Services
People
News and Events
Other
Blogs

Friday Afternoon Fraud and Protecting Client Money

  • Posted

 

Finding out cyber criminals have targeted your law firm is awful, especially if you were in the belief that you had put in place due diligence and protection.

If you are a COFA, ask yourself what would your legal cashier/s do if they received a threat? Vishing criminals’ jobs are to convince their victims that they are doing the right thing by responding to them as the caller. Often the caller will pretend to be calling from the government, police, or your bank. They will have done their homework, which is why they are so convincing.

Before we dip into our blog on Friday Afternoon Fraud, don’t forget our free EBOOK guide which gives scenarios of different digital frauds and attacks, which you can download HERE.

We will glean content from the Guide too for this blog.

Vishing “Friday Afternoon” Fraud Attacks 

Firstly, vishing (as opposed to phishing) is when a fraudster uses the phone to contact their target.

There are a few scenarios and case studies we could give, but let’s concentrate on a typical version of events we see often see unfold. Imagine it’s Friday afternoon, many of your colleagues might have gone home; are possibly part-time and don’t work Fridays; are working from home; the managing partner could be on holiday; the COFA is on a training day; and your conveyancing clients are waiting for their completion to go through to get those keys!

So many days are such as the above in a legal practice, it’s nothing out of the ordinary; but what is different about Fridays? Feeling sluggish and ready for the weekend, has your mind slightly switched off? Possibly not, but cybercriminals think they probably are.

The Legal Cashier

What would our law firms do without our legal cashiers?  Let’s think of the story of SARAH.

Sarah is legal cashier in a law firm practice, been there part-time for several years. It’s Friday at 2:30pm and it’s busy in the office. Sarah’s firm has five partners and is growing quite rapidly, expanding on a new area of law. The fee earners are busy trying to get work off their desk for their clients by the end of the day and the accounts’ team is on its knees.

The receptionist has put through a call to Sarah from the fraud team at the Royal Bank of Scotland (RBS). It sounds serious so Sarah speaks to John from the RBS fraud security team as there are no compliance officers in this Friday and many of the firm work remotely too.

The security checks are conducted of course, and John tells Sarah that two fraudulent payments have been set up on a client account. Time is critical.

Conveyancing Transactions and Completion Dates

Friday Afternoon Fraud, yes, it’s a thing, just ask the Solicitors Regulation Authority!

As homeowners and conveyancers, together with estate agents, know the majority of completions of property conveyancing transactions take place on a Friday, it’s no wonder that there will be more opportunities to use these busy days and timing vulnerabilities for fraudsters to attack.

The pressures on time and resources for conveyancers and legal cashiers can be immense.

Criminals know they have the added advantage of being just before the weekend, decreasing the possibility of detection as businesses close on Saturday and Sunday.

The Legal Cashier and the “Bank’s Security Officer” – the Telephone Call

Here’s the outline of the call – back to Sarah, the Legal Cashier, on the phone to John at the RBS.

  • John asks Sarah if her practice that she works at has an office in Aberdeen, where the payments have been set up.
     
  • Sarah is told not to login into the RBS Bankline site because her credentials have been compromised. RBS has fortunately been able to freeze the payments, but they still need to be cancelled from the system.
     
  • John informs Sarah that she should call her line manager to authorise the fraud security team to cancel the payments from the system.
     
  • Sarah ends the call with John and calls Jenni, her line manager.  Jenni’s PA answers and tells Sarah that Jenni isn’t available for the rest of the day. She explains that she is aware of the attempted fraud and has just authorised the fraud security team to walk her through the process of cancelling the payments.  Back on phone to John at RBS, Jenni’s PA transfers Sarah back to him.
     
  • To cancel the fraudulent payments, John asks Sarah to enter a passcode into her RBS card reader and then type the response into the telephone’s keypad. Sarah provides this information in full.
     
  • John confirms the payments have been cancelled and tells Sarah not to login until she receives an email from the RBS Bankline team with instructions to reset her compromised login details.
     
  • After waiting for more than an hour, Sarah calls Jenni again and this time manages to speak directly with her. Jenni has no idea about the fraudulent payments, and this is the point at which Sarah realises what has happened. Two payments totalling £80,500 have been stolen from the client account.

How did this happen?!

The criminals had already identified Sarah’s law practice that she worked at as a potential target and carried out research on the firm (including looking at their social media presence too, and then funnelling down into personal social media of some of the employees).

Pretending to call from another firm of solicitors, the attacker has called Sarah’s law firm’s reception to find out who deals with payments. The criminal is savvy with terminology for banking terms and has prepared for eventualities in the conversation.

