Perhaps now, more than ever, the Scottish legal profession needs to be on its guard against scams and fraudulent attacks.
As our collective efforts are concentrated on recovering from the effects of the pandemic, fraudsters are making the most of the distraction.
As the professional body for Scottish solicitors, we have become privy to a recent attempt to intercept communications between a firm and its client. The email was sent to the client claiming to be from their solicitor and requesting a transfer of funds to a Barclays account. Fortunately the client contacted the firm to verify the instructions and the firm were able to confirm that the email was indeed fraudulent.
A further email was sent to a number of the firm's clients, purporting to be from the firm and asking the recipient to click on a link to verify documents.
These criminals are opportunistic and often sophisticated, but there are measures you can take to protect yourself and your clients.
What legal firms can do to help clients protect themselves
- Advise your clients of your ways of working, processes and means of communication so they can more easily and quickly identify fraudulent emails
- Ask the client to call your office to confirm the firm's bank account details if they receive any communication which requests a payment
- Provide the details of the firm's bank account in your letter of engagement/terms of business
- Include within your letter of engagement/terms of business, a notice to clients stating that the firm's bank account details will not change during a transaction; that the firm will not change bank details via email; and that clients should check details in person if in any doubt. Also include this notice as a footer to all firm emails
- Don’t deviate from this practice – you are more likely to be held liable if something goes wrong and you have done something you said you wouldn't do
- Keep discussing this issue with your clients to ensure that they are alive to the threats and that they know what to expect from your firm.
What legal firms can do
- Never act on an emailed instruction to change a client's bank account without seeking further verification of that instruction – call the client or speak to them face-to-face (Government restrictions permitting)
- Consider introducing systems and controls regarding payments to bank accounts
- Advise clients that if they subsequently change their payment instructions, your firm will not make any payment until instructions have been verified by alternative means
- Make your staff aware of the threats, raising the issue repeatedly to keep them alert to the risks
You can find further information on how to protect yourself against the threats of cyber crime in our Guide to Cybersecurity.