Fraud: raising your game
Risk management systems and procedures which might be adopted to minimise the risk of a payment made through direct funds transfer ending up in a fraudster’s bank account
In last month’s article, two scenarios were discussed where an email was sent to a firm purportedly from a client (but actually from a fraudster), providing or amending the client’s bank account details and instructing payment to that account. The bank account was in reality the fraudster’s account and unfortunately in each case payment was made into that account of the net free proceeds of sale of a property.
It was stressed in that article that:
- it should never be assumed that such an email is genuine; and
- verification of payment instructions from a client should always be sought and, if carried out by telephone, the call should be an outgoing call to the client rather than an incoming call from the client (who, in one of the scenarios, turned out to be the fraudster masquerading as the client).
It is apparent from these and other cases of email “spoofing” that some firms may have no, or insufficient, risk management controls in place to minimise the risk of becoming a victim of these frauds and scams or, if they do, that such controls may not be applied consistently across the firm.
For most, if not all, firms it will be impracticable to avoid or even perhaps minimise the use of direct funds transfers. Therefore, initial risk management controls might concentrate on avoiding or minimising the client’s use of email for transmitting bank details. At the outset of a transaction, firms might consider obtaining bank account details face to face from the client at a meeting when instructions are being taken. Those bank account details could then be recorded in the terms of engagement issued to the client, which would include a warning that if the client wishes to change these details, verification of the changed instruction would be required and that might take some days, resulting in possible delays.
Firms might also wish to consider reviewing their payment processes in general, and in particular their procedures for sign-off and validation of electronic payment instructions to the bank. In particular, firms might wish to consider:
- separating request, approval and processing of payments in order to ensure that there is segregation of responsibility within the firm for these functions;
- adopting effective payment controls: obtaining payment instructions and bank details at engagement has already been mentioned above. Firms might also review their sign-off procedures, for example, requiring second or even third signatures depending on the amount of the payment. It is important that such procedures should not be viewed as a “tick box” exercise, however, and the firm’s procedures should identify what information and documentation a second or third signatory should see before approving the relevant payment;
- using payment request/cashroom forms which not only have to be physically signed by the relevant fee earner but also require a point by point confirmation that the firm’s procedures have been followed;
- ensuring that all colleagues are aware of the firm’s procedures;
- implementing an audit process to check adherence to the firm’s procedures.
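The controls listed above (bank details fixed at engagement, out-of-band verification of any change, segregation of request, approval and processing, and second or third signatures by amount) can be expressed as checks a cashroom system runs before a payment is released. The following is an added illustration written for this page, not code from the article or from any firm or product it mentions; the signature thresholds, field names and the `verified_by_outgoing_call` flag are assumptions, and the sample requests at the bottom are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Sign-off thresholds are assumed for illustration; a firm sets its own.
SECOND_SIGNATURE_ABOVE = 10_000
THIRD_SIGNATURE_ABOVE = 100_000


@dataclass
class BankDetails:
    sort_code: str
    account: str


@dataclass
class PaymentRequest:
    requester: str                     # fee earner raising the request
    amount: float
    payee_details: BankDetails         # details on the request being actioned
    details_at_engagement: BankDetails # details recorded in the terms of engagement
    # Hypothetical flag: set only after the firm has made an OUTGOING call to the
    # client on a number held on file and confirmed the change. Never set on the
    # strength of an email or an incoming call.
    verified_by_outgoing_call: bool = False
    approvers: List[str] = field(default_factory=list)


def required_signatures(amount: float) -> int:
    """Number of approval signatures required for a payment of this size."""
    if amount > THIRD_SIGNATURE_ABOVE:
        return 3
    if amount > SECOND_SIGNATURE_ABOVE:
        return 2
    return 1


def bank_details_changed(req: PaymentRequest) -> bool:
    """True if the payee details differ from those captured at engagement."""
    return req.payee_details != req.details_at_engagement


def check_request(req: PaymentRequest, processor: str) -> List[str]:
    """Return the list of control failures; an empty list means the cashroom may process."""
    failures = []

    # Control 1: any change from the engagement record needs out-of-band verification.
    if bank_details_changed(req) and not req.verified_by_outgoing_call:
        failures.append(
            "payee bank details differ from the engagement record and "
            "have not been verified by an outgoing call to the client"
        )

    # Control 2: segregation of duties across request, approval and processing.
    people = [req.requester] + req.approvers + [processor]
    if len(set(people)) != len(people):
        failures.append(
            "request, approval and processing must be carried out by different people"
        )

    # Control 3: number of signatures scales with the amount.
    need = required_signatures(req.amount)
    if len(req.approvers) < need:
        failures.append(
            f"{need} approval signature(s) required for {req.amount:,.2f}, "
            f"have {len(req.approvers)}"
        )
    return failures


if __name__ == "__main__":
    # Constructed sample: a net proceeds payment where the client emailed new details.
    engaged = BankDetails("12-34-56", "12345678")
    emailed = BankDetails("99-88-77", "00001111")
    req = PaymentRequest("fee_earner", 250_000.0, emailed, engaged, approvers=["partner_a"])
    for f in check_request(req, processor="cashier"):
        print("BLOCKED:", f)
```

Run as a script it prints two blocked reasons for the constructed request: the emailed details have not been verified by an outgoing call, and a payment of that size needs three signatures rather than one. The point of keeping the checks as separate, named failures is that the second or third signatory sees exactly which control is unsatisfied rather than a single pass/fail box to tick.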
Validation and verification
Often firms will give out their own bank details to clients so the clients can make payment by bank transfer, for example to put firms in funds to settle a property purchase. Cases have arisen where these details have been sent to clients by email but a fraudster has intercepted the email and substituted details of the fraudster’s own bank account. To mitigate the risk that clients of the firm might make payments to a fraudster rather than the firm, firms could consider adopting the following procedures:
- as with client bank details, hard code the firm’s bank details into the engagement documentation;
- provide bank details on a secure part of the firm’s website via a secure portal;
- if the firm’s bank details have to be communicated to the client by email, make sure that the email is encrypted.
Advise clients (by means other than email) that if the firm’s bank details are given or changed by email, they need to validate or verify the information given in the email by speaking to the relevant fee earner. As in the case of verification of clients’ bank account details and payment instructions mentioned earlier, this should be done by way of an outgoing call to the fee earner and not by accepting an incoming call from the fee earner or someone else purporting to be calling from the firm.
Clients should be given an explanation of the reason why these validation and verification procedures are required, so that they do not take the view that they need not bother with procedures that they might see as unduly bureaucratic or unnecessary.
Cases have arisen where partners have given instructions by email to the cashroom for transfer of firm money to a bank account, details of which are set out in the email. On enquiry, and sometimes quite by chance, it has been discovered that the email was fake, having been sent purportedly by a partner but actually by a fraudster using the partner’s email address, the firm’s email stationery and language identical to that which the partner would have used.
As with external emails, never assume that such an email is genuine. Obtain validation or verification of all internal payment instructions given by email from the relevant partner or colleague, either by telephone or in person. Consider adopting payment controls requiring a second or even third sign-off (depending on the amount) before the payment is actioned.
Similar risk management controls to those mentioned above should be considered for electronic payments made to suppliers and where new suppliers are engaged.
Russell Lang and Marsh
Russell Lang is a former solicitor in private practice, who works in the Finpro (Financial and Professional Risks) National Practice at Marsh, a global leader in insurance broking and risk management.
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Conduct Authority.