Practical tips to protect your firm from scams
Scams and cyberthreats have become a fact of life across all economic sectors and for individuals. Solicitors and their clients are no exception. Firms are being targeted with bogus phone calls and emails by scammers attempting to steal money from client accounts or steal confidential data. Firms of all sizes are vulnerable.
Apart from theft of data, the greatest risk to law firms is the theft of monies. Criminals try to persuade parties to a transaction (including property-purchaser clients) that the recipient's account details have changed.
Recent telephone scams have concerned impersonation of:
- bank officials, regarding the security of client accounts
- beneficiaries with instructions for change of receiving-bank details for expected payments, for example, in relation to conveyancing or pension payments, and
- fraudsters informing a solicitor that one of their clients is a beneficiary of a substantial legacy and asking for fees, taxes or bank details in advance of sending more information or releasing the funds
Listed below are some non-exhaustive, common-sense measures that partners and employees in your firm can adopt to avoid or minimise the risk of successful attacks by fraudsters. They cover both reducing the risk of human error and technical safeguards.
Everyone in your firm needs to be aware of the techniques used by criminals, and that fraudsters adapt their strategies, so advice on prevention can quickly become out of date. You should ensure that everyone in your firm keeps their risk awareness under review and up to date.
- If you find or suspect that your firm has been the victim of a scam, you should engage with the following organisations without delay in order to limit the damage and bring about the best possible result in rectifying it:
- Your bank - contact your bank immediately if you suspect there has been an unauthorised or suspicious withdrawal from your client account. Delays in contacting the bank could lead to further loss of funds from the client account and reduce the opportunities to make recoveries. Ask your bank's relationship manager and its fraud department to help you contain the losses, secure and protect the account and records, and assist where possible in recovery of funds taken through criminal activity. While each bank may react differently and according to the individual circumstances, your bank can be expected immediately to freeze the client account to prevent further losses. The bank can also be expected to contact the receiving bank without delay to attempt to recover lost money, if the fraudsters have not yet taken it out from the receiving bank account.
- The police - you must inform the police straight away that your client account has been compromised. To report the incident and to receive a police crime reference number, contact Action Fraud at the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040, or via the business section of its website.
- Professional indemnity insurer - you must inform your insurer under the terms of your PII policy of any claims or circumstances that may give rise to a claim. Loss sustained to the client account triggers a claim under your PII policy. When notifying insurers of the claim, you should also consider your duty of client confidentiality. Client confidentiality and legal privilege can only be waived with the express consent of the client. As a precaution, in order to expedite a claim in the event of being scammed, consider adding to your terms of engagement wording to the effect that, if the firm has to make a notification under the terms of its professional indemnity policy, information about the client and your file may be seen by your insurers. Your files may, therefore, be seen by an assessor or another person unconnected with the firm in the future, unless the client has notified you that it does not agree to this.
- The SRA - you must inform the SRA promptly on 0121 329 6827 or email at firstname.lastname@example.org. The SRA will work closely with you to safeguard your client's interests. Funds stolen from the client account will amount to a breach of the SRA Accounts Rules 2011 because the rules impose absolute liability regardless of personal fault. If you are a compliance officer for legal practice (COLP) or compliance officer for finance and administration (COFA), you have additional reporting duties. These are set out in rule 8.5 of the SRA Authorisation Rules for Legal Services Bodies and Licensable Bodies 2011.
- Informing affected clients - please refer to our practice note (below).
- Further information can be found in our practice note on protecting your firm if you fall victim to a scam.
Handling client money: verifying bank account details
- Ensure you provide your client account banking details to clients in a secure manner at the outset of a transaction. Consider providing client account details at a face-to-face meeting with the client or by letter (not by email).
- Alternatively, or in addition, consider providing this information at the time the client receives your client care information, perhaps on a stand-alone document warning clients to be aware of and alert to scams.
- Make clear to clients that your firm will not be changing its bank account details during the course of the transaction. As a contingency, clarify with the client the verification process that you will carry out if unforeseen circumstances make changing the bank account necessary.
- Consider including a phrase at the end of the email signature block of all members of staff along the lines of 'Please be aware that we do not notify changes to important business information, such as bank account details, by email'.
- Inform clients that if they receive any communications suggesting that the firm's bank account details have changed, they should contact the firm via the number on the firm's website or headed notepaper.
- Ask the client whether they intend to change their bank account details at any point during the transaction and discuss the checks you will both make to verify whether an instruction to change the account is genuine. For example, consider using security questions to which only the client would know the answer.
- Treat any instructions to change bank account or payment details with utmost caution, regardless of how much information the person asking for the change may know about you or a particular transaction, and confirm the instructions by telephone or ideally in person. Consider asking for original bank statements for the new account which you can copy and retain on the file once inspected.
- Consider requiring written (as opposed to email) authority for payments to reduce the chances of fraud.
- Remember that banks are not obliged to check the name of an account when they receive electronic instructions for payment - only the account number and sort code - so check these carefully yourself before accepting or giving new instructions for payment.
- Faster Payments is a payment mechanism which enables payments (or batches of payments) of up to £250,000 to be processed instantly, 24 hours a day, seven days a week. Criminals have used this facility to move monies stolen in a successful scam out of the receiving account immediately and forward them to a third bank. This makes it more difficult for banks to freeze an account in time and to call back the stolen money. It is vitally important that you are sure the recipient is genuine, particularly if you are paying someone for the first time or if the account details have changed since you last paid that person.
- If you use Faster Payments to send large-value payments as part of your business, it's a good idea to contact your bank or building society directly for further information, as most types of accounts have a daily limit on the total amount you can send in a single day.
- Beware of 'invoice fraud', where a criminal obtains details of a firm's suppliers (eg IT suppliers) and emails the finance department purportedly as the supplier asking for invoice remittances to be sent to a new bank.
Monitoring your firm's bank accounts
- Check the firm's bank statements regularly for any transactions that you do not recognise.
- Check your bank's policy for monitoring unusual activity on accounts.
- Consider highlighting in your client care letter that email is not a secure method of transmitting sensitive or personal data (and highlight to the client, perhaps at an initial meeting, the need to be aware of and alert to scams perpetrated by email sent to the client).
- Avoid conducting entire transactions via email. Where time allows, meet and speak or consider corresponding via letters.
- Where electronic communication is essential, encrypted emails offer a much greater level of security.
- Have an email security policy that is actively communicated to all staff and regularly reviewed.
- Emails containing or requesting sensitive information and in particular bank details should be treated with utmost caution. See our advice in the section Handling client money: verifying bank account details. Consider verifying by telephone to a number already held by the firm (ie one not contained within the email in question) any financially sensitive information given by email.
- Treat with utmost caution emails (or phone calls) from another solicitor in a property transaction which inform you of a change of a bank account, particularly if these are received just before you are due to send the proceeds from a sale.
- Be careful of clicking on any link in an email purporting to be from a bank, in case this triggers malware. If in doubt, type the bank's website address into your browser by hand.
- If you receive an email request purporting to be from a bank that is unexpected or unusual, contact the bank or building society by phone and ask to speak to your firm's regular contact at the bank.
- If the email looks as though it is from a client, bank, or even senior individual within the firm (so called 'CEO fraud'), is this exactly the same address from which you have received previous correspondence? Fraudsters often make a very slight change to the email address such as adding an extra letter or changing the email address from a '.co.uk' to a '.com' address.
- If the email looks suspicious, do not follow any links, open any attachments (as they may contain malware), or respond to the email. Trojans or other malware can be used to hold a firm to ransom or to harvest confidential data from the IT system. You may wish to contact your firm's IT service provider to check the authenticity of the email. If in doubt, call the sender on a trusted telephone number to verify that the email is genuine.
- Check the SRA's scam alert pages regularly - these list bogus emails being sent to firms.
- Recent telephone scams have concerned impersonation of:
- bank officials regarding the security of client accounts
- beneficiaries with instructions for change of receiving-bank details for expected payments, for example, in relation to conveyancing
- 'advisors' offering investments for pension monies, and
- fraudsters informing a solicitor that one of their clients is a beneficiary of a substantial legacy and asking for fees, taxes or bank details in advance of sending more information or releasing the funds
- As with emails, treat with utmost caution any unusual telephone calls purporting to be from a bank or related to your client account and online security. As with all sensitive data, do not give away any details relating to the firm, its employees and its clients.
- Be aware that scammers often try to induce a sense of urgency in their victims, trying to make them think that something bad will happen if action is not taken straight away.
- Be suspicious of any call purporting to be from a bank, the police, or any other official or company in a position of trust, telling you that something is wrong, that you need to transfer money, or asking for details of bank accounts, including PINs.
- Be aware that knowledge of recent genuine transactions on your account is not a guarantee that the person you are speaking to is actually from your bank. They may have acquired these details through criminal activity (eg hacking emails, malware/cyber theft or even from an insider within your firm).
- Never give out any authentication or account details (including usernames, passwords, or other details that can be used to log into networks or your bank accounts) over the phone (either verbally or by typing into your phone).
- The advice of the majority of banks is that banks will never call you to:
- ask for your bank security information such as your password
- withdraw or transfer your money from your account to a new account for safekeeping
- ask to undertake a transaction to protect money held by the firm from fraud
- There is no such thing as a 'safe' account into which your bank would transfer funds to protect your account - your bank would simply disable your account if it is being attacked.
- If you have a phone with a caller display, do not assume that the call is legitimate just because you recognise the number. Criminals abuse caller display technology, which allows callers to pass themselves off as, for example, a bank by displaying the bank's telephone number. The criminal may even ask you to check that the number showing on your telephone display matches the bona fide organisation's registered telephone number.
- Make sure you take additional steps to verify if you are at all uncertain. Even if you consider a call to be genuine, do not deal with the query there and then. Criminals also exploit telephony technology by keeping a line open for several minutes after you have terminated the call. They make it appear that the call has been disconnected but stay on the line, so that when you call back on what you believe is the genuine telephone number, you speak to one of the criminal gang.
- Take down the details of the call and caller. After you have hung up, wait five minutes to clear the line before calling them back (or contacting anyone else). To be doubly certain that the line has been cleared, you could call another number known to be genuine first, for example the speaking clock on 123. Ring back the alleged caller on a number which you have on file for them, or which you can verify independently.
- Alternatively, use a different phone line (not just a different extension) or a mobile phone to call them back on an independently verified number.
- If the caller requests payment(s) to be made using Faster Payments, before actioning, refer to the advice on Faster Payments in the section Handling client money: verifying bank account details.
- If you have concerns about a potential scam, report it to a senior member of staff immediately. The firm should then report the incident to the police's Action Fraud, the national fraud and cyber-crime reporting centre on 0300 123 2040, and the Solicitors Regulation Authority (SRA) on 0345 850 0999.
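The checks described above for a payment instruction received by email, in the section Handling client money: verifying bank account details (compare the sort code and account number against the details already held) and in the bullet on 'CEO fraud' (is the sender address exactly the one you have corresponded with before, or has a letter been added or '.co.uk' swapped for '.com'?), can be mechanised as a triage step before anyone picks up the phone. The following is an added illustration, not code from the practice note; the contact list, bank details and urgency wording are constructed sample data.

```python
"""Triage an inbound payment instruction against what the firm already holds.

Added illustration, not code from the practice note. It mechanises three checks
the note describes: whether the sender address is exactly the one on file (an
added letter or a '.co.uk' swapped for '.com' is a lookalike), whether the
sort code and account number differ from the details held for that contact,
and whether the wording presses for urgency. Any flag means the instruction is
confirmed by telephone on a number already on file, never on one in the email.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass

# Contacts and bank details the firm already holds (constructed sample data).
KNOWN_CONTACTS = {
    "jane.smith@example-conveyancing.co.uk": {"sort_code": "123456", "account": "12345678"},
}
# Phrases that try to induce the sense of urgency the note warns about (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "today", "before 5pm", "without delay")


@dataclass
class Instruction:
    sender: str
    sort_code: str
    account: str
    body: str = ""


def digits_only(value: str) -> str:
    """Strip spaces and hyphens so '12-34-56' and '123456' compare equal."""
    return re.sub(r"\D", "", value)


def match_sender(sender: str, known: dict) -> tuple[str, str | None]:
    """Return (status, matched_address): 'known', 'lookalike' or 'unknown'."""
    sender = sender.strip().lower()
    if sender in known:
        return "known", sender
    s_local, _, s_domain = sender.partition("@")
    for addr in known:
        k_local, _, k_domain = addr.partition("@")
        # Same person, different domain: the '.co.uk' to '.com' trick, or one
        # letter added to or removed from the domain name.
        if s_local == k_local and s_domain != k_domain:
            return "lookalike", addr
        # Otherwise flag anything within a character or two of a known address.
        if difflib.SequenceMatcher(None, sender, addr).ratio() >= 0.9:
            return "lookalike", addr
    return "unknown", None


def triage(instr: Instruction, known: dict = KNOWN_CONTACTS) -> list[str]:
    """List the reasons this instruction must be verified out of band (empty = none)."""
    flags = []
    status, addr = match_sender(instr.sender, known)
    if status != "known":
        flags.append(f"sender-{status}")
    if addr is not None:  # compare against the record of whoever the sender claims to be
        held = known[addr]
        if digits_only(instr.sort_code) != held["sort_code"] or digits_only(instr.account) != held["account"]:
            flags.append("bank-details-changed")
    body = instr.body.lower()
    if any(word in body for word in URGENCY_WORDS):
        flags.append("urgency-pressure")
    return flags


if __name__ == "__main__":
    genuine = Instruction("jane.smith@example-conveyancing.co.uk", "12-34-56", "12345678")
    bogus = Instruction("jane.smith@example-conveyancing.com", "65-43-21", "87654321",
                        "Please send the completion monies today to our new account.")
    print(triage(genuine))  # []
    print(triage(bogus))    # ['sender-lookalike', 'bank-details-changed', 'urgency-pressure']
```

An empty list is not proof that an instruction is genuine; it only means none of the mechanical checks fired, and a change of payee details is still confirmed by telephone on a number held on file.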
Your firm's security policies and training
- Have clear and up-to-date policies and procedures in place for dealing with the risk of scams, including the risk of 'insider' activity.
- Ensure that all staff, including support staff such as payroll staff and those dealing with accounts who may be the first point of contact for fraudsters, and new members of staff, are made aware of the risks and are trained on and understand the firm's policies and safeguards.
- Fraudsters may try to dupe junior members of staff by claiming to be someone important, even claiming to be a senior partner from the firm. Firms should ensure staff are confident in dealing with this and that they are supported when following processes correctly in the face of such behaviour from the caller.
- Consider covering in your security policy the use of technology for remote working purposes and the risks posed by unencrypted devices, USB sticks and use of personal phones, computers and tablets.
- Mobile devices should use ad-blocking software to protect against the threat of being infected by malware in the course of internet browsing.
- Personal devices should never be used for business purposes. If you are Lexcel accredited, version 6 includes a module on security of electronic storage of information. If staff are permitted to use mobile devices, consider restricting access on them to essential data and systems only.
- Consider having a centrally controlled system giving the IT department the ability to wipe lost or stolen devices remotely.
- Consider making staff aware of the dangers of using public Wi-Fi networks. Public Wi-Fi networks cannot be considered secure as the integrity of the Wi-Fi access point and the internet connection can be easily compromised, allowing criminals to intercept and read any data transmitted. Mobile data services such as 4G should be used in preference to public Wi-Fi wherever possible. Firms should consider using a VPN - a virtual private network - to enable secure connections to be made to their offices, and to use this whenever connected to public Wi-Fi, before doing anything else over the connection. While on a public Wi-Fi network, staff should never install any updates to computer programs or access sensitive information, including online-banking services.
- Remind staff that, when using work phone or laptops in public areas, they should be mindful of their surroundings and ensure sensitive information cannot be seen or heard.
- Inform staff not to open unusual emails until they are cleared by the IT department or the firm's IT provider.
- Consider running periodic internet searches against the name of the firm and its partners to ensure that fraudsters have not set up a website purporting to be that of your firm.
- Restrict knowledge of the firm's bank accounts and payments made to a small number of people within the firm who need to know.
- Impress on staff the need to come forward immediately if they have been approached by telephone scammers or if they have left documents, laptops or USB sticks containing sensitive information in a public place.
- Consider printing off and displaying around the firm (particularly for those people who deal with client money) posters issued by the police on how to avoid and report fraud attempts, and by banks, which set out the instructions banks would never give over the phone and provide advice on what to do if you receive a call purporting to be from a bank. Consider changing or moving around these posters on a regular basis to prevent them becoming part of the scenery.
- Ensure that confidential waste is disposed of correctly. Information pertaining to the firm, its clients, banking accounts or details of suppliers can be used to facilitate fraud.
- Regularly review all preventative measures so that they reflect current best practice, are applied consistently across the firm, and are effective.
- Put in place a simple crisis-management process, specifying who will take what action in the event of a successful scam.
- Friday is a popular day for firms to be targeted due to the large number of conveyancing transactions which complete that day, but be aware that scams can occur at any time.
- To increase your firm's awareness of cyber threats and how to combat them, the Law Society can sponsor firms to join the Cyber Security Information Sharing Partnership - a free, collaborative initiative between industry and government for sharing cyberthreat and vulnerability information. Information can be shared on an anonymous basis. See our Cybersecurity webpage for further details.
- Keep up to date with the risks posed by fraudsters, including the latest identified scam techniques, by regularly consulting the available information, including:
Technical preventative measures
- Ensure that your firm's security software, including antivirus, anti-spam, and firewall software, is sufficient and regularly reviewed and updated to identify and remove malware.
- Consider full disk encryption for your computers and mobile devices.
- Check if your mobile devices can be wiped remotely if lost, and keep a note of the procedure for doing this.
- Ensure that software installed on all company devices is kept up to date and regularly 'patched'. The majority of virus and malware attacks exploit vulnerabilities in software that the software supplier has already fixed in the latest version.
- Do not open any attachments, or click on any links, in unusual or unexpected emails. Contact your firm's IT service provider to check the authenticity of such emails before they are opened.
- Do not install any software from an external source without seeking expert advice.
- Security software on staff's personal devices, including USB sticks, also needs to be adequate if these are used for work purposes. Consider requiring that any client, financial, personal or otherwise confidential data may only be stored on a memory stick when in encrypted form, or else on an encrypted device.
- Use strong passwords: a minimum of 10 characters containing a mix of upper-case letters (A-Z), lower-case letters (a-z), digits (0-9) and non-alphanumeric characters.
- Do not use the same password for more than one account, and change passwords regularly. You might like to investigate password management software, to help you manage your passwords securely.
- Be alert to indications that your computer(s) could be infected by malware. Signs could include operating systems slowing down, unexpected pop-ups, regular crashes, running out of disk or storage space, or a new browser homepage opening unwanted websites.
- Remember that malware can infect a device and lie dormant while the fraudsters wait for an opportunity to carry out their scam.
- Have clear procedures and policies in place for using email and the internet.
- Ensure that everyone in your firm is aware of the vulnerability of using public Wi-Fi. Criminals can easily run what looks like a legitimate wireless network and see what you are doing when connected to it.
- Change the original hub settings of your firm's Wi-Fi router to make it less vulnerable to hacking. Most network providers have a finite number of default passwords and criminals are able to test these out electronically to hack into your system. Do not use the name of your firm in the renamed network setting as this will identify it as belonging to a solicitors' firm.
- Be wary about offering your clients and visitors to your firm free Wi-Fi on your premises, even if this is on a separate Wi-Fi network to that used by your firm. No-one outside the firm should know the password to the firm's Wi-Fi network that is used for work purposes. Clients using free Wi-Fi to email you about transactions risk being hacked.
- If access is gained to the firm's voicemail facilities, fraudsters can exploit in-built services, such as message forwarding and call diversion, and make calls on the firm's account. The voicemail system password should be changed from its default setting and updated regularly. Remote access to voicemail should be avoided where possible, or at least restricted to essential users who regularly update their PIN/password.
- Consider certification against the Cyber Essentials standard.
- The SRA's Spiders in the web: The risks of online crime to legal business publication contains steps on how to address cybersecurity.
- There is also a government guide for small and medium-sized enterprises on how to stay safe online.
- The Law Society offers free online training for solicitors and their staff on cyber security.
- Regularly review and keep up to date your firm's incident response policies and procedures.
- Report any incident so that the police and government can put resources in place.
- Review your compulsory professional indemnity insurance (PII) policy and any other office policies you have to understand the exclusions. Be aware that your standard compulsory minimum terms and conditions PII policy will cover you for civil liability and third party loss of money (absent any fraudulent activity which may be established in accordance with policy terms and conditions) but will not cover other risks, such as reputational damage, the cost of a forensics investigation or business interruption, or theft from the office account. Check your other office policies to see whether they cover those risks. Discuss your insurance needs appropriate to your firm with a broker who specialises in this type of cover.