Bogus Law Firms and Identity Theft
Taking steps to protect your firm
The problems that solicitors and the public face from bogus law firms continue to increase and rarely a day goes by without there being a new alert to that effect on the Solicitors Regulation Authority website. It comes as no surprise, therefore, that the latest version of the SRA’s annual Risk Outlook report[i] – the 2016/2017 edition and the fourth to be published – should highlight this risk as one of the main ones being faced by solicitors today.
The Risk Outlook states that reports to the SRA about bogus law firms have doubled since 2012 to more than 700 per year. Moreover, it states “almost half of all reports of bogus law firms involve criminals copying the identity of an existing law firm” with the remainder usually involving “bulk emails from individuals claiming to be solicitors.”
Of all the security issues faced by solicitors at present, identity theft can be regarded as one of the worst since, not only can it lead to reputational damage for the firm in question and potentially harm relationships with clients and employees, it can also lead to a diminution in the trust that the public places in law firms and thus make the job of being a solicitor all the more difficult.
In this month’s article, we look at some of the issues involved and at some of the more basic steps that firms can take in order to prevent identity theft and defeat the bogus law firms.
What types of fraud are being perpetrated?
The Risk Outlook states that around “a quarter of firms have been targeted by cyber criminals with nearly one in ten attacks resulting in money being stolen” and that in the wider economy “around two-thirds of large businesses detected a cyber security attack or breach in 2015”.
It goes on to point out that most cybercrime involves an element of trickery such as the use of fake emails or phone calls to access information such as passwords. However, it should always be borne in mind that people are one of the key weaknesses in firms – not just the lack of systems – and it is vital that firms take steps to ensure that their staff are aware of the issues and potential threats.
Simply guarding against threats that have previously arisen is not sufficient either – fraudsters are constantly devising new ways to deceive. The report highlights one of the newest of these tricks, CEO fraud, where senior law firm figures are impersonated and staff, such as people in the accounts team, are ordered, often by email, to transfer money to pay an invoice. Such scams often take place on a Friday, so as to give the criminals more time to avoid detection and so as to target firms at what is often their busiest time of the week.
There are a number of potential information/identity crimes about which firms should be aware – including phishing, vishing, malware, social engineering and hacking – and these will be dealt with in more detail in a subsequent article on the wider issues of information security.
The concern here, however, is the very specific issue of bogus law firms, identity theft and the steps that firms should be taking to avoid them being subject to them.
Should firms be concerned?
So is this something that all firms need to be concerned about or is it simply a problem for others?
The view taken by the SRA is that it is unequivocally an issue for firms. Being used by criminals to perpetrate a fraud, even unwittingly, could be held to be failing to manage risk adequately within the firm and this, in turn, could lead to reputational damage and even the firm held liable for losses attributed to having dealt with a bogus firm.
An example of this is to be found in the 2012 case of Lloyds TSB Bank Plc v Markandan and Uddin  EWCA Civ 65 where a firm acting for Lloyds Bank in the completion of a mortgage had released the mortgage funds to fraudsters who were holding themselves out as a non-existent branch of a genuine firm of solicitors. Even though the firm was said to have been the victim of a fraud, nevertheless they were still held liable for breach of trust in paying away mortgage monies. The court’s conclusion here was that had the firm performed their role as solicitors with exemplary professional care and efficiency then they may not have been held liable but that material failing – including failing to establish that such a branch office actually existed, meant that they had not acted reasonably in the circumstances.
Moreover, there is a duty upon firms in the SRA Handbook 2011 to take steps to prevent this from happening. Principle 5 of the SRA Principles states that firms must “provide a proper standard of service” to clients whilst Principle 8 requires that the firm runs its business or that the individual solicitor carries out his or her role in the business “effectively and in accordance with proper governance and sound financial and risk management principles”. Failing to take adequate steps to prevent the firm’s name and identity being used by others would certainly be seen to be a breach of those principles. This is then backed up at various points in the Code of Conduct which provides, inter alia, that:
- you provide services to your clients in a manner which protects their interests in their matter (Outcome O (1.2));
- you keep the affairs of clients confidential (Outcome O (4.1));
- you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks (Outcome O (4.5));
- you have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook (Outcome O (7.2));
- you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified (Outcome O (7.3)); and
- you comply with legislation applicable to your business, including anti-money laundering and data protection legislation (Outcome O (7.5))
It is vital, therefore, that firms not only have in place a plan for how to deal with such events, if and when they arise, but that they also take steps to help to make sure that they do not become subject to such actions.
