The Sunday Times of the 7th April carried yet another report of a cyber fraud attack against the client of a law firm in its “Question of Money” column.
In what was described by the law firm’s client as “the worst experience of my life”, an email, ostensibly from the firm but in fact from a fraudster, was sent to the client requesting that the sum of £100,000 should be sent to a new account using four payments of £25,000. These payments were made by the client without checking with the solicitor. The fraudster had used an email address that was almost identical to the email address of the firm except that a letter “w” had been replaced with a double “v” – “vv”. Rather worryingly it is easy to suppose that most people, law firm personnel and clients alike, would be likely to be taken in by this particular form of fraud technique.
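The substitution described above (a "w" written as "vv") is a lookalike-domain trick that a mail gateway or a firm's own finance team can screen for before any payment instruction is acted on. The Python below is an example added here; it is not part of the article and not any firm's or bank's code. The firm domain, the sender addresses and the table of confusable characters are constructed placeholders for illustration, and the table is deliberately small rather than exhaustive.

```python
# Added example (not from the article): a defender-side check that flags
# sender domains which look like a trusted domain but are not identical.
# All domain names and addresses below are constructed placeholders.

# Character sequences that are easily mistaken for one another on screen.
# The "vv" -> "w" case is the one the article describes; the others are
# illustrative additions, not a complete confusables list.
CONFUSABLES = {
    "vv": "w",
    "rn": "m",
    "0": "o",
    "1": "l",
    "3": "e",
}


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address, or '' if malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1]


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so that 'lavv' and 'law' compare equal."""
    out = domain
    for seq, repl in CONFUSABLES.items():
        out = out.replace(seq, repl)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row (inputs are short domain names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains) -> str:
    """
    'trusted'   - sender domain exactly matches one of the firm's domains
    'lookalike' - sender domain is visually identical to, or one edit away
                  from, a trusted domain (treat payment instructions as hostile
                  until confirmed by telephone on a previously known number)
    'unknown'   - any other, or malformed, sender
    """
    dom = domain_of(address)
    if not dom:
        return "unknown"
    trusted = [t.strip().lower() for t in trusted_domains]
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if skeleton(dom) == skeleton(t) or edit_distance(dom, t) <= 1:
            return "lookalike"
    return "unknown"


def triage(messages, trusted_domains):
    """Return (sender, verdict) for every message whose verdict is not 'trusted'."""
    return [(m["from"], classify_sender(m["from"], trusted_domains))
            for m in messages
            if classify_sender(m["from"], trusted_domains) != "trusted"]


if __name__ == "__main__":
    # Constructed sample: one genuine sender, one "vv" lookalike, one stranger.
    firm = ["smith-law.co.uk"]
    inbox = [
        {"from": "accounts@smith-law.co.uk", "subject": "Completion statement"},
        {"from": "accounts@smith-lavv.co.uk", "subject": "New bank details for deposit"},
        {"from": "news@example.org", "subject": "Newsletter"},
    ]
    for sender, verdict in triage(inbox, firm):
        print(f"{verdict:9s} {sender}")
```

Running the block prints the lookalike and the unknown sender; anything marked "lookalike" is exactly the case in the article, where the only safe response is a call to the firm on the number supplied at the outset, never a number taken from the email.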
The client’s bank, Lloyds, commented that the blame had to lie with the client since they had ignored advice to call the solicitor, using a telephone number previously supplied rather than any telephone number given in the email received, before making any such payments. Lloyds had refunded £25,000 but this therefore left the client potentially facing further net losses of £75,000.
The payments were made to an account at HSBC, which confirmed that the account had been opened in accordance with its normal checking procedures, but that it had then frozen the account after its monitoring processes raised an alarm on receipt of the four tranche payments. Fortunately this prevented the fraudster from withdrawing the sums, which meant that most of the funds were still held by the bank and so could be refunded. Furthermore, since HSBC also admitted that errors had been made by its staff when the funds were first received, it agreed to repay the remaining amounts still due.
The client in this particular matter was fortunate that the fraudulent payment was identified by HSBC – many others who have been tricked in similar circumstances have not been so lucky and the article credited HSBC for having taken swift action to protect the funds while it investigated the suspect transfers.
The lesson to be learned from this example is that both clients and firms must be vigilant as to cyber fraud at all times during transactions and that in particular, firms must warn their clients as to the continual possibility that they will be subject to cyber fraud. It is not something that only ever happens to other people.
If firms are to resist cyber frauds of this type, then they will need to consider taking a number of preventative steps including:
- checking how and by whom money is handled. This could include making sure that clients are aware that the firm’s bank account details will not be changed by the firm at the last minute. Warnings to this effect should be given prominently in the retainer and in later correspondence, emails and on the firm’s website;
- confirming client and third-party accounts by making a small deposit (as little as £1) and getting the client or third party to confirm receipt of that sum. That way the firm can be sure that money is going to the correct account;
- being wary of any request to change payment details, and making sure that clients are likewise;
- if the lawyer or third party to whom money is to be sent is not well known to the firm, taking steps to verify them and their details (including bank details) before remitting any funds. Checking through their regulator is one way of doing this, as is using a service such as Lawyer Checker;
- having a policy that only approved staff can transfer money, and making sure that those staff are fully conversant with the risks and are trained in the issues that can arise;
- using protected email accounts, encouraging clients not to use a Hotmail or Gmail account for the transactions, and never communicating bank details via email in any event; and
- warning clients:
  - not to send funds to a bank account other than the one you notified them of at the outset;
  - not to use insecure public Wi-Fi systems to check their emails while house purchases are ongoing, as fraudsters often use these to steal information;
  - not to post statuses on social media about buying or selling their house or getting a mortgage. Fraudsters may get hold of this information and so become aware that the next step will probably be a large financial transaction;
  - to use strong passwords for their accounts and to have antivirus installed on their devices;
  - always to contact the firm at the telephone number provided at the outset and not to rely on number changes stated in emails – don’t even rely on websites, as they can be, and often are, hacked;
  - not to email bank details;
  - to be suspicious of emails that do not sound right, such as those that use terminology incorrectly or contain bad grammar; and
  - to be wary of opening attachments.
Remember, above all else, that if you as a firm do not take adequate steps to prevent cyber frauds from happening, it could be you and your firm that are found to have been responsible for the fraud being allowed to take place, and you, not the client, that ultimately lose out.