Fraud alerts - 2015
Information for firms following increased fraud activity - 16 November 2015
The following is important information about protecting your business from fraudsters who continue to target the solicitor profession and its transactions.
Currently, there is a concerted campaign by criminals to dupe solicitors in to acting on fake bank transfer instructions.
Typically, these instructions are provided in emails which appear to be genuine emails from clients or other solicitors or colleagues – but which are in fact very cleverly designed emails from criminals. These criminals have the ability to monitor email correspondence and have the expertise to be able to create email instructions which are capable of convincing most recipients they are genuine. In some cases, the email will appear to come from an email address identical to the genuine address.
Preventing your firm falling victim to this type of fraud calls for:
• Bank transfer instructions to be subject to careful scrutiny and, potentially, a process of verification.
• All colleagues to be fully alert to the risks and the appropriate risk controls.
In order to help firms, advice and information is provided by the Law Society and by Marsh in a series of risk alert emails, tweets and on our Frauds and Scams page. Additionally there is a regular risk management column in our Journal magazine.
As a minimum, risk controls need to address the following points:
• Whenever a client or another firm or a supplier provides bank account details/instructions for the first time (or changes any details/instructions), it’s essential that these are verified.
• If bank details/transfer instructions have been supplied by email, when contacting the client or solicitor or supplier to verify the information, be sure to do this by a different form of communication, e.g. by telephone. This minimises the risk that a fraudster who has provided a fraudulent payment instruction is also in a position to provide false validation by intercepting your email request for confirmation.
• If bank account details need to be sent by email, if possible send them by encrypted message with a password.
• If in any doubt do not proceed with a transfer of funds until you have established, reliably, that the communication and funds transfer instructions are genuine.
Risk awareness by all colleagues (both fee earners and support staff) is critical to preventing your firm falling victim to this type of fraud. Please ensure all colleagues are made aware of risk alerts from the Law Society and Marsh and warnings and guidance from banks and other sources.
Additionally we urge firms to consider making the free online awareness training available from Marsh, aimed at Scottish solicitors, mandatory for all your staff. The training takes just one hour and can be completed online which means individuals can complete the training at a time to suit them and your business. The training counts as verifiable CPD for solicitors. Further information about the training is available in Marsh’s October bulletin.
Information on who to report fraud and cyber crime to is available on our Fraud and Scams page, where you and your colleagues can also sign up to our fraud alert emails.