The attacker first sends a phishing email to Sarah in the accounts department. She clicks on a link, which releases a keylogger program onto her computer. The keylogger program covertly monitors and records all the keystrokes made on Sarah’s keyboard and enables the attacker to validate the customer ID and password details for her RBS Bankline account. Using Sarah’s customer ID and password, the attacker then logs into the RBS Bankline site and sets up the fraudulent payments. The attacker has more than one accomplice on this occasion, including one posing as a secretary (Jenni’s PA…!). They pounce and make the call to gain the final piece of the jigsaw - the card-reader details needed to release the payments.

The attacker uses telephone-hijacking software to manipulate caller IDs and prevent call recipients from fully hanging up. When Sarah attempted to call Jenni (her line manager) on the first occasion, the line is in fact still connected to the attacker.

What are the repercussions from the Friday afternoon attack?

It’s a sickening feeling, especially as Sarah believed she had covered herself and checked with her line manager, it all seemed so above board.

COFA TRAINING WITH THE ILFM

In comes the compliance officer!

Sarah informs Matt, the head of finance, who is also the COFA, about what has happened. Matt then tells the partners what has happened (stolen client money) and immediately informs the bank. He is told the funds have been sent to an overseas account and are unlikely to be recoverable.

Next step?

Matt and the partners of the law firm know that they have to call their professional indemnity insurers, because the PII policy covers stolen client funds.

The firm MUST transfer money from their office account to the client account to cover the stolen funds’ shortfall, as required under rule 7.1 of the SRA Accounts Rules 2011*. A material breach is reported to the SRA.

£80,500 is a lot of money, but fortunately for Sarah and Matt’s firm, they can afford to cover the shortfall.

* You must not use a client account to provide banking facilities to clients or third parties. Payments into, and transfers or withdrawals from a client account must be in respect of the delivery by you of regulated services

As expressed in our EBOOK, what can be done to pre-empt attacks? Download HERE.

What is vishing? 

Vishing is a fraudulent scam, using telephone communications in an attempt to trick a target into surrendering private information that will be used for stealing identity or money. The attacker usually pretends to be a legitimate business: in this case, the fraudster pretended to be from the bank’s fraud security team.

Route to client money

In this scenario the attacker has stolen money from the client account by first gaining access to the firm’s online banking account. He then poses as the bank’s security team, tricking the (extremely busy) legal cashier into releasing the card-reader details to release the payments to the fraudster’s account.

Preying on human behaviour

The attack started with an email to Sarah. The email seemed legitimate at first glance, and this seemingly professional email then prompted her to opening an attachment or clicking on a link: this installed the malicious keylogger software on her computer.

Most of us trust people and especially those in a position of authority.

The attacker then exploited the trust Sarah has in the bank’s fraud security team.  As many of us would feel, on a Friday afternoon, busy with transactions and not many people left in office – Sarah is grateful to John and the RBS team as they have ‘prevented’ payments leaving the firm’s account.

The fact that Sarah calls her line manager herself and speaks to her supposed PA adds to the plausibility of the caller.
 

ILFM and SRA – What are the correct accounts procedure
 

  • Verify any caller at the bank by using a mobile phone to call the bank back on a telephone number you have previously validated.
  • Use training to raise awareness and to make sure your cashier and accounts team are aware of vishing scams. Some banks and insurers provide audio recordings of vishing calls (made by actors) to raise awareness and give an insight into how the fraudsters attempt this scam

 

ILFM and SRA - banking tips – protect your firm

  • Banks will never ask for your full online PIN, username and password.
  • Banks will never ask over the telephone for your PIN, password or codes for smartcards and readers. 
  • Banks do not send emails to reset users’ access to online banking.
  • Never open attachments purporting to be from a bank’s security team.
  • Make sure you download any security software your bank offers.

Top Tips from the SRA and ILFM for Cybercrime and Friday Fraud Protection

  • Plan your response with a cyber-risk incident plan
  • Foster a positive "no-blame" culture
  • Monitor, record, analyse and respond
  • Integrate cybersecurity into all your processes
  • Know your reporting requirements
  • Train staff and raise awareness in clients

The ILFM works in conjunction with the SRA’s Accounts Rules and best advice on law firm cybercrime and fraud attacks, and our membership, training and qualifications will allow your legal cashiers, COFAs and Practice Managers to feel at ease in their knowledge that they are aware of ever evolving digital and malicious attacks.

Here’s our membership details: MEMBERSHIP

Here’s our training details:  TRAINING

And here’s our contact details if you’d like to chat or find out more about how we can help you.

Last but not least, have a look at the Government’s Cyber Essentials Scheme too, if you haven’t already.

 

We hope this helps towards protecting your legal cashiers and your client's money.

Comments