Protecting your firm if you fall victim to a scam
Overview
What is the issue?
This practice note outlines:
- the regulatory and legal requirements that apply when a firm's client account has fallen victim to scammers
- how to overcome problems which might otherwise lead to the firm's failure and forced closure
Preventing scams and coronavirus
Law firms are a significant target for fraudsters during the coronavirus pandemic. They handle large volumes of personal data, including sensitive financial data, and are stretched by the need to provide ongoing legal services to clients while most staff are working from home, with systems being used in ways and at volumes for which they were never intended.
During the coronavirus pandemic, specific scams have included phishing emails sent seeking:
- to impersonate organisations like the World Health Organisation (WHO), National Health Service (NHS) or the UK government
- to encourage the recipient to follow malicious links, download malicious software (malware) or software that seeks to lock access to the system in return for payment of a fee (ransomware)
There has been a 400% increase in coronavirus-themed phishing emails in March 2020 alone according to UK Action Fraud. Google estimates that one in five of the 100 million phishing emails it blocks every day are coronavirus related, preying on the lack of knowledge, and in many instances, fear, of the recipient.
This practice note has been updated to reflect the risks created by the coronavirus pandemic and the reality of operating a law firm in conditions of lock down. It also includes links to additional advice and guidance that may help.
This practice note is the Law Society’s view of good practice in this area, and is not legal advice. For more information see the legal status.
Introduction
Who should read this practice note?
Managing partners, practice managers and staff of firms which hold a client account and who are responsible for:
- the secure management of the client account
- the firm's information security
- the management and day-to-day operation of the practice
- the firm's professional indemnity insurance (PII)
- business continuity management and handling their clients' business when something goes wrong
Compliance officers for legal practice (COLP) and compliance officers for finance and administration (COFA).
Data protection officers (DPO) or any staff responsible for data protection and cyber security compliance.
What is the issue?
Firms holding client accounts are vulnerable to the risk of theft of confidential data which could lead to the theft of client money held in client accounts. Firms of all sizes can be targeted. The effect on the scammed firm can be extremely serious both financially and reputationally.
All firms are at risk of falling victim to fraudulent scams perpetrated via email or social media platforms. Every day, business organisations are a target for fraudsters impersonating banks, brokers and other third party organisations in order to perpetrate fraud or to access personal or confidential data.
It has been known for fraudsters to impersonate business clients and then direct firms to take steps which perpetrate a fraud that only becomes apparent to the firm many months down the line. Consequently, all firms are at risk, as are all types of transactions, not just those involving the client account and client funds.
You must immediately take certain actions if you find or suspect that your firm has been the victim of a scam, resulting in your client account being compromised. You must inform:
- your bank
- Action Fraud via their website or by telephone on 0300 123 2040
- your professional indemnity insurer
- your cyber liability insurer
- the National Cyber Security Centre (NCSC)
- the Solicitors Regulation Authority (SRA) by telephone on 0121 329 6827 or email at fraud@sra.org.uk
These actions could help safeguard your clients' money and potentially your firm's reputation and even its viability.
A firm's resilience and ability to recover will vary according to individual circumstances and the nature of the perpetrated scam. In the worst-case scenario, in a firm where the equity partners do not have limited liability or have made personal financial guarantees, the scam could lead to bankruptcy of individual partners and the firm's closure. Members of an LLP may, in limited circumstances, be held liable.
The ability to recover will be significantly greater if the firm and its senior management have prepared to handle the consequences of a serious fraud perpetrated as the result of a cyber intrusion.
As well as ensuring regular cyber security training for all grades of staff including senior management, the firm should also rehearse a cyber security incident and its immediate aftermath so that the necessary actions such as those highlighted in the bullet points above may be prioritised and executed. The NCSC provides a comprehensive suite of simulation exercises for teams and boards to carry out and test their preparedness called Exercise In A Box.
This practice note outlines the regulatory and legal requirements that apply when a firm's client account has fallen victim to scammers. It provides advice which aims to help the firm overcome problems which might otherwise lead to its failure and forced closure.
There are a number of reporting obligations that the firm needs to discharge immediately.
The firm must also restore the client account funds without delay. Its partners might be personally liable for the client fund shortfall.
There are then further actions necessary to bring about the firm's recovery and to improve security to the firm and to its systems.
This practice note is not concerned with advice on how to protect your firm from scams and cybercrime generally.
In view of the changing nature of the methodologies and increasing sophistication of scams, solicitors and non-qualified staff in firms should keep their knowledge of good and bad practice up to date by following advice from:
- the SRA
- the Law Society
- their banks
- their professional indemnity insurer
- organisations concerned with cybersecurity
Sources of such information are listed at the end of this practice note along with other useful information.
Firms should ensure that incident response policies and procedures are regularly reviewed and kept up to date. They should remain alert to potential warning signs so that they can take averting action and undertake due diligence where possible.
How do scams occur?
All institutions holding funds are vulnerable to sophisticated targeted attacks from fraudsters, for example through emails or telephone calls.
Criminals use a variety of ever changing and increasingly sophisticated means, electronic and/or verbal, involving impersonation and/or infiltration, in an attempt to obtain confidential financial information and data with the aim of stealing money from bank accounts. A firm's client accounts can be targeted in this way. Banks and clients can also be targeted in an attempt to defraud the client account.
To make their scam appear credible, criminals may use tactics such as convincingly passing themselves off as calling from a bank or referring to the details of a genuine transaction which they have acquired dishonestly. Or they may use the names of law firms, solicitors, parties to a conveyancing transaction, beneficiaries of trusts and wills or persons linked directly or indirectly to a client account, to make their activity seem credible.
Many scams will be designed to play on current credible threats. At the time of the coronavirus lockdown many scams were perpetrated by playing on the opportunities and fears created by the new and novel situation.
One common email scam involved an email purportedly sent by a British-Chinese dual citizen who had travelled to China, claimed to be seriously ill while in self-isolation, and was now emailing UK law firms to initiate the transfer of funds from the United States to the UK for the purpose of establishing a charitable fund in the event of the author's likely untimely demise.
Giveaways as to the fraudulent nature of the email included the author's email address. However, if the recipient took the email at face value and assumed that the author had been forced to take extreme measures to get around the "great firewall of China", the email may have appeared genuine, and a correspondence would have ensued inducing the law firm to provide either personal data or access to financial accounts that may then have allowed the fraud to be perpetrated.
Other examples of common scams directed at law firms include:
- sending emails purporting to come from common service providers (for example telecoms, broadband, post and other business service providers)
- requesting payment of fairly modest sums in the hope that admin staff will arrange payment while authorising multiple other payments at the end of a busy week, a busy month or during the financial year end
Many scammers carry out detailed research on business websites, at Companies House, and on professional registers and social media. This enables them to target their scam emails (known as “spear” phishing), instant messages or text messages to specific recipients.
These targeted messages may include information about a plausible client or transaction which induces the recipient to engage in correspondence with the fraudster, genuinely believing that the fraudster is a known and recognised third party.
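The spear-phishing tells described above (a familiar name on an unfamiliar address, a Reply-To that diverts the conversation, a look-alike sender domain, and a request to change payment details) can be checked mechanically before a message reaches a fee earner or the accounts team. The following Python script is an added illustration and is not part of the practice note or any Law Society tool; the address book, domains and sample messages in it are constructed for the example, and a firm would substitute its own verified contact list.

```python
"""
Sender-impersonation triage for inbound email (added example, not part of the
practice note). Checks a message's headers and body against a constructed
address book and reports the spear-phishing tells described in the text.
All contacts, domains and messages below are constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed address book: display name -> the address the firm has verified.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example-conveyancing.co.uk",
    "Bank Relationship Team": "relationship@bank.example",
}
KNOWN_DOMAINS = {addr.split("@")[1] for addr in KNOWN_CONTACTS.values()}

# Phrases that commonly accompany an attempt to redirect a payment.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank )?(account|sort code|details)\b",
    r"\b(updated|changed) (bank|payment) details\b",
    r"\bpay(ment)? to (the )?(following|new) account\b",
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise(domain: str) -> str:
    """Collapse common homoglyph substitutions so look-alikes compare equal."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain is not a known domain but closely resembles one."""
    if domain in KNOWN_DOMAINS:
        return False
    return any(
        _normalise(domain) == _normalise(known) or _edit_distance(domain, known) <= 2
        for known in KNOWN_DOMAINS
    )


def triage(raw_message: str) -> List[str]:
    """Return human-readable findings for one RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # A known contact's display name attached to an address we have not verified.
    known = KNOWN_CONTACTS.get(name)
    if known and addr.lower() != known.lower():
        findings.append(f"display name '{name}' used with unverified address {addr}")

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    # Sender domain that imitates a domain the firm actually deals with.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} resembles a known domain")

    # Body text asking for payment details to be changed.
    payload = msg.get_payload(decode=True)
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(msg.get_payload())
    if any(re.search(p, text, re.IGNORECASE) for p in PAYMENT_CHANGE_PATTERNS):
        findings.append("message asks for payment details to be changed")

    return findings


# Constructed sample messages for the example.
SAMPLE_SPOOF = """From: Jane Smith <jane.smith@example-conveyanclng.co.uk>
Reply-To: jane.smith.office@mail.example.net
To: accounts@firm.example
Subject: Completion monies

Please note our updated bank details for completion on Friday.
"""

SAMPLE_GENUINE = """From: Jane Smith <jane.smith@example-conveyancing.co.uk>
To: accounts@firm.example
Subject: Completion monies

Confirming completion is on Friday as agreed.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("genuine", SAMPLE_GENUINE)):
        print(label, triage(sample) or "no findings")
```

The check is deliberately conservative: a finding is a prompt to verify the instruction out of band with the contact's known telephone number, not a verdict, and a clean result does not mean a message is safe.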
Regulatory and legal requirements
Professional conduct
The following parts of the SRA Standards and Regulations are relevant to this issue.
Principles
There are 7 principles that apply to all Solicitors Regulation Authority (SRA) regulated individuals or entities. The relevant principles here are:
Principle 2 – You act in a way that upholds public trust and confidence in the solicitors' profession and in legal services provided by authorised persons.
Principle 4 – You act with honesty.
Principle 5 – You act with integrity.
Principle 7 – You act in the best interests of each client.
SRA Code of Conduct for Solicitors, RELs and RFLs
The following sections of this Code apply.
1.4 – You do not mislead, or attempt to mislead your clients, the court or others, either by your own acts or omissions or allowing or being complicit in the acts or omissions of others (including your client).
3.6 – You ensure that the individuals you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations up to date.
4 – Client money and assets.
7.1 – You keep up to date with and follow the law and regulation governing the way you work.
7.3 – You co-operate with the SRA, other regulators, ombudsmen, and those bodies with a role overseeing and supervising the delivery of, or investigating concerns in relation to, legal service.
7.4 – You respond promptly to the SRA and:
- provide full and accurate explanations, information and documents in response to any request or requirement; and
- ensure that relevant information which is held by you or third parties carrying out functions on your behalf which are critical to the delivery of your legal service is available for inspection by the SRA
7.5 – You do not attempt to prevent anyone from providing information to the SRA or any other body exercising regulatory, supervisory, investigatory or prosecutory functions in the public interest.
7.7 – You report promptly to the SRA or another approved regulator, as appropriate, any facts or matters that you reasonably believe are capable of amounting to a serious breach of their regulatory arrangements by any person regulated by them (including you).
7.8 – Notwithstanding paragraph 7.7, you inform the SRA promptly of any facts or matters that you reasonably believe should be brought to its attention in order that it may investigate whether a serious breach of its regulatory arrangements has occurred or otherwise exercise its regulatory powers.
7.10 – You act promptly to take any remedial action requested by the SRA. If requested to do so by the SRA, you investigate whether there have been any serious breaches that should be reported to the SRA.
7.11 – You are honest and open with clients if things go wrong, and if a client suffers loss or harm as a result you put matters right (if possible) and explain fully and promptly what has happened and the likely impact. If requested to do so by the SRA you investigate whether anyone may have a claim against you, provide the SRA with a report on the outcome of your investigation and notify relevant persons that they may have such a claim accordingly.
7.12 – Any obligation under this section or otherwise to notify, or provide information to, the SRA will be satisfied if you provide information to your firm's COLP or COFA, as and where appropriate, on the understanding that they will do so.
SRA Code of Conduct for Firms
Section 2 Compliance and Business Systems.
Section 3 Co-operation and Accountability.
Section 5.2 You safeguard money and assets entrusted to you by clients and others.
Section 9 – Compliance Officers.
SRA Accounts Rules
Rule 5 – Withdrawals from Client Account.
Rule 6 – Duty to correct breaches upon discovery.
6.1 – You correct any breaches of these rules promptly upon discovery. Any money improperly withheld or withdrawn from a client account must be immediately paid into the account or replaced as appropriate.
SRA Authorisation of firms’ rules
Authorisation of Individuals Regulations
PII Minimum terms and conditions
The SRA Participating Insurer's Agreement
The following legislation also applies to this issue.
Fraud Act 2006
Section 3 sets out the circumstances in which it is an offence not to disclose information to others (such as the client).
Section 4 sets out that people (such as solicitors) who are in a position where they are expected to safeguard the financial interests of others commit an offence when they fail to do this.
Data Protection Act 2018 and General Data Protection Regulation
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 provide for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
The most significant change for solicitors and other data controllers introduced by the GDPR is the explicit requirement to demonstrate accountability for the specific and demonstrable measures you need to have in place to ensure compliance with each of the GDPR’s data protection principles.
These principles relate to the following requirements in your handling of personal data:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
What you must do immediately if you discover your firm's client account has been scammed and who you must inform
Regulatory and legal implications
Operating a compromised client account risks being regarded as a breach of trust and also as constituting serious misconduct because of the impact on clients.
It is essential that in the immediate aftermath of the incident you do everything that you can to contain the situation. This means engaging with the following organisations without delay in order to limit the damage and bring about the best possible result in rectifying it.
Informing your bank
You must contact your bank immediately if you suspect there has been an unauthorised or suspicious withdrawal from your client account. Delays in contacting the bank could lead to further loss of funds from the client account and reduce the opportunities to make recoveries.
Ask your bank's relationship manager and its fraud department to help you contain the losses, secure and protect the account and records and assist where possible in recovery of funds taken through criminal activity.
It is advisable to keep a record of the content and times of your communications with your bank.
While each bank may react differently and according to the individual circumstances, your bank can be expected immediately to freeze the client account to prevent further losses. The bank can also be expected to contact the receiving bank without delay to attempt to recover lost money, if the fraudsters have not yet taken it out from the receiving bank account. The bank will also co-operate with and support any police investigations to establish what has happened.
Informing the police
You must inform the police straight away that your client account has been compromised.
To report fraud, including online or internet crimes, and to receive a police crime reference number, contact Action Fraud via their website or call 0300 123 2040.
Informing your professional indemnity insurer
You must inform your insurer under the terms of your professional indemnity insurance (PII) policy of any claims or circumstances that may give rise to a claim.
This triggers a claim under your PII policy for the loss sustained to the client account.
When notifying insurers of the claim and circumstances, you should also consider your duty of client confidentiality. Client confidentiality and legal privilege can only be waived with the express consent of the client. There is no effective waiver of privilege where a client has not yet made a claim against the firm. You should describe to the insurer the nature of the problem without providing client details.
The situation is more straightforward if your terms of engagement or retainer made clear that, if your firm has to make a notification under the professional indemnity policy of information about the client and the client file, the client file may in those circumstances be seen by an assessor or another person unconnected with the firm in the absence of the client's prior disagreement.
Informing your cyber liability insurer
It is a likely term of your cyber liability policy that you’re required to inform your insurer of any circumstances that may give rise to a claim. While you must maintain client confidentiality and legal privilege as with PII above, you should check your cyber liability policy wording as your insurer may place a time limit on when they need to be notified of a possible cyber security breach failing which the full level of cover may not be forthcoming.
However, it is in your interest when prioritising your actions to notify your cyber liability insurer as one of the first steps that should be taken. They are likely to be able to help you in the immediate aftermath of a scam perpetrated as the result of a cyber security breach. They will have supported many other insured law firms through similar incidents in the past and will be able to share expertise and resources with you. They may also be able to provide useful contacts such as forensic IT specialists.
If you have concerns about gaps in your firm’s existing insurance provision, the National Cyber Security Centre (NCSC) has recently published advice for organisations contemplating taking out cyber insurance (August 2020) in the form of a helpful checklist of points to consider.
Inform the ICO
If a fraudster has been successful in perpetrating a fraud that involved the handing over of any information that identified an individual, such as a name, an email address, a sort code or an account number, medical or criminal records, or any photographs, audio or video recordings, then there will have been a breach of personal data and the Information Commissioner must be notified within 72 hours of becoming aware of the breach.
In cases where a breach is likely to result in high risk to the rights and freedoms of natural persons, the Information Commissioner must be notified without undue delay. Failure to notify within the appropriate statutory time frame may lead to an investigation and enforcement action from the Information Commissioner’s Office (ICO).
At the time of reporting the breach the appropriate form should be used from the ICO website and as much helpful information should be disclosed to the ICO as possible. This should include:
- detailing the firm’s applicable policies, procedures and training to prevent fraud
- identifying the reasons behind the fraud
- confirming what measures have been taken to protect the individuals affected and to ensure that such a breach does not happen again
Informing the SRA
You must inform the SRA promptly on 0121 329 6827 or email at fraud@sra.org.uk.
The SRA will work closely with you to safeguard your client's interests. It might also be able to assist in expediting police involvement.
Funds stolen from the client account will amount to a breach of the SRA Accounts Rules because the rules impose absolute liability regardless of personal fault.
If you’re a compliance officer for legal practice (COLP) or compliance officer for finance and administration (COFA) you have additional reporting duties.
The theft may put the financial viability of your firm into immediate question if the amount stolen and needed to be immediately replaced exceeds the means of those liable to repay it. This is covered in 5.3 of the Accounts Rules.
Informing affected clients
If a particular client's money has or may have been stolen in the scam, you must inform the client. Informing clients who may be affected about the client account shortfall will also ensure that you’re acting in the best interests of clients.
You may wish to say to the client, preferably with your insurer's agreement, that you’ll be notifying your insurers and will be passing on the client's details.
Informing staff
If the scam is sufficiently serious to have warranted all of the actions outlined above, and in the event that there has been a breach in personal data that could lead to regulatory action and enforcement, it may be prudent to ensure that all staff are aware that the firm’s systems have been compromised and are informed of the measures that the firm is taking to support and safeguard the affected individuals.
This will ensure that all staff are aware of the situation and that staff or management are taking responsibility in the aftermath of the fraud so that any relevant enquiries from clients, regulators and other relevant parties are directed appropriately and efficiently.
Ensure you do not compromise your insurance coverage or fall foul of the reimbursement provisions
Ideally, you should get agreement from the insurer on what you may tell clients and other parties.
Do not make any admission of liability or any offer of settlement to any third party without specific consent from your insurers.
Do not disclose the involvement of your own insurers beyond the extent that you’re required. Firms must disclose certain insurance details to clients and/or claimants. Both these regulations apply only to the compulsory element of the insurance, that is the minimum terms and conditions of cover. This means that only details of the primary layer insurer have to be provided.
The obligation to disclose comes from two different sources:
Informing other clients and other parties
This is dealt with under Section 5: the practicalities of dealing with client monies after a shortage has been identified.
What you must do next – putting into effect an action plan
The precise order of urgency for next steps will be dependent on your individual circumstances and what the SRA and other agencies advise. But it seems likely that putting the following steps into action should be done in parallel.
Drawing up a plan of action will help you demonstrate to the SRA, your bank and your insurer that you’re acting professionally and responsibly, with serious intent to limit damage, safeguard the public interest and restore confidence in your business as a going concern.
Cyber-incident response
In the immediate aftermath of a cyber-based scam, you should decide if you need to make use of a Cyber Incident Response (CIR) service.
CIR services should be well-placed to advise you on what action needs to be taken. They should have proven knowledge and experience that will enable you to contain the incident and prevent recurrence.
The government has certified a number of providers. Further information, along with contact numbers, can be found on the National Cyber Security Centre (NCSC) website.
Unless you have relevant add-on insurance to your standard PII policy, the cost of these services is unlikely to be covered.
If you hold cyber-insurance, depending on the extent of its cover, you might be able to get assistance with or recover some of the following costs:
- costs of response
- investigation
- neutralising cyber-infection
- putting right damage to, or loss of information from, IT systems and networks and of data breach
- informing clients and reputational damage
- fines (where insurable by law)
- cyber-extortion
Depending on the severity of the incident it may also be reported to the NCSC. Action Fraud may be able to advise on whether the NCSC should be notified.
Replacing the stolen funds - plan of action
You should be able to demonstrate that you’ve taken prompt action to inform your bank and to contain the damage.
The SRA regards a deficiency in the client account as exposing clients and others to a risk of financial loss and damage to public confidence. The SRA will expect urgent assurances from you that you've put in place measures to replace the stolen funds without delay. The SRA sets out its expectations in its Warning Notice: improper use of client account as a banking facility.
It should be possible to obtain early indications from either the insurer or the bank, or both (depending on the circumstances), as to the steps they are prepared to take to replace the funds.
Under the SRA Accounts Rules, it is your duty to remedy breaches.
Rule 6 of the SRA Accounts Rules 2019 provides that any breach of the rules must be remedied promptly upon discovery, including money improperly withdrawn from the client account.
If the client account shortage continues, the SRA might deem the firm to have committed serious regulatory breaches.
Professional indemnity insurance
As part of the assurances the SRA will seek from you as to how you'll replace the stolen funds, the SRA will want to know whether you've submitted a claim against your PII policy and whether and when the insurer is likely to pay.
The definition of a claim in the PII Minimum Terms and Conditions wording provides that an obligation on the part of an insured firm to replace a client account shortage amounts to a claim under the firm's PII policy.
The large sums likely to have been taken will usually mean that the insurer can be expected to appoint panel solicitors to investigate. The insurer will probably reserve rights and investigate coverage. The insurer may also investigate whether the firm can recover their loss from anyone else, for example, from their bank.
The insurer should be able to confirm within two days of being informed by you of the fraud whether it has decided to appoint panel solicitors to commence investigation. This should not, however, in the circumstances, be a reason to delay paying the claim.
Insurers have a duty to treat their customers fairly. Clause 7 of the Participating Insurer's Agreement imposes an obligation on the insurer to act with the utmost good faith in the course of its dealings, as well as to pay claims without avoidable delay after liability under the policy has been established and the amount payable by the insurer has been agreed.
There is a risk that if the bank and the insurer are plainly uncooperative and persist in their deliberations, the SRA will expect the principals to make good the client account shortage from their own resources in order to meet the urgency of the situation or to insist upon closure of your firm.
In these circumstances, you may wish to hire independent expert legal advice to assist you as this might work out a less financially damaging option than negotiating with your insurer or your bank.
Obtaining independent expert legal advice
The impact of any delay in making good the client account on the scammed firm's viability while the regulator, insurer and bank carry out their processes should not be underestimated. It could result in the firm's forced closure.
It may be advisable to procure specialist legal advice to assist you in getting through this difficult phase to ensure the firm's survival. Specialist legal advice in the immediate aftermath of a cyber-attack will assist in prioritising measures that will ensure the firm's continued reliability and that appropriate resources are directed in the most efficient manner. Specialist legal advisers may also be able to facilitate, where necessary, the procurement of forensic IT support or forensic accounting in order to ascertain the true extent of a long-term fraud or scam.
Information on sources of external expertise is provided at the end of this practice note.
Other general insurance policies
In addition to your PII policy and any cyber-insurance you might hold, you should check your firm's other general insurance policies for cover and for assistance with reputational damage or business interruption which might help you recover your business.
The practicalities of dealing with client monies after measures have been initiated to replace the stolen funds
Developing SRA policy
Lenders will want to be notified about how a mortgage transaction will be completed. The insurer might also wish to prioritise which clients should be paid first or to pay a client in instalments and refund the balance later.
A deficient account cannot be used (beyond a de minimis transition to realisation of the extent of the problem) because any withdrawal will be a breach of the Accounts Rules. Some degree of tolerance, of a few days, less than a week, would allow plainly identifiable recent receipts to be used for required payments.
However, how you can operate as a firm is far from straightforward.
There are legal as well as regulatory requirements that affect how you might be able to act.
In certain circumstances, it may be an offence under Section 3 of the Fraud Act 2006 not to disclose information to others, such as clients, that a shortage to the client account has arisen as a result of the fraud.
GDPR and UK Data Protection Act 2018 include information security obligations when processing personal data and the Information Commissioner has the power to set penalties for breaching these obligations.
The ICO advises that you should be clear about who needs to be notified about the breach of data security and why, and the decisions you have taken about notifying the affected parties and the ICO. Links to the ICO's guidance can be found at the end of this practice note.
The SRA's Warning Notice: bogus law firms and identity theft takes a robust view of how the regulator perceives the situation.
Recovering the client account
Clients whose funds are needed without delay will need to be informed of the theft and that urgent steps are being taken.
To overcome a barrier to getting your firm back in business, the bank might decide to set up a new client account which will enable you to deposit the funds securely. Your bank will let you know whether and when it can authorise you to use the client account again.
Any new receipts should be credited to a secure client account through which transactions can take place without any impact from the shortage. The usage of the account will have to be in line with SRA requirements.
You may well breach your duty to act in the best interests of clients if you pay client money into an already deficient account without fully informed consent. No properly advised client would pay funds into a deficient account with the risk of only receiving a proportion back. Failing to inform clients exposes them to a risk of loss (see section 4.2).
Until the missing money is replaced, you should not take costs from the client account. The SRA's advice is that you should work closely with the SRA on what you need to do to start operating the client account again. You should consult the SRA's Supervision function in these circumstances, on 0370 606 2555.
Losses from scams have tended to be of two kinds – one leading to a general shortage and one not.
In the former, thieves may gain access to banking details enabling them to operate the account. Alternatively, they may telephone the firm posing as bank employees and persuade them that the client account is at risk and to transfer the monies into a 'safe' account – thereby facilitating the theft. In these scenarios, the money taken could be 'anybody's' and there will be a general deficiency to the client account.
In the second category, as a result of learning about an imminent payment through intercepting communications (typically emails), the thieves impersonate a genuine party in a transaction to instruct the firm to change the destination account for the expected payment.
When the duped firm sends the money of client A to the wrong account there will be a liability to A to account for the missing money, and to replace that money, but there is no general deficiency. There is no obligation to pay A from other clients’ money nor does the debt to A mean that other clients’ money is affected. Client A would theoretically sue the firm for an account and the firm would be insured in respect of that claim. No-one else would be affected.
The SRA in these circumstances would still be expected to insist that the firm makes good the loss without delay.
Closing your firm
Ultimately, if it becomes clear that money will not be forthcoming from the bank, insurers or from private sources within a timescale acceptable to the SRA, the firm will have to close.
It may nevertheless be possible to arrange for an orderly closure, recognising that the client funds will still need to be replaced.
The SRA might still require recovery of the stolen money from the principals' own funds.
Once again, specialist legal advice might be valuable to the firm at this stage. Refer to our practice note on closing down your firm for more information on the regulatory requirements.
Recovering your business - reviewing your incident response policy and lessons learnt
If the firm has survived and recovered, you should review the incident to see what lessons can be learnt to prevent further attacks. It is important for the firm to identify how and why the scam was successful. The firm should consider whether the scam resulted from a control failure, or whether correct preventative measures were not in place at the time.
This may involve reviewing and revising your information security, business continuity and incident response policies and procedures, technical controls, staff training and cybercrime awareness.
Your bank, insurers and lenders might insist on verification that these measures have been taken.
You should ensure that all preventative measures are regularly reviewed so that they reflect current best practice. You should also ensure that preventative measures are applied consistently across the firm and are effective, and that every attempt to breach your firm's systems is recorded, even if it was unsuccessful.
A review could also include small but effective steps such as making sure that all members of the firm know that, if they think they have fallen victim to a scammer or made a mistake which could lead to further loss of funds from the account, they must bring this to the attention of the appropriate person straight away. They should know who the appropriate person with responsibility for dealing with breaches within the firm is (for example, a COLP, COFA or IT manager).
It may be the case that new governance measures within your firm need to be established such as regular penetration testing of your IT systems by an external assessor as well as the regular performance of a cyber security breach exercise such as that offered by the NCSC’s Exercise in a Box.
Other measures should include regular staff training on identifying cyber security threats and possible scams. Often such training will need to be refreshed on an annual basis. It may also be necessary to introduce regular cyber security training for all new starters joining your firm as part of their induction programme.
Free help and support is available below, including training and information-sharing in cybersecurity.
Sources of help and support in the event of being scammed
Practice Advice Service
We provide support for solicitors on a wide range of areas of practice and problems. The Practice Advice Service can be contacted on 0207 320 5675 from 9am to 5pm on weekdays or by email at practiceadvice@lawsociety.org.uk.
External sources
Action Fraud National Fraud and Cyber Crime Reporting Centre – this website provides information on reporting fraud, and also on reporting a potential scam message or computer virus you have received even where no money appears to have been lost or you have not responded to it. A Business Reporting Tool enables companies to report multiple instances of fraud and internet crime more efficiently.
The SRA's professional ethics helpline – for advice on conduct issues and compliance with the SRA handbook. Call 0370 606 2577 (inside the UK) 9am to 5pm, Monday to Friday.
The SRA's Supervision helpline for advice on risk, systems and controls. Call 0370 606 2555.
Cyber Incident Response (CIR) service – the government's list of certified cyber-response providers, with contact numbers.
The Information Commissioner's Office offers guidance on data security breach management. It has also produced guidance on reporting a breach and other related guidance.
SRA guidance, 25 November 2019, Warning Notice: improper use of client account as a banking facility.
Law Society reporting
We’re interested in hearing your experiences in dealing with scams, in order to gather intelligence to best support the profession and keep our guidance up to date.
Email scamsreporting@lawsociety.org.uk to share your experience with us.
Help with awareness and preventative measures
Law Society advice
Cybersecurity information – guidance, free training, information sharing and accreditation.
This includes a free online CPD course for members developed by the UK government as part of its National Cyber Security Strategy with the support of both the Law Society and the Institute of Chartered Accountants in England and Wales.
The course aims to:
- increase awareness of cybersecurity issues so that you can apply the knowledge in your own context
- help you to protect both yourself and your business
- help you to be more aware of security issues and more confident of discussing these with clients
The course covers:
- what cybersecurity is
- how it affects you and your clients
- why you should care about it
- cyberthreats to your business and you
- cyber-attacks (phishing and hacking) and their impacts
- mitigating the impacts
SRA advice
The SRA publishes a 'scam alert'.
SRA article In the shadows: Risks associated with bogus firms.
Solicitors' Assistance Scheme
The Solicitors' Assistance Scheme (SAS) offers general confidential help and advice for all solicitors in England and Wales, their families and employees, on professional and personal problems. The first hour of the advice is free.
The SAS website has a list of solicitors who specialise in giving advice on situations where there is a delay in making good the client account due to, for example, disputes about liability.
Phone: 0207 117 8811
Email: help@thesas.org.uk
Law Care
Law Care provides support to legal professionals in the UK and Ireland facing personal and professional problems via a free confidential helpline.
Telephone: 0800 279 6888
External advice
Coronavirus-related fraud reports increase by 400% in March (Action Fraud).
Weekly Threat Report from the NCSC
Joint US and UK Advisory: COVID-19 exploited by malicious cyber actors (NCSC).
Issues around cyber criminals pretending to be the WHO
Cyber Essentials is a government-backed and industry supported scheme to guide businesses in protecting themselves against cyberthreats.
Law Society practice notes on related areas
- Professional indemnity insurance – your regulatory obligations relating to PII
- Mortgage fraud – protecting you and your firm from being used to commit a mortgage fraud
- Property and registration fraud – to assist you when acting in property transactions. Fraud targeted at the properties of both individuals and companies, including identity and other types of fraud and the presentation of forged documents to Land Registry for registration
- Anti-money laundering – to help you comply with the Proceeds of Crime Act 2002, Terrorism Act 2000 and Money Laundering Regulations 2007 and all amending legislation up to October 2013. It also details good practice
- Closing down your practice – the numerous actions you need to take when closing your practice
Practice notes represent the Law Society’s view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them but doing so will make it easier to account to oversight bodies for your actions.
Practice notes are not legal advice, and do not necessarily provide a defence to complaints of misconduct or poor service. While we have taken care to ensure that they are accurate, up to date and useful, we will not accept any legal liability in relation to them.
For queries or comments on this practice note contact our Practice Advice Service.
SRA Principles
There are seven mandatory principles in the SRA Standards and Regulations which apply to all aspects of practice. The principles apply to all authorised individuals (solicitors, registered European lawyers and registered foreign lawyers), authorised firms and their managers and employees, and to the delivery of regulated services within licensed bodies.
Must – a requirement in legislation or a requirement of a principle, rule, regulation or other mandatory provision in the SRA Standards and Regulations. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or regulations.
Should – outside of a regulatory context, good practice, in our view, for most situations. In the case of the SRA Standards and Regulations, a non-mandatory provision, such as may be set out in notes or guidance.
These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best route to meet the needs of a particular client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why your alternative approach is appropriate, either for your practice, or in the particular retainer.
May – an option for meeting your obligations or running your practice. Other options may be available and which option you choose is determined by the nature of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.