannot be avoided, the client’s instruction needs to be verified by some means other than email.

A telephone call to the client is one practical method of verifying the instruction, provided one is satisfied that the conversation is with the client. An incoming call may not provide verification, as there have been instances of fraudsters calling, masquerading as the client, to confirm the terms of payment instruction emails which they (the criminals) have just sent.

In a recent case, the fraudulent email followed an earlier verified genuine instruction from the client. The client had instructed the full amount of the funds to be transferred to Bank A. A subsequent fraudulent email asked that part of the funds be transferred to Bank A with the balance to Bank B. Because the fraudulent email repeated, in part, the earlier verified instruction, the solicitor viewed the subsequent email as genuine and acted on it. If the solicitor had “taken five” and applied the guidance about payment instructions received by email, the fraud might have been thwarted.

Risk management points

  • Always verify payment instructions received by email – no exceptions.
  • If verifying by telephone, make sure that this is reliable verification.

Other approaches

Some solicitors have adopted a practice of eliciting their clients’ payment instructions and bank account details at the outset and hard-coding them into the terms of engagement. As well as providing a record of these instructions, this should serve to alert the client that any (change of) instructions by email will require their solicitors to take steps to verify to their satisfaction the authenticity of the new instruction, which may result in a delay. Some solicitors have adopted the approach that any late change from earlier verified instructions will result either in delay in the client receiving the funds, or payment by cheque.

Risk management points

  • Consider getting payment instructions at the outset of the engagement.
  • Consider hard-coding payment instructions into the terms of engagement.
  • Warn clients that changing payment instructions later (by email) will inevitably delay payment, as the new instruction will need to be verified to the firm’s satisfaction.
  • Warn clients of payment instruction fraud risks.
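The two rules above (verify every emailed instruction by a call the firm itself places, and treat any departure from the instructions recorded at engagement as unverified) can be expressed as a simple gate in a firm’s payment workflow. The following is an added illustration, not code from Marsh or the Journal; the account numbers, amounts and the `Instruction`/`assess` names are constructed for the example, and the split-payment case is the one described under “Verifying payment instructions”.

```python
"""Gate for outgoing client payments: release only what matches the instruction
verified at engagement, or a deviation re-verified by an outbound call."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    sort_code: str
    account_no: str

@dataclass
class Instruction:
    channel: str                        # "engagement_terms" or "email"
    payouts: Dict[Account, int]         # beneficiary -> amount in pence
    verification: Optional[str] = None  # "outbound_call", "inbound_call" or None

RELEASE, HOLD = "release", "hold"

def assess(verified: Instruction, new: Instruction) -> Tuple[str, List[str]]:
    """Compare a newly received instruction with the verified one, beneficiary by
    beneficiary. Returns the decision and the reasons for a hold (empty on release)."""
    reasons: List[str] = []
    for acct, amount in new.payouts.items():
        if acct not in verified.payouts:
            reasons.append(f"new beneficiary {acct.sort_code} {acct.account_no}")
        elif verified.payouts[acct] != amount:
            reasons.append(f"amount changed for account {acct.account_no}")
    for acct in verified.payouts:
        if acct not in new.payouts:
            reasons.append(f"verified beneficiary {acct.account_no} dropped")
    if not reasons:
        return RELEASE, reasons          # identical to the verified instruction
    # A deviation only clears if the firm itself rang the client on the number
    # held on file; a call coming in "from the client" proves nothing.
    if new.verification == "outbound_call":
        return RELEASE, []
    if new.verification == "inbound_call":
        reasons.append("inbound call claiming to be the client is not verification")
    else:
        reasons.append("no out-of-band verification recorded")
    return HOLD, reasons

# Constructed sample data mirroring the case in the article: the whole sum was
# verified to Bank A; a later email keeps part for Bank A and sends the rest to Bank B.
BANK_A = Account("12-34-56", "00000001")
BANK_B = Account("65-43-21", "00000002")
VERIFIED = Instruction("engagement_terms", {BANK_A: 250_000_00})
SPLIT_EMAIL = Instruction("email", {BANK_A: 150_000_00, BANK_B: 100_000_00})

if __name__ == "__main__":
    print(assess(VERIFIED, SPLIT_EMAIL))
```

Note that the split email keeps the total unchanged, so a check on the total alone would have passed it; the per-beneficiary comparison is what puts it on hold.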

Clients remitting funds to solicitors

Payment instruction fraud targets clients too. There have been cases of clients being tricked by fraudulent payment instruction emails into remitting to criminals’ bank accounts funds destined for their solicitors.

Some firms are including reference in their terms of engagement to the arrangements for clients remitting funds by direct transfer and warnings about the risk of payment instruction fraud. If this approach is adopted, the terms of engagement typically include details of the client bank account and a statement to the effect that clients should not act on any email received, purporting to be from the firm, advising of a change to those account details.

For completeness, some firms have chosen to include a brief explanation of payment instruction fraud together with a warning to be alert to these fraud risks.

Fraud response plan

Point 5 of FFA UK’s Take Five, “Stay in control – don’t panic and make a decision you’ll regret”, is very sound advice. In the worst case scenario, if a firm does fall victim to a payment instruction fraud, actioning the firm’s fraud response plan needs to be immediate. Time is of the essence.

It may be possible to have payments stopped, but only if the bank and other parties are alerted immediately. In the most recent instances of fraud reported to the Master Policy insurers, swift action has resulted in the banks being successful in stopping or retrieving the funds. The Marsh website for Scottish solicitors includes an outline fraud response plan designed to capture contact details and to assign responsibilities for the firm’s prioritised action plan.

Assessing and addressing the risks

Awareness is key to reducing the risk of falling victim to payment instruction frauds. Ensure that colleagues have read risk alerts on the subject (whether produced by the banks or by Marsh/the Society), and any risk management Journal articles.

A number of free tools and e-learning, available on the Marsh website (www.marsh.co.uk/login/lawscot), can assist with both assessing the risks and implementing or adapting the firm’s risk controls. Some of these are noted below. Please contact nada.jardaneh@marsh.com if you require a reminder of your firm’s username or password.

E-learning resources

  • Self-assessment checklist in the Frauds and Scams section of the website
  • Marsh e-learning module “Frauds and scams – increasing awareness”
  • Cyber Risk Management Action Plan
  • Cyber Risks Insurance Gap Analysis

Nada Jardaneh and Marsh

Nada Jardaneh is a former solicitor in private practice, who works in the FINPRO (Financial and Professional Risks) National Practice at Marsh, a global leader in insurance broking and risk management.

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.

Journal articles on payment instruction fraud

Risk review 2015, risk forecast 2016 (January 2016, 44)
Fraud: A battle of wits (February 2016, 44)
Fraud: raising your game (March 2016, 44)
Payment frauds: the fight goes on (June 2016, 44)
