At this busy seasonal time, Lockton wishes to advise the profession of the continuing existence of payment fraud.
This is a busy time for many lawyers as they seek to finish off client work before enjoying a well-earned Christmas break. But when solicitors are multi-tasking and working hard to get matters completed, they’re also more likely to let their guard down and potentially get caught by a scammer.
Also, over the winter months, with the plummeting temperatures outside and the rail strikes making commutes impossible, many solicitors and law firm staff might be back to working from home. This could potentially increase the risk of fraud and other types of cyber events.
There have been some high-value payment frauds reported to Lockton in the last few weeks and we would urge you to remind all your colleagues to treat any request to change client bank account details with extreme caution.
It is important to note that law firms that fall victim to payment fraud range from sole practitioners to large multi-national firms, so the whole profession needs to be vigilant. The consequences are serious for both firm and client, and for firms there is the reputational damage to consider as well as the financial loss. Most of these types of claims can be very easily avoided through a simple check, yet we continue to see matters arising.
In these cases, a fraudster will typically send an email to a law firm purporting to be one of their legitimate clients. The email will include an instruction to change the client's bank account details to those of an account that ultimately benefits the criminals.
There is a very simple way to prevent the fraudsters from stealing clients’ money: use a telephone. The payment frauds intimated to the Master Policy over the last few months – and indeed in the years before – could all have been averted by judicious use of the good old telephone.
- Have a firm-wide policy: any email correspondence containing bank details should be assumed to be fraudulent, unless verified by telephone.
- Any concerns regarding the veracity of an email need to be taken seriously and acted on.
- Checking is better than not checking. Always.
- But using email to check instructions received by email is worthless. If the instructions were fraudulent, the response might well be intercepted too, and no comfort can be taken from any confirmation received.
- A phone call to a client or a colleague to check their instructions takes minutes and could save hundreds of thousands of pounds.
- Every member of your staff should be aware that bank account details provided in an email should never be relied on without further (non-email) verification.
- All staff should receive regular training regarding the risk of payment fraud, how it is perpetrated and how it can be avoided.
- Have strong procedures and protocols in place regarding the checking and authorisation of any payments to be made from the client account (or indeed the firm’s own account). Dual signoff for larger amounts is always wise.
- Make sure that clients understand that the bank details provided to you are fixed and that email instructions regarding changes to the account details will not be acted on.
- Clients fall foul of fraudsters too. Make sure they know that you will not contact them by email to advise a change of your bank details.
- If you do fall victim to fraudsters like the firms in these examples, this should be reported under the Master Policy as a matter of urgency. The quicker Master Policy insurers are made aware of matters, the more likely that some of the funds might be recovered.
- Ensure that any move to remote working does not result in any deviation from payment policies.
The lead insurer works very closely with the banks and financial institutions in relation to these issues. Many transactions of this nature have been intercepted. However, it can be difficult to recover funds once they have left the country, so prompt reporting is critical.
Please don’t hesitate to contact Matthew Thomson at firstname.lastname@example.org or Kenneth Law at email@example.com if you wish to discuss this or any other risk management issue.