What is a bogus firm?
The SRA’s report “In the Shadows – the risks associated with bogus firms”[ii] defines a bogus firm as being any firm or individual not regulated by the SRA who pretends to be entitled to provide reserved legal activities or call themselves a solicitor. This is perhaps a slightly narrow definition as there are situations which may not fall entirely within it – for example where someone holds themselves out as being a legal professional for the purposes of fraud without necessarily attempting to undertake reserved work or indeed going so far as to claim to be a solicitor. Another situation which arises is where a business does not hold itself out as being a law firm but as working with a law firm which then turns out to be fictitious or bogus.
Not strictly a bogus firm, but one of which firms need to be aware is the firm that has fallen outside the regulation of the SRA. This might include solicitors practising without a valid practising certificate, a once genuine firm that has closed down but is continuing to operate as if it were an authorised practice, genuine firms who have set up, or allowed to be set up, fictitious or unregulated aspects to their work and individuals working within a genuine firm and using that firm as a front for carrying out illegal or unauthorised activities.
Whatever the definition, firms need to be vigilant to the unauthorised use by others of their name, identity, names of partners/members or other personnel, websites, email addresses, descriptions and social media profiles – to name but a few. What is more, they need to look inwards at their own staff and partners as much as they do outwards to third-ofparty individuals and organisations.
What activities do bogus firms engage in?
Bogus firms are undertaking an ever growing area of activities ranging from highly sophisticated and targeted identity-related crimes to fairly simple scams such as unsolicited emails or telephone calls to large numbers of recipients, requesting money and confidential information.
Bogus firms also operate in different ways. Some bogus firms target consumers directly whilst others target busy law firms in the hope that they will, for example, remit funds to them rather than to the correct recipient.
Among the activities aimed at consumers are:
- Inheritance frauds – where the bogus firm writes to a member of the public telling them that they are the beneficiary of the estate of a distant relative but that to benefit they need to pay probate or other fees so that the estate can be finalised;
- Fraudulent claims – where the bogus firm offers to act for the member of the public in a claim – sometimes genuine (for example following an accident) and sometimes bogus – and takes money from them in the form of upfront fees;
- Grants and winnings – where the member of the public is persuaded to part with fees so that they will obtain a grant or benefit from a lottery or competition win;
- Investments – pretending to act for a non-existent investment fund or company and attracting money from investors;
- Unpaid invoices – purporting to act on behalf of a supplier (real or fictitious) and threatening court proceedings unless an invoice is paid;
- Deposit frauds – where the person who has genuinely bought a service or goods from an unconnected third party and where they are being asked to pay an upfront deposit – for example to stop a holiday company or a supplier going under for cash-flow purposes.
In other activities, bogus law firms target genuine law firms and claim, for example, to represent the other party in a transaction and persuade the genuine law firm to send information or remit funds to them. This is what happened in the Markandan and Uddin referred to earlier.
How do bogus firms perpetrate the fraud?
The SRA, in its report on bogus firms, identified three types of bogus firms:
- Where the identity of a genuine firm or solicitor has been taken
- Where an identifiable firm or individual is holding itself out as a solicitor
- Where a fictitious firm or individual posing as a solicitor.
By far the most common involves the first of these three. CIFAS in their Fraudscape 2016 report[iii] state that identity fraud has increased by 49% whilst the SRA report states that almost half of all bogus law firm reports involved the theft of the identity of a genuine solicitor. Most usually this is done by:
- cloning the website of a genuine law firm,
- sending communications that claim to be from a genuine firm or solicitor when they are not – this can either be by electronic means or by letter using forged letterheads,
- using the details of a genuine firm or solicitor on the website of a bogus firm,
- creating a social media profile for a genuine person and using it to gain the trust of a third party,
- setting up a bogus branch office of a genuine firm, and
- taking over the identity of a closed genuine firm.
