Lockton revisits the topic of client account fraud with some advice and accounts of real cases reported under the Master Policy

What is the best single weapon a solicitor can deploy in the war against the fraudsters determined to steal your clients’ money and leave you carrying the can?

Answer: the telephone. While it would be lovely to roll out a new and dynamic risk management tool to the profession, any one of the payment frauds intimated to the Master Policy during this time of COVID – and indeed in the years before – could have been averted by judicious use of the good old telephone.

No comfort

Take, for example, the following situation.

The firm had acted for commercial clients for many years, who although based in Jersey had long been active in the Scottish property market, buying up rather dilapidated commercial properties, doing them up and selling them on. So receipt of instructions to act in the sale of a warehouse unit with yard and access road was no surprise.

The transaction proceeded uneventfully and was heading quietly towards settlement when the world blew up in March 2020. Like office staff all over the country and the world, the firm’s team were dispatched with laptops and mobiles, and set up the virtual operation with hardly a blink.

With settlement just days away, an email was received from the clients. COVID-related challenges to the business model had impacted on cash flow, and the proceeds from the sale could not now be used as had been intended for further projects. So could the funds please instead be paid into the following account?

Nothing about the email caused the firm any concern. There was nothing unusual in the language, the email address appeared correct, and the instructions made sense. The cashier, though, had read all about fraud risks in the papers, so she wasn’t going to take any chances. She emailed the partner responsible for the client to check that she was content for the payment to be made as instructed. On receipt of confirmation, again by email, she transferred the sale proceeds – a little over £500,000 – to the account instructed.

Unfortunately, the fraudsters who had sent the original email requesting payment of funds to a new account were also able to intercept the cashier’s email to the partner. So the comforting confirmation received from the responsible partner had in fact come straight from the fraudsters – with the result that the funds were paid not to the clients, but into the fraudsters’ bank account.

There was no answer at all to the clients’ subsequent claim against the firm alleging, rightly, that they had paid away client funds without instructions to do so.

Attorney sale hack

In another case, the nephew of an elderly client, acting under a power of attorney, instructed the firm in the sale of his uncle’s house. The firm had acted for the elderly gentleman for many years, and had details of his bank account on file.

It was not, though, considered unreasonable or unexpected when his nephew asked if the sale proceeds could instead be paid into his own account. Uncle’s only bank account, he reminded the firm, was an old-fashioned deposit account, and it would be much easier to exercise his obligations under the power of attorney if he had easy access to the funds.

So it was no surprise when, a few days later, an email was received from the nephew with details of the account into which the proceeds should be paid. When the transaction settled, the free proceeds were paid into the account purporting to belong to the nephew, and the firm considered the transaction concluded.

It was therefore something of a shock when the nephew contacted the firm a few days later. Following the sale, he was keen to move uncle’s money into an income-generating fund to provide for his expenses. When could he expect receipt of the proceeds?

Following initial panic, a full investigation ensued, and it was discovered that a member of staff’s emails had been hacked. Fraudsters had then been able to intervene at will, and the email providing details of the destination bank account had not come from the nephew. Again, there was no answer to the claim then pursued against the firm for reimbursement of the client’s funds which had been paid away without proper authority or instructions.

Executry sting

Fraudsters are constantly on the lookout for opportunities to steal client funds. And those opportunities don’t only arise in conveyancing situations.

As a small private client practice in rural southern Scotland, the firm did not consider itself particularly attractive to high-end fraudsters, nor then especially vulnerable to the sort of problems the senior partner had heard about at Law Society of Scotland events.

The first few weeks following the announcement of the national lockdown had been hard going. The firm was a traditional one, and the move to laptops and kitchen tables had not been easy for partners or staff. But as spring moved towards summer, the senior partner felt that the worst was behind him. Everyone was working away quite well, and things seemed to be going relatively smoothly, barring the occasional wi-fi-related emergency.

Client matters, though, were proceeding generally unaffected. In particular, the executry paralegal was working away at his home, and finishing up the administration of the fairly small estate of a local gentleman who had died the summer before. Knowing the case, and in fact having known the gentleman, the cashier was not especially surprised to receive an email from her colleague instructing her to make a payment out of the executry account, and providing payment details. She was, though, surprised to see that the amount she was told to pay exceeded the balance available.

In ordinary times, the cashier would have taken the opportunity to step away from her desk, wander up from the cashroom, and have a word with her colleague. But these were not ordinary times, so email had to suffice. She fired a quick note to her colleague: “insufficient funds for payment – please advise”.

On receipt of a response – “just pay the whole balance, same account details please” – she proceeded to make the payment as instructed. And thought no more about it.

It was several weeks before the executry paralegal next worked on the case. Checking his email sent box for his correspondence on the case, he was surprised to see an exchange of emails to and from the cashroom. He had no recollection of instructing the payment, and on looking at it carefully it made no sense in the administration of the estate. He immediately raised the alarm.

Following investigation, it was discovered that the email account had been accessed and manipulated. The instruction to make the payment had been made by a fraudster, who had then also received and replied to the cashier’s query. Here again, client funds were paid away on the strength of fraudulent instructions, and without proper authority.

Rules for safety

So what can we learn from these sorry tales?

  • Always treat email instructions with a degree of suspicion.
  • Any concerns regarding the veracity of an email need to be taken seriously and acted on.
  • Checking is better than not checking. Always.
  • But checking by email into instructions received by email is worthless. If the instructions were fraudulent, the response might well be intercepted too, and no comfort can be taken from any confirmation received.
  • A phone call to a client or a colleague to check their instructions takes minutes and could save hundreds of thousands of pounds.
  • Every member of your staff should be aware that bank account details provided in an email should never be relied on without further (non-email) verification.
  • All staff should receive regular training regarding the risk of payment fraud, how it is perpetrated and how it can be avoided.
  • Have strong procedures and protocols in place regarding the checking and authorisation of any payments to be made from the client account (or indeed the firm’s own account). Dual signoff for larger amounts is always wise.
  • Make sure that clients understand that the bank details provided to you are fixed. Email instructions regarding changes to the account details will not be acted on.
  • Clients fall foul of fraudsters too. Make sure they know that you will not contact them by email to advise a change of your bank details.
  • If you do fall victim to fraudsters like the firms in these examples, this should be reported under the Master Policy as a matter of urgency. The quicker Master Policy insurers are made aware of matters, the more likely that some of the funds might be recovered.

 

The Author

Matthew Thomson is a client executive in the Master Policy team at Lockton. He deals with all aspects of client service and risk management for solicitor firms in Scotland.
