It is a sad reality that in times of crisis some people will seek to exploit others while attention is diverted elsewhere. It is therefore essential to consider the risks your firm, clients and staff are exposed to, and to communicate, update or reinforce policies so that nobody gets caught out.
Some firms have already started to see an increase in fraudulent activity. None of the methods being seen are new: fraudsters have been attempting to get at law firms' money and client money for a long time, and the systems your firm has built to prevent fraud and scams should, if they are applied, remain robust enough to protect you.
However, remote working has made supervision more difficult. You may need to review your policies, how staff obtain information and how they interact with their supervisors, to ensure that your procedures are fit for working remotely.
- Anti-Money Laundering (AML) and Client Due Diligence (CDD) – Most if not all law firms have appropriate measures in place to comply with their AML obligations. For many firms part of the AML process is to meet clients, either at the start of the matter or before money is transferred (for example prior to exchange on a property purchase). Obtaining signed identity documents and proof of address does not need to change, as these documents can still be sent to you. If, as a firm, you have relied on clients bringing documents to you, it would be wise to introduce online identification (one of our risk management partners, The Strategic Partner, has an arrangement with Veriphy for this purpose which firms can access, and which we recommend as best practice in any event). You may also be able to use video calls and ask clients, as part of that call, to hold up the documents they are relying on to verify their identity.
Be alert to new clients to the firm whom you have not previously met and, in particular, those who found your firm on the internet rather than through a recommendation. For such clients, depending on their legal need and the value of the matter, you should consider adding them to the high-risk register and performing enhanced due diligence. It may be appropriate to ask them to send you original documents rather than copies (subject to their being able to send them and you being able to return them).
What is very clear is that you must apply your experience. Any genuine client will understand the need to provide you with the proof you need to confirm their identity. Those who are not prepared to can make your life difficult and should be approached with caution.
Fraudsters rely on a weakening of your position to exploit your systems, so be careful not to allow this to happen, no matter how insistent a client may be.
If you do take on a matter without having been able to complete all of your usual due diligence, but are content to proceed because you assess the risk as low, record the matter on your high-risk register simply so that you return to CDD later and apply your normal requirements.
If you are going to accept instructions but not take certain action, such as receive monies, you should make this clear to the client so they are aware how far your legal advice will be taken and why.
Above all, apply your policies as best you can, do not compromise where practical and if it does not feel right, trust your judgement and experience.
- Change of Bank Details (yours) – It is not always your own systems that attackers target. A client's personal PC or webmail account is usually easier to compromise than a corporate system, and a fraudster who has access to a client's mailbox will use it against them: for example, an email purporting to come from your firm announcing a change of bank details and asking for money to be sent to the new account. Such emails often arrive shortly after you have genuinely sent the client a letter or request for payment, because the fraudster has read that correspondence in the compromised mailbox and times the request to fit it.
It is highly unlikely that you will be changing your bank details at the present time, and doing so is very rare in any event. Tell your clients that your firm is not changing its bank details and has no plans to. If they receive any form of notification of a change of bank details, even if it purports to come from your firm or a member of staff, they must call you on the reception number (provide it, or direct them to your website), and they must not call any number contained in the notification itself. If you ever do change your account details there will be a formal process and notification by letter; you would never announce such a fundamental change by email.
We are not advocating that firms ‘scare’ their clients into thinking something is wrong. We are operating in unusual times and a notification alerting your clients to fraud and scams is a prudent step to take and is ultimately done to protect them.
- Change of bank details (clients) – It is more likely, and more common, that a client changes account details. Again, a client whose mailbox has been compromised will not be obvious to you, and a change of bank details presented to you will look perfectly genuine. The only way to truly avoid this is, whenever such a request is made, to call the client on a number already held on the file (not a number supplied in the change request), ask them to confirm that the change is correct and read the new details back to them.
Require every change of account details to be confirmed in writing, whether a letter, a photograph from a smartphone or a PDF attachment, so that there is a record on file, but do not rely on the format for protection. A fraudster who controls a mailbox can read and replace an attachment or an image as easily as the text of an email, and the text in a PDF can be extracted and searched like any other document. The written record together with the callback to a number already on file is the control; neither on its own is enough.
- Fake invoices – A scam that has been operating for some time. Fraudsters know that larger businesses receive many invoices and try to 'sneak' a fraudulent one through in the hope that it will be paid in a batch run. Most staff are aware of this and firms have measures in place to deal with it. However, remote working adds new layers of exposure. If you have a payment requisition process, make sure you protect and maintain it. If you have thresholds below which staff can process payments without further authority, consider removing or reducing those thresholds.
It is far easier to pay a fake invoice in these times, so remind your cashiers and those approving and making payments to be extra vigilant.
- Fake emails – Again, email spoofing has been used for a long time to dupe people into thinking they are receiving an email from someone they know, only for it to emerge that the sender address was modified slightly or, worse, that a genuine email account has been compromised. By far the more common fraud is the slightly different address: a letter doubled, dropped or swapped in the domain name, or 'rn' in place of 'm', a subtle change that is easily missed in a busy environment, with the fraudster in full control of the misspelt domain.
Ensure your staff know to look out for this and to double check any email that seems unusual, even if it appears to come from the right person. Fraudsters rely on routine to bypass your systems.
A far more difficult issue to address is the compromise of a genuine email account. A fraudster who has taken over a mailbox may have read your correspondence, but will rarely know your internal processes, and a sudden request to make a purchase or send money is likely to be out of character. Regardless of anyone's status in the firm, there are systems and processes to follow, and your accounts staff should be told never to break protocol. They must check with you, by phone or in person, if something appears to be wrong or protocol is not being followed.
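The lookalike-address check described above, as an added example in Python (this is not code from the original article or from The Strategic Partner). It assumes a hypothetical firm domain, example-law.co.uk, and the sample From: headers are constructed for illustration. It folds the common substitutions (digit 1 for l, 'rn' for 'm', non-ASCII confusables) before comparing the sending domain with the firm's genuine domain, and it also catches the other frequent trick, a display name that shows a trusted address while the real sender is a webmail account. A genuine mailbox that has been taken over cannot be detected by looking at the address, which is why the process controls above still apply.

```python
"""Triage sender addresses for lookalike domains and display-name spoofing.

Added example, not code from the original article. Assumptions (hypothetical):
the firm's genuine domain is example-law.co.uk and the sample headers below
are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Single characters fraudsters swap in because they look alike at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "!": "i",
                            "3": "e", "5": "s", "8": "b"})


def normalise_domain(domain: str) -> str:
    """Fold a domain into a canonical form so visually similar domains compare equal.

    Accents and non-ASCII confusables (e.g. Cyrillic letters) are dropped,
    digits and punctuation that mimic letters are mapped back, and the pairs
    'rn' and 'vv' are folded to 'm' and 'w'. The fold is applied to both sides
    of every comparison, so it never makes two identical domains differ.
    """
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted_domains: set[str],
                    max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for an RFC 5322 From: value.

    'lookalike' means the real sending domain is not trusted but, after folding,
    is within max_distance edits of a trusted domain, or the display name shows
    an address on a trusted domain while the real address is elsewhere.
    Subdomains are treated as external unless listed explicitly. A compromised
    trusted mailbox is, by design, reported as 'trusted': that case can only be
    caught by process, not by inspecting the address.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted_domains:
        return "trusted"
    folded = normalise_domain(domain)
    for trusted in trusted_domains:
        if edit_distance(folded, normalise_domain(trusted)) <= max_distance:
            return "lookalike"
    # Display-name spoofing: '"partner@example-law.co.uk" <attacker@webmail.example>'
    if any(trusted in display.lower() for trusted in trusted_domains):
        return "lookalike"
    return "external"


TRUSTED = {"example-law.co.uk"}  # hypothetical firm domain

SAMPLE_HEADERS = [  # constructed for this example
    "Jane Partner <jane.partner@example-law.co.uk>",
    "Jane Partner <jane.partner@exarnple-law.co.uk>",    # 'rn' for 'm'
    "Jane Partner <jane.partner@examp1e-law.co.uk>",     # digit 1 for l
    "Jane Partner <jane.partner@exampel-law.co.uk>",     # transposed letters
    '"jane.partner@example-law.co.uk" <jp.urgent@webmail.example>',  # display-name spoof
    "Court Service <noreply@courts.example>",
]


def triage(headers, trusted_domains=TRUSTED):
    """Classify each From: header; returns a list of (header, verdict) pairs."""
    return [(h, classify_sender(h, trusted_domains)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:9s} {header}")
```

The edit-distance threshold of 2 suits a domain of this length; a very short trusted domain would need a smaller threshold or an explicit allow-list of known third parties, or unrelated senders will be flagged. Whatever verdict this produces, the rule in the text stands: anything marked lookalike, and any request for payment from a trusted address that is out of character, goes to a phone call on a number already on file.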
- Protect your premises – Ensure your premises are secured. With the Government now enforcing a lockdown, offices are likely to be empty for a period of time and burglars will be aware of this. Certain types of crime increase during a crisis, and burglary is high on the list. If you have not already arranged to remove items of high value, or of a sensitive nature, you should consider doing so. If this is not practical, do what you can to protect your premises. If you have an alarm, make sure it is set and that the list of people notified when it is triggered is up to date and working.
Ensure all doors and windows are locked, including internal doors, to make it difficult for anyone who gets in to move around the premises.
Consider installing a Wi-Fi security camera in the premises; they are inexpensive and effective.
What can be done is limited at this time, so protecting your premises as best you can and removing high-value or sensitive items may be as far as you can take this for now.
- Requests for data or information – Be alert to requests for information about your business, staff or clients. You almost certainly have a data protection policy that forbids sharing information unless a defined process has been followed. Unsolicited requests purporting to come from a government department, regulator or other authority are unlikely at this time and should be treated with suspicion; verify them through published contact details, never through details supplied in the request, before anything is provided.
This is the time to repeat your data protection and confidentiality procedures and to ensure staff follow them whenever they are asked to provide information to anyone.
- Protect data – As already mentioned, your data protection policy will set out how you protect your own and clients' data. Be aware that most firms did not have home working until now, and your data policies may not have considered it.
If, like most firms, you are giving staff home access to your systems, it is imperative that they understand their obligation to protect data. They must lock their PC whenever they leave it, particularly if there are others in the household. Paper files must also be protected: when not being worked on they must be put away in a cabinet, preferably a locked one.
With the sudden introduction of home working, not every environment will be practical, but your obligation to protect data does not change. Make sure your staff are aware of the need to protect data, ask them to act sensibly and to do what they can to secure it.
Where appropriate, update your data protection and home working policies so that staff are clear about what is expected of them.
- Check your systems and those of your staff – Most firms have anti-virus software installed on their systems. If you do not know when it last ran a scan, confirm this and run one to be sure your systems have not been compromised. Where you have allowed home workers to connect their own equipment to your systems, it is essential that their machines have up-to-date anti-virus software installed and running and a patched operating system, and that they have been scanned before connection is allowed, since an infected home PC puts your systems at risk. Most remote working goes through a browser-based portal or remote desktop session rather than a direct network connection, which limits what an infected home PC can reach, but that is no substitute for these checks.
- Attachments and email content – Sending sensitive details as an attachment rather than in the body of an email keeps them out of quoted reply chains and gives you a document to file, but it is not a technical safeguard. A PDF is not a picture: its text can be extracted and searched, and anyone who has access to the mailbox, at either end, can open an attachment or an image just as easily as they can read the body text. The protection comes from the process around the message: account details and other sensitive information must be confirmed by calling a number already on file, and staff and clients should be told never to act on details received by email alone.
- Monitoring and Supervision – Be aware of the need to monitor and supervise your staff while they are working remotely, and watch for any out-of-character or unusual activity. It is essential that you know what your staff are doing. Remind them that they can turn to the supervisory structure for advice and guidance whenever they need it, whether that concerns them personally or a file. Your staff need to be supervised, and so does their activity.
Ensure your staff are aware of the policies and processes you have in place to supervise them, and use this as an opportunity to restate what those are. A firm with a robust risk and compliance plan will have policies in place, with notification forms and registers to track, monitor and evidence compliance with them.
With remote working a reality, this is the time to test the effectiveness and robustness of your policies.
You may need to adjust your working practices as you introduce new ways of working, and you must communicate those changes to your staff. Ensure your policies keep pace with the way you work and with how you expect your staff to interact with their supervisors and their clients.
We hope the above guidance is useful and covers areas you may not yet have considered. Protecting your business in changing times is essential, and that means ensuring your practices are robust and kept up to date.
At The Strategic Partner, we work with firms to ensure they have and implement risk and compliance structures which protect them, alongside proportionate and sensible ways of working so that they are and remain compliant. Details of our compliance service are available at this link: Law Firm Regulation & Compliance
We are also offering our member firms the opportunity to undertake a free consultation to discuss any issues and concerns they may have. Free Business Consultation
If you need to contact us for any reason you can call us on 02039119710, email us firstname.lastname@example.org or visit our website to make an online enquiry.