The second of the three involves the use of the name or identity of a genuine person or firm that can be independently verified using, for example, solicitor records but where there is no actual link to that person or someone who is holding themselves out as possessing a qualification that they either have never held or which has been stripped from them. Thus,
- someone without a professional qualification could hold themselves out as having that qualification
- someone without a professional qualification could hold themselves out as being someone else who did have that qualification or,
- someone who was a solicitor but who has ceased practising, or who has been struck off, could continue to act as if they were an authorised individual
The third and final type of bogus firm involves the situation where a firm or individual creates an entirely fictitious identity as a solicitor or law firm in order to carry out reserved legal activities or perpetrate some other form of fraud. In this scenario, there is absolutely no connection to a genuine solicitor or firm.
What can firms do to protect themselves?
Whilst it is essential that firms take steps to protect themselves against either having their identity stolen or used to perpetrate a fraud or to prevent themselves from being the victim of a fraud – either perpetrated in the name of another firm or by a totally fictitious firm – this may be easier said than done. This is especially the case where the fraud involves what appears at first sight to be a genuine law firm.
Amongst the steps that firms can take are:
- 1. Identity Checking and General Awareness
- When acting for a client in a transaction, don’t just check the identity of the client but check that of the solicitors purporting to be acting in the matter. In particular:
- Check to make sure that both the individual, the firm and the branch office in question is legitimate. Use the Law Society’s “Find a Solicitor” web resource [iv] of the SRA’s “Law Firm Search” resource [v] to make sure that all three exist and if you have any doubts rely on any contact details set out there rather than on any supplied by the firm itself. Remember that websites can be cloned and may not contain information that is accurate or truthful. If you have any concerns that there may be something not quite correct contact the firm’s listed head office or undertake further checks. Bear in mind that if the firm is not personally known to you then you may need to undertake far wider ranging checks than a mere web search – for example contacting another local firm or instructing some form of enquiry.
- If there are factors which give you concern, look into them and don’t just accept what you are told. Thus, if the firm’s website does not mention conveyancing but that is the transaction in which it is involved, find out why they are doing it. If the branch office is a long way from the main office, ask why this is the case. If the address with which you are corresponding does not feature on the website, ask why this is so – it may be innocent in that a fee-earner works from home or it may be a fraud. If the email address you are given is different from that for the firm as a whole, question it.
- Is there anything which strikes you as odd. Do the logos on letters match those on websites and in emails? Do letters and emails look as if they have been written by a fellow professional in terms of grammar, spelling, use of technical terms and layout? Do letterheads and websites comply with SRA requirements? Are partner names on letterheads or websites consistent with those contained in the “Find a Solicitor” website. There may be perfectly rational explanations for all these things – just do not assume that there are – check first.
- In the case of emails are they generic addresses (e.g. Yahoo, Gmail or Hotmail) or do they relate specifically to a firm’s web address (e.g. @smithsolicitors.com). Is the email address the same domain as the website address? On the website, do links actually go to the correct web address or somewhere else – try hovering a mouse over these and seeing whether the addresses match. Is the email for the person you are dealing with the same as their email address on an “official” website? If you have dealt with the person before, has their email address changed.
- Does the firm have a telephone landline or just a mobile number? Is the landline referred to in any business directories? Is the number that you are calling the same number as on their letterhead, their website or referred to in the Law Society “Find a Solicitor” website? Is the area code the correct one for the address they use? Are calls being diverted when you make them?
- If you have been supplied with bank details, are these correct? Check by contacting the firm’s account’s department using independently verified telephone numbers where possible. If it is overseas, ask why. If it is a bank which is not near the firm’s head office, ask why. Is the account name unusual? Speak to the bank and ascertain if it is the correct account for that firm.
You may feel overly suspicious asking such questions or taking such steps but if you are in any way concerned, or if you have not dealt with this particular firm on a previous occasion, then it is only an example of you being diligent and acting in the best interests of your client.
- 2. Ongoing review
- From time to time recheck the information that you have been given and ensure that it has not changed in any way. Make sure that the email addresses, phone numbers, correspondence addresses or bank details you have been given have not changed and if they have find out why. Do not assume that because everything was correct at the start of the transaction that it will continue to be so at the end. If anyone contacts you and asks you to change any of the original details, check that this is valid and make sure that your accounts department do not act on any changed information without first checking with you.
