Avoiding Cyber Scams
As the number of fraud warnings and scam alerts grows, so it becomes ever more important that solicitors take steps to guard against having their identity used by others to facilitate the commission of a crime.
The past month has seen 11 scam alert messages on the Solicitors Regulation Authority (SRA) web site dealing with situations where criminals and fraudsters have purported to be genuine solicitors' firms in order to perpetrate a crime. These alerts have included emails fraudulently sent out in the name of genuine solicitors’ practices, bogus web sites and fraudulent letters purporting to come from genuine law firms.
The Autumn Update to the SRA Risk Outlook highlights the problem of bogus firms and the SRA has produced a paper entitled “In the shadows: Risks associated with bogus firms” in which it highlights “the risks posed by individuals that operate through bogus law firms or by illegally presenting themselves as solicitors.” In that report the SRA state that “In 2013 we received 548 reports on bogus firms, a 57 percent increase on 2012. We have already received 454 reports in the eight months to August 2014, indicating that the number of reports received this year is likely to exceed those in 2013.”
This is not a problem that firms can afford to ignore. Being used by criminals to perpetrate a fraud, even unwittingly, could be held to be a failure to manage risk adequately within the firm, and this in turn could lead to reputational damage and even to the firm being held liable for losses attributed to having dealt with a bogus firm. It is vital, therefore, that firms not only have in place a plan for how to deal with such events if and when they arise but that they also take steps to help to make sure that they do not become subject to such actions.
What is expected of firms?
Clearly there is a limit to the extent to which firms can be expected to prevent fraudsters using their identities to carry out crimes. No firm can know who is going to be using their name to perpetrate a fraud, nor can they take steps to stop criminals from doing so. However, they can take steps to keep their identity under review and can put in place procedures designed to minimise the potential loss when such an event occurs.
One of the most common problems at present is that of the bogus firm.
In their report on bogus firms, the SRA states:
“Bogus firms increasingly use online methods to conduct activity. Almost half (46 percent) of all reports of bogus firms received this year involved the identity theft of a law firm or solicitor. This often involves the cloning of a genuine firm’s website. We have also noted an increase in individuals sending bulk emails, asking for money and confidential information, under the guise of being a solicitor or working for a genuine firm.
One of the key risks to consumers is the loss of money or confidential information. They may also suffer by receiving poor advice and representation. This is of particular concern because victims of bogus activity are not covered by the normal regulatory protections that apply when dealing with a regulated firm, such as access to the Solicitors’ Compensation Fund.
Access to legal services and public confidence may also be damaged if concerns about bogus firms deter consumers from seeking professional advice and support with legal matters.”
This is something that affects all solicitors. Principle 10 of the SRA Handbook places a duty on regulated firms to protect client money and assets. The SRA Code of Conduct 2011 provides in Chapter 7: Management of your business at Outcome O (7.02) that “you have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook, where applicable;” and at Outcome O (7.03) that “you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified;”
This has two key implications for solicitors:
- There is a duty upon solicitors when dealing with other firms and solicitors to verify that the other firm is who they say they are and not, for example, a bogus firm purporting to be a genuine firm. This would apply, for example, when sending money on behalf of clients as part of a property transaction or settlement of a debt.
- There is also a duty upon firms to take all reasonable steps to prevent their identity from being misappropriated. This means actively managing online reputations and being vigilant as to possible misuse of the identities of the firm and the individuals within it.
What can firms do in practice?
There are some basic steps that firms can take in order to minimise the threat of activity from bogus firms. These include:
Periodically go online and search for your firm name and the names of all partners, fee earners and senior staff to see whether or not their names and/or identities are being used by others. You should do this not only in the main search engines such as Google, Bing and Yahoo but also in the less commonly used search engines. Pay particular attention to any paid-for adverts on such sites.
Check all of the main social networking sites on a regular basis to make sure that no one is claiming to be you and/or your partners, fee earners and senior staff.
Protect your assets
If you have not already done so, purchase domain names for you or your firm – whether you intend to use them or not. This may not be possible if the name has already been registered – in which case try and buy the name closest to your own. Thus if johnsmith.co.uk is not available, try john-smith.co.uk or john-smith-solicitor.co.uk.
If resources are limited then you may wish to concentrate on the main domain name endings – .co.uk, .com or the new .uk – rather than the less used ones such as .biz or .xyz. However, bear in mind that a bogus firm may use any domain endings that you have not used in an attempt to perpetrate a fraud.
Where possible set up a web site on those domains or at the very least put in place a holding page linking back to your main web site or containing your contact details.
Check on a regular basis that these web sites have not been hacked and that the content AND ALL OF THE LINKS are correct.
Set up Facebook, LinkedIn and Twitter accounts for yourself and your partners, fee earners and senior staff. Do this even if they do not want to post information. If someone can get a picture and some basic information about you or your colleagues then they can set up a profile and pretend to be that person. This will be more difficult to do if that person already has a presence. Don’t forget to monitor social networking sites at all times to watch out for bogus profiles.
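The regular check on holding pages described above (that the content and all of the links are correct) can be partly automated. The following is an added example, not part of the original article: it assumes the firm keeps a list of the domains it controls, and the domain names and sample page in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Assumption: the firm's own inventory of domains it controls (placeholder names).
OWNED_DOMAINS = {"john-smith.example", "johnsmith.example"}
LINK_ATTRS = {"href", "src", "action"}  # attributes that can send a visitor elsewhere
# Constructed sample of a holding page whose links have been altered.
SAMPLE_HTML = """
<a href="/contact">Contact</a>
<a href="https://www.johnsmith.example/">Main site</a>
<a href="http://johnsmith.example/fees">Fees</a>
<a href="https://johnsmith.example.pay-portal.test/login">Client login</a>
<form action="https://forms.collector.test/submit"></form>
<a href="mailto:accounts@john-smith-solicitor.test">Accounts</a>
<script src="//cdn.unknown.test/a.js"></script>
"""

class LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute, including form targets and scripts."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in LINK_ATTRS and value:
                self.links.append((tag, value.strip()))

def host_is_owned(host, owned=OWNED_DOMAINS):
    """True for an owned domain or a subdomain of one (whole-label match only)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)

def audit_page(page_url, html, owned=OWNED_DOMAINS):
    """Return (tag, link, reason) for each link that needs a human to look at it."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.links:
        parts = urlsplit(urljoin(page_url, raw))  # resolve relative links first
        if parts.scheme == "tel":
            continue  # phone numbers are checked by eye against the firm's records
        if parts.scheme == "mailto":
            if not host_is_owned(parts.path.rpartition("@")[2], owned):
                findings.append((tag, raw, "mail to unlisted domain"))
        elif parts.scheme not in ("http", "https"):
            findings.append((tag, raw, "unexpected scheme"))
        elif not host_is_owned(parts.hostname, owned):
            findings.append((tag, raw, "points outside firm domains"))
        elif parts.scheme != "https":
            findings.append((tag, raw, "not https"))
    return findings
```

Calling `audit_page("https://john-smith.example/", SAMPLE_HTML)` reports five of the seven links. A finding is a prompt for someone to look at the page, since a legitimate external link (to the Law Society, for example) will also be listed until its domain is added to the inventory.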
Third party web sites
If your, or your firm's, profile features on any third party web sites then check to make sure that the details are correct and up to date.
Remember that you may not know which web sites carry your details. Some web sites post details without telling you in the hope that you will choose to purchase more comprehensive profiles. Therefore, check using search engines to find out where your profile is listed and check with colleagues who may have created a listing without telling you.
Monitor and amend profiles regularly to ensure that they are always up to date. In particular make sure that your details on the Law Society’s “Find a Solicitor” web page about your firm and partners/staff are accurate and up to date.
Take action if suspicions are aroused or something does not seem to be right. If someone refers to something online that you were not aware of, try and find out more from them and check to see what they are referring to. Be particularly wary if others claim to be involved in transactions with you that you were unaware of.
Ensure that others in your firm receive training or guidance on issues relating to security and that they are being equally vigilant.
Check the SRA Scam Alerts (http://www.sra.org.uk/alerts/) on a regular basis to watch for bogus firms and make sure that everyone in the firm knows who they are so that they can take appropriate steps in their own transactions.
When dealing with others in a transaction, ensure that those whom you are dealing with are really who they say they are. This applies to everyone – not just solicitors.
The ActionFraud web site contains a number of suggested steps that firms might wish to take. These include:
- Verify new requests for orders, transfers, or changes to financial details by using client details already on file, or obtained from open source records (such as a company website). Consider doing so via two separate methods (e.g. email and telephone), in case one or the other has been hijacked by the fraudsters.
- Consider sending a confirmation email and/or text message to the supplier when an invoice is paid, which includes the beneficiary bank name and last four digits of the account number that the payment has been sent to.
- Where funds have been paid out as a result of the scam, contact your bank and the beneficiary bank as soon as possible, so that they can attempt to prevent the onward dispersal of the funds.
- Ensure your computer antivirus software is up-to-date and that your staff receive regular reminders and training with respect to the on-going threats from malware and phishing emails, including social network invitations.
- Consider what your business makes publicly available, with respect to existing contracts and suppliers. Evaluate whether it is really necessary to publish information of this type in the public domain, given that it is also available to fraudsters.
- Ensure that all of your members of staff are aware of these scams and of the relevant security protocols in place to identify and prevent them.
- Notify insurers if you believe that there is a likelihood of a claim being made against the firm.
In addition, make your own checks as to client identities, third party identities and contact details – don’t rely upon what you have been told by others.
Put in place risk management/business continuity plans
Have a plan in place as to what to do if the firm should become the subject of a bogus law firm scam. Build procedures into the business continuity plan. Those procedures should include:
- Reporting the issue to the SRA – their email address for this is firstname.lastname@example.org
- Reporting the issue to ActionFraud – the UK’s national fraud and internet crime reporting centre – http://www.actionfraud.police.uk/
- Taking steps to notify any clients that might be, or might have been, affected by the scam.
- Amending web sites and other online details as soon as a problem is observed. Keep a list of web-site contact names/phone numbers/email addresses so that you can contact the offending web sites or online providers as a matter of urgency.
- Ensuring that everyone within the firm is made aware of the problem.
- If you outsource work, making sure that all outsource agents are aware of the problem.
- Appointing someone within the firm to carry out a full investigation to determine the severity and scope of any breach that has taken place.
- Putting in place procedures to set up a specialist call centre/telephone line to deal with any enquiries from those who believe they may have been affected by the scam.
- Having in place a system for checking to ensure that client data has not been compromised.
The SRA’s paper “In the shadows: Risks associated with bogus firms” can be found at http://www.sra.org.uk/risk/resources/risks-associated-bogus-firms.page
The Law Society’s Practice Note “Protecting your online reputation” can be found at http://www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-online-reputation/
The American Bar Association's report “Cybersecurity & Law Firms: A Business Risk” can be found at http://www.americanbar.org/publications/law_practice_magazine/2013/july-august/cybersecurity-law-firms.html
ActionFraud resources can be found at http://www.actionfraud.police.uk/resources