During periods of crisis or upheaval where most of us see worry, stress and concern, fraudsters see opportunity.
Where there is an event occupying the public mind, e.g. a general election or a global health issue, or where people are distracted by a crisis or a period of change, fraudsters will seek to use the event or subject of the crisis as a route to yet another ingenious fraud.
The COVID-19 outbreak is no different. This is probably the period of greatest social upheaval and change which any of us have experienced and, I