- 3. Monitoring your own firm’s online identity
- Periodically go online and search for your firm name and the name of all partners, fee earners and senior staff to see whether or not their names and or identities are being used by others. You should do this not only in the main search engines such as Google, Bing and Yahoo but look also in the less commonly used search engines also. Pay particular attention to any paid for adverts on such sites. Check out directory sites in particular as these may be directing potential clients to bogus firms.
Also, check all of the main social networking sites on a regular basis to make sure that no one is claiming to be you and/or your partners, fee earners and senior staff. This is especially important if you have partners and staff who do not use such sites. It would be easy, for example, for someone to go on to your website, save a picture of, and personal data about, one of your partners or staff and then create a wholly fictitious LinkedIn or Facebook page with the intention of using it to make themselves appear to be a legitimate member of your firm.
- 4. Protecting your assets
- If you have not already done so, purchase domain names for you or your firm – whether you intend to use them or not. This may not be possible if the name has already been registered – in which case try and buy the name closest to your own. Thus if johnsmith.co.uk is not available, try john-smith.co.uk or john-smith-solicitor.co.uk.
If resources are limited then you may wish to concentrate on the main domain name endings – .co.uk, .com or the new .uk rather than the less used ones such as .biz or .xyz. However, bear in mind that a bogus firm may use any domain endings that you have not used in an attempt to perpetrate a fraud.
Where possible set up a website on those domains or at the very least put in place a holding page linking back to your main website or containing your contact details.
Check on a regular basis that these websites have not been hacked and that the content AND ALL OF THE LINKS are correct.
Following on from the final point under 3 above, think about setting up Facebook, LinkedIn and Twitter accounts for yourself and your partners, fee earners and senior staff. Do this even if they do not want to post information. Whilst not impossible, it will be harder for someone to set up a false profile if a genuine one already exists. Don’t forget to monitor social networking sites at all times to watch out for bogus profiles.
- 5. Checking third party web sites
- If your, or your firms, profile features on any third party web sites then check to make sure that the details are correct and up to date.
Remember that you may not know which websites carry your details. Some websites post details without telling you in the hope that you will choose to purchase more comprehensive profiles. Therefore, check using search engines to find out where your profile is listed and check with colleagues who may have created a listing without telling you.
Monitor and amend profiles regularly to ensure that they are always up to date. In particular, make sure that your details on the Law Society’s “Find a Solicitor” web page about your firm and partners/staff are accurate and up to date.
- 6. Being Alert
- Take action if suspicions are aroused or something does not seem to be right. If someone refers to something online that you were not aware of, try and find out more from them and check to see what they are referring to. Be particularly wary if others claim to be involved in transactions with you that you were unaware of.
Ensure that others in your firm receive training or guidance on issues relating to security and that they are being equally vigilant. In particular, make sure that reception staff and secretaries are alert to receiving phone calls where callers think they have been dealing with your firm but there is no record of them having done so. Where this happens, try and get a contact name and number so that you can alert them to a potential fraud.
Check the SRA Scam Alerts (http://www.sra.org.uk/alerts/) on a regular basis to watch for bogus firms and make sure that everyone in the firm knows who they are so that they can take appropriate steps in their own transactions.
When dealing with others in a transaction, ensure that those whom you are dealing with are really who they say they are. This applies to everyone – not just solicitors.
- 7. Being Proactive
- The ActionFraud web site[vi] contains a number of suggested steps that firms might wish to take. These include:
- Verify new requests for orders, transfers, or changes to financial details by using client details already on file, or obtained from open source records (such as a company website). Consider doing so via two separate methods (e.g. email and telephone), in case one or the other has been hijacked by the fraudsters.
- Consider sending a confirmation email and/or text message to supplier when an invoice is paid, which includes the beneficiary bank name and last four digits of the account number that the payment has been sent to.
- Where funds have been paid out as a result of the scam, contact your bank and the beneficiary bank as soon as possible, so that they can attempt to prevent the onward dispersal of the funds.
