New Fraud for High Street Firms
Recent reports of scammers using sophisticated viruses to target online banking customers prompts high street firms to focus on compliance.
Recent reports of scammers using sophisticated financial malware viruses to target online banking customers prompts high street firms to focus on onerous responsibilities in terms of compliance with the Code of Conduct and with the Solicitors Accounts Rules.
A number of cases have recently been reported which involve high street law firms falling victim to sophisticated malware viruses and having their client accounts targeted by online fraudsters. With the banks looking to investigate the firms’ own shortcomings firms have been left to find ways to plug the substantial hole made in client account and to keep the SRA from taking drastic action.
Using sophisticated computer viruses, scammers are able to remotely observe staff members as they unknowingly enter security details into a fake version of the firm’s internet banking portal. In some cases, staff members are asked to use a card-reader device to access their accounts. Once the fraudsters have access to these online accounts, payments can be made to offshore accounts where it can be very difficult to recover the stolen funds.
Firms are reminded to ensure that their anti-virus software is up to date and that viruses can be ‘caught’ from a number of different sources, including downloads, email attachments and other legitimate websites. Holding client money attracts onerous responsibilities in terms of compliance with the Code of Conduct and with the Solicitors Accounts Rules.
There are potentially damaging repercussions if law firms get it wrong. All law firms should be aware of the risks involved in handling client money. The SRA expects compliance with Principle (P) 10 of the Code:
“You must protect client money and assets”
It is a conduct requirement to keep client money safe. Clients and the public at large need to have confidence that client money is safe in the hands of solicitors. Everyone in a law firm has a role in keeping client money safe – not just the accounts team. The relevant SRA principles to observe are:
(P) 2: Act with integrity
(P) 6: Behave in a way that maintains the trust the public places in you and in the provision of legal service
(P) 7: Comply with your legal and regulatory obligations and deal with your regulators and ombudsman in an open and timely and co-operative manner
(P) 8: Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles (including the SRA accounts rules)
(P) 10: You must protect client money and assets
The SRA requires that firms take steps to minimise the risk of breaches:
- Keep client money separate from money belonging to the firm.
- Use each client’s money only for that client’s matter.
- Use money held as a trustee only for that purpose.
- Establish proper accounting systems to ensure compliance with SAR.
In respect of your accounting systems and procedures beware that sometimes people may try to trick you to gain access to your client account.
- Do not allow clients to talk direct to individual members of the accounts team. Accounts queries should be raised via the case handler who knows or recognises the client;
- Do ask questions of people – why are you being asked to provide information about your client account if they are not a client. Does the query relate to a specific client matter? It is important to know your client;
- Do not provide client bank account details to unrepresented opponents (say for payment of damages). Request a cheque or other financial instrument (e.g. bankers draft);
- Do not authorise staff to provide client bank account details over the telephone – details must only be given in writing to a named individual at a recognised address (letterhead/ Google search);
- Do not store bank details on your website;
- Only allow low levels of privilege to staff regarding accounts systems;
- Audit your data security;
- Use up to date anti-virus protection which includes a firewall;
- Require staff to use complex secure passwords and change regularly;
- Encourage staff not to open attachments from unrecognised email addresses;
- Monitor activity in client accounts closely and regularly;
- Be wary of emails from banks – contact the bank to verify the message;
- Educate staff on fraud prevention measures;
- Be vigilant!
For further information about Compli or to discuss any of the issues in this update, please contact Mickaela Fox, via firstname.lastname@example.org or Michelle Garlick, Partner, via email@example.com.