8 tips to combat fraud for legal practices
27/04/17
The well-publicised Mishcon de Reya £1 million fraud case, when its client was duped into buying a London property from a seller dishonestly posing as the owner, has sent ripples of alarm throughout the legal community.
Although conveyancers are an obvious target for the increasing threat of rogue house owners and buyer deposit redirection fraud, it’s not just conveyancing practices that need to be on their guard. As a legal practice, you’re tempting prey for cybercriminals, not only because you hold large sums of money, but also vast volumes of valuable client information.
The number, variety and sophistication of cybercrimes grow daily, ranging from distributed denial of service attacks and phishing scams to hacking and ransomware. To back up our argument, here are some recently quoted cybercrime statistics:
- National Fraud Intelligence Bureau’s 2016 figures show 159 recorded losses of buyer deposits, an 85% year-on-year increase
- Office for National Statistics quotes 5.8 million cybercrime incidents, which equated to 40% of all recorded criminal activity in 2016
- Action Fraud estimates the cost of cybercrime is currently £193 billion per year
- BIS Information Security Breaches Survey revealed that 81% of large organisations have experienced a security breach with the cost per company being, on average, between £600,000 and £1.5 million
And this is only the tip of the iceberg. Under-reporting is a big issue. Many cybercrimes go unreported for fear of criticism and disciplinary action. You have a professional responsibility, enforceable by industry regulators, to identify, contain and remediate breaches, cyberattacks included.
Aside from your regulatory obligations under the SRA Code of Conduct, you face new pressures from indemnity insurers who’ll want to see plans in place to thwart criminals when renewing policies and setting premium rates including run-off cover. There’s a plausible case for the need for a separate cyber insurance policy, over and above PII, to address the risks posed by cybercriminals and assist the recovery of potential losses incurred.
Not forgetting your other compliance responsibilities. The Data Protection Act 1998, Money Laundering Regulations 2007, Proceeds of Crime Act 2002, Terrorism Act 2000 and new EU General Data Protection Regulation applicable from May 2018 to name a few.
The stakes are high but there’s much you can do to mitigate risk by creating a robust, reliable and secure cyber environment. Access our previously published ‘Desktop security: 10 top tips’ article for more in-depth advice on how best to manage risks within your IT infrastructure. We cover topics such as operating systems, email attachments, file transfers, data back-ups, passwords and more.
Because cybersecurity is such a serious business risk, we’re extending our earlier guidance here with our eight top tips on combatting fraud so that you can take proactive steps to tighten your defences:
1. Beware of outside-of-the-norm behaviour and requests for monies
According to the Solicitors Regulation Authority (SRA), 75% of cybercrime reports are so-called ‘Friday afternoon frauds’. These cases involve criminals intercepting and altering emails being sent between two parties (solicitor and client), mostly bank details in order to redirect funds.
If you’re suspicious, raise queries, several times if need be, and ideally via a known telephone number rather than any number given in the email itself. As part of this, you could set up a dummy run with a £1 transfer. Once receipt’s been confirmed, you’re ready for the real McCoy. If it turns out to be completely legitimate, those concerned will appreciate your stringent questioning and testing.
2. Review your new client intake procedures
When new clients instruct your firm on their legal matters, what checks do you carry out on them? A cursory glance at someone’s passport, driving licence or utility bills is no longer sufficient for the purpose. Seek out as much detail as possible on both identity and credit history so that you’re confident your clients are who they say they are, have the means to pay for your services and that your hard-earned profits aren’t ending up in the greedy hands of racketeers.
Also, tell clients upfront – both face-to-face and within your client care documentation – that you’ll never ask them to send money to a different account than that already provided. That way, they can be on the lookout too and immediately contact you should they receive any communications of this nature.
3. Define your client money handling processes
Following on from the above, money is of course the biggest incentive, and the SRA has referred to £7 million of client money being lost to cybercrime in the last year. With the SRA Accounts Rules at the forefront of your mind, make a clear distinction between client and office monies, assign duties to your cashiering team members, designate reporting lines and outline timescales throughout.
For example, you may specify only appointed staff should transfer money and make it a habit to take deposits as late as practicable so there’s less money on account at any given time. As well as giving your clients a higher level of service, you’ll lessen the risk of financial theft.
4. Create disaster recovery and business continuity plans
To form an adequate series of responses to unexpected emergencies, attempted crime among them, produce carefully written disaster recovery and business continuity plans. These will contain information on the types of crises that could befall you, how you should act if they do, the roles of primary staff members, phases of recovery, emergency contact numbers, anticipated outcomes and records of test or genuine disaster situations. The ultimate objective is to put your firm in the strongest position to deal with critical incidents with minimum disruption to the running of your business.
This is yet another area we’ve written about extensively before. Read our ‘Top ten disaster recovery and business continuity planning tips’ for further details.
5. Develop a risk management policy and monitor activity
Prevention is always better than cure, so set out your preventative and detective measures within a risk management policy. These may range from IT-based solutions such as SSL encryption and anti-virus software to physical security devices such as CCTV surveillance and burglar alarms. Your policy will address how to classify, deal with and communicate risks.
Analyse your business closely for signs of unusual activity that could indicate the beginnings of an attack. The sooner you’re able to counteract possible violations, the better your chances of stopping criminals in their tracks.
6. Report every failed and successful attack
There’s an onus on you to do so, and the legal profession can only clamp down on cybercrime if we truly know the extent of unlawful activity and the methodologies employed. With more two-way conversations, trends can be recognised, scams identified at an earlier stage, alarms raised to others and appropriate responses carried out.
Notify the SRA, Action Fraud, Information Commissioner’s Office and/or your insurers.
7. Consider your employees’ role in your business and engage your workforce in best-practice risk management
Restrict certain tasks in your business, for example, software installation, to assigned personnel. Small steps such as these can go a long way to minimising exposure to risk. One weak link is all it takes to open your business to intrusion.
Similarly, if you employ home and remote workers, you’ll want to restrain the use of unapproved devices and removable media, both of which carry their own security risks and can expose your entire network to vulnerabilities. Set up some safe parameters for your staff to adhere to, then educate your personnel in IT best practice.
8. Evaluate your IT systems and suppliers
We’ve already briefly mentioned the importance of running the latest operating systems, performing automated back-ups, installing firewalls, and using dedicated anti-virus and anti-spyware software for protection against hackers. There’s readily available software to reduce risk even further. Anti-money laundering checks, credit screens, conflict of interest searches, proof of identity document capture and breach warnings will protect your matters and their associated finances.
Or, you can go a step further and enlist extra back-office services such as fully outsourced cashiering and payroll. Your outsourcing provider’s keen attention to detail will immediately highlight anomalies and alert you to dubious goings-on.
Remember the SRA Code of Conduct here. Ensure outsourcing agreements – be it for cloud software or outsourced services – allow you to comply with your client protection duties. And ask about ISO certifications for reassurance that your supplier conforms to international security standards.