- Ensure your computer antivirus software is up-to-date and that your staff receive regular reminders and training with respect to the on-going threats from malware and phishing emails, including social network invitations.
- Consider what your business makes publicly available, with respect to existing contracts and suppliers. Evaluate whether it is really necessary to publish information of this type in the public domain, given that it is also available to fraudsters.
- Ensure that all of your members of staff are aware of these scams and of the relevant security protocols in place to identify and prevent them.
- Notify insurers if you believe that there is a likelihood of a claim being made against the firm.
In addition, make your own checks as to client identities, third party identities and contact details – don’t rely on that which you have been told by others.
- 8. Putting in place risk management/business continuity plans
- Have a plan in place as to what to do if the firm should become the subject of a bogus law firm scam. Build procedures into the business continuity plan. Those procedures should include:
- Reporting the issue to the SRA – their email address for this is firstname.lastname@example.org
- Reporting the issue to ActionFraud – the UK’s national fraud and internet crime reporting centre –http://www.actionfraud.police.uk/
- Taking steps to notify any clients that might be, or might have been, affected by the scam.
- Amending web sites and other online details as soon as a problem is observed. Keep a list of web-site contact names/phone numbers/email addresses so that you can contact the offending web sites or online providers as a matter of urgency.
- Ensuring that everyone within the firm is made aware of the problem.
- If you outsource work, making sure that all outsource agents are aware of the problem.
- Appointing someone within the firm to carry out a full investigation to determine the severity and scope of any breach that has taken place.
- Putting in place procedures to set up a specialist call centre/telephone line to deal with any enquiries from those who believe they may have been affected by the scam.
- Having in place a system for checking to ensure that client data has not been compromised.
What can we do as a society?
Moving beyond that which can be done by individual solicitors, what can we do as a society? The CIFAS Fraudscape report referred to earlier refers to seven steps that we could be taking as a nation:
- Undertake better measurement. The UK does not have a single, agreed and coordinated measure for fraud and the associated victims and losses and until such time as we do we will never have a true understanding of the extent of the problem and we will not be fully equipped to beat it.
- Provide better information. A coordinated awareness plan needs to be undertaken so that everyone becomes more aware of the dangers of fraud and how we can avoid becoming victims of it.
- Widen prevention efforts. Anyone can become the victim of fraud and fraudsters are becoming ever more sophisticated and organised. Campaigns need to reach everyone and bespoke campaigns need to target particular sectors more receptive to messages in particular formats.
- Protect the vulnerable. Although fraudsters target everyone, there are those who are more susceptible to becoming victims of fraud, especially those who rely on others for their care or who lack capacity to make sound decisions about their finances.
- Work with the next generation of perpetrators. An increasing number of younger people are becoming involved in fraud – often unwittingly or without realising that what they are doing constitutes a fraud. Steps need to be taken to target those younger people and keep them away from such activities.
- Share intelligence. There needs to be less “silo working” and a greater degree of data sharing across sectors so that accurate pictures of criminality can be created. This will enable the better targeting of preventative measures.
- Adopt new technologies. Fraud prevention is like an arms race. As one method to prevent fraud emerges, fraudsters work to find a way around it. Businesses and individuals need to collaborate to develop new and innovative ways to keep pace with fraudsters, and even to get a step ahead.
Cybercrime in all of its forms is on the increase and firms have to be constantly vigilant about what they do, who they do it with and the precautions they take. Nowhere is this more important than in relation to identity theft and bogus firms. Although it is the criminal who is undertaking the actions that could harm a firm or its clients, it is up to the firm to show that it has taken the appropriate steps to prevent itself from becoming used by a bogus firm or dealing with a bogus firm in the belief that it is genuine.
Firms are not going to be able to compete with the cybercriminal unless they have a concerted plan for doing so and unless everyone within the firm is aware of the problem, trained in identifying threats and knows what to do if and when a threat is perceived. All firms should, therefore, have a policy to address the issues and a series of actions that can be taken both on a day-to-day basis when dealing with clients and other solicitors and in the event that things go wrong.
Remember it is always preferable to prevent a fraud than to deal with the consequences – and always better to appear too cautious before the event than negligent after.