Fraud alerts - 2015

Warning over 'Domain Slamming' fraud - 3 December 2015

A recent bulletin from CIFAS (Credit Industry Fraud Avoidance Service) has warned of scams involving 'domain slamming' which they describe as an 'attempt by third parties to obtain money by pressurising individuals or companies into paying for domain name renewals or similarly named domains.'

This is something which could be targeted at law firms.

You can read the full CIFAS bulletin for details and potential proventative measures.

 

'UK data control' scam - 1 December 2015

We have been made aware that at least one Scottish firm has been receiving scam letters from a company called 'UK Data Control' who claim to be based in Hamburg. 

In one case, the letter and accompanying form ask for the Law Society’s VAT number, but in the small print it explains there will be a £800 annual charge for adding you to their system.  An internet search of this company shows that it is a scam.

Solicitors and firms are reminded to be on the lookout for suspicious letters or emails seeking payment or the transfer of money and to report these where necessary.

Information for firms following increased fraud activity - 16 November 2015

The following is important information about protecting your business from fraudsters who continue to target the solicitor profession and its transactions.

Currently, there is a concerted campaign by criminals to dupe solicitors in to acting on fake bank transfer instructions.

Typically, these instructions are provided in emails which appear to be genuine emails from clients or other solicitors or colleagues – but which are in fact very cleverly designed emails from criminals. These criminals have the ability to monitor email correspondence and have the expertise to be able to create email instructions which are capable of convincing most recipients they are genuine. In some cases, the email will appear to come from an email address identical to the genuine address.

Preventing your firm falling victim to this type of fraud calls for:

• Bank transfer instructions to be subject to careful scrutiny and, potentially, a process of verification.
• All colleagues to be fully alert to the risks and the appropriate risk controls.

In order to help firms, advice and information is provided by the Law Society and by Marsh in a series of risk alert emails, tweets and on our Frauds and Scams page. Additionally there is a regular risk management column in our Journal magazine.


As a minimum, risk controls need to address the following points:

• Whenever a client or another firm or a supplier provides bank account details/instructions for the first time (or changes any details/instructions), it’s essential that these are verified.
• If bank details/transfer instructions have been supplied by email, when contacting the client or solicitor or supplier to verify the information, be sure to do this by a different form of communication, e.g. by telephone. This minimises the risk that a fraudster who has provided a fraudulent payment instruction is also in a position to provide false validation by intercepting your email request for confirmation.
• If bank account details need to be sent by email, if possible send them by encrypted message with a password.
• If in any doubt do not proceed with a transfer of funds until you have established, reliably, that the communication and funds transfer instructions are genuine.

Risk awareness by all colleagues (both fee earners and support staff) is critical to preventing your firm falling victim to this type of fraud. Please ensure all colleagues are made aware of risk alerts from the Law Society and Marsh and warnings and guidance from banks and other sources.

Additionally we urge firms to consider making the free online awareness training available from Marsh, aimed at Scottish solicitors, mandatory for all your staff. The training takes just one hour and can be completed online which means individuals can complete the training at a time to suit them and your business. The training counts as verifiable CPD for solicitors. Further information about the training is available in Marsh’s October bulletin.

Information on who to report fraud and cyber crime to is available on our Fraud and Scams page, where you and your colleagues can also sign up to our fraud alert emails.

Urgent fraud alert following unprecedented levels of scam activity - 7 October 2015

Fraud attempts against law firms are at unprecedented level.

We would urge all firms to review our recent fraud alerts and make sure that all relevant personnel and clients are aware of them.

Bogus Bank Calls & emails

Please revisit previous fraud alerts on the following fraud methods:

  • Bogus calls from Banks
  • Bogus emails purporting to be from senior people within the firm – attempting to instruct fraudulent accounts transfers
  • Bogus firm emails being sent to genuine clients of the firm advising them that the firm has a new bank account and instructing them to send payments to that accounts which is controlled by the fraudster

Malware

In addition, there is currently a heightened risk of malware attacks against firm systems to enable the processing of fraudulent payments from client and firm accounts.

Please review our alert of March 2014 “Cyber fraud and scam emails” for sources of guidance on how firms can protect themselves against these risks. Your IT supplier should also be able to assist. 

Please ensure that all staff are aware of the risks posed by suspicious emails and do not click on any links on such emails as this may infect your systems with malware.

Invoice Redirection Fraud

The Royal Bank of Scotland have also reported seeing an increase in fraud against the legal sector, specifically highlighting the risk of invoice redirection fraud.

In this fraud, the firm will be contacted by a fraudster pretending to be a genuine supplier or client and will request that the bank account details held for that suppler or client are to be changed.  If this change is made, payments intended for the genuine supplier or client will be redirected to an account controlled by the fraudster.

The Royal Bank of Scotland have provided an information sheet which contains advice on how to prevent the fraud.

Cyber security funding for your business

If you are interested in improving the cyber security of your company then you can apply for up to £5,000 of Government funding, through Innovate UK, which is only available until the 20th of October 2015.

If your business has under 250 employees and has a turnover of less that £50 million then you are eligible to apply for funding.

View more information on the funding

 

Bogus banks calls targeting firms - 1 October 2015

A number of Scottish firms have today reported that they have been contacted by phone by a male person claiming to be from the 'Fraud Department' of their bank.

These calls appeared to be bogus.

Cashroom Managers are reminded to ensure that all relevant staff are made aware of this threat and how to minimise risks.

Attempted frauds on client accounts - September 2015

Recent attempted frauds on client accounts have involved the cashroom receiving emails, apparently from the most senior person in the firm, enquiring into how to initiate a bank transfer.

A second email instructs a transfer to a bank account in Leicester (London personal address noted) and follow up emails are received pushing for the transfer to be processed promptly. The emails still appear to come from the most senior person in the firm but some come from a gmail account.

In a separate case, a bank has made a firm aware of attempts to initiate a large transfer and to set up a standing order on the strength of mandates/instructions containing forged solicitor signatures.
Cheque books and statements have also been diverted to a London PO Box following the forging of the solicitor’s signature on a request.

Please make cashroom teams and solicitors aware of these attempted frauds. Transfer requests should be fully checked and verified. Firms should also pay particular attention to monitoring of transaction activity and ensuring that thorough bank reconciliations take place in good time. Firms should also ensure that any delay in receiving bank statements is followed up with the bank as soon as possible.

Police Scotland have confirmed that all of these issues should be reported to the Police Scotland Economic Crime Unit and through the Action Fraud website.

False bank account details

We’ve also been made aware of a scam where members of the public have received emails claiming to be from solicitors, providing false bank account details.

Clients who have instructed a genuine firm of solicitors, often during the purchase of a new property, have received emails claiming to be from their genuine firm of solicitors reporting that the firm's bank account details have recently changed. The fraudulent emails, sent from a very similar email address to that of the genuine solicitor, ask the recipient to pay into the new bank account, often the deposit or completion payment for the purchase of their new home.

We have updated our scam alerts page for members of the public and are advising they contact their solicitor to verify their firm’s bank account details if they have unexpectedly received new details

If you have any questions, please do not hesitate to contact the Society's financial compliance team.

Bogus banks calls targeting firms - September 2015

We have been made aware of  'bogus bank calls' currently being received with the following features:

  • Caller claims to be from the Fraud Dept of the bank (this may not be the bank you are with)
  • Caller suggests that he is following up on two problem transactions through the account earlier in the day
  • If advised that you are not with the bank mentioned, the caller confirms that he meant to advise that the payments were going out to that bank and he actually works for your bank
  • Caller will invite staff to provide their name

Cashroom Managers are reminded to ensure that all relevant staff are made aware of this threat and how to minimise risks.

Bogus banks calls - April 2015

Bogus bank calls

We have been made aware of a number of recent 'bogus bank calls' which coincides with the release of a further warning from the SRA to solicitors in England & Wales.

Cashroom Managers are reminded to ensure that all relevant staff are made aware of this threat and how to minimise risks.

Funds transfer instructions received by email

Marsh have recently issued a risk alert regarding funds transfers instructions received by email. 

The alert from Marsh states “we have been made aware of thefts and attempted thefts of client funds and firm’s own money where, believing them to be genuine, law firms have acted on an email providing bank details or payment instructions for funds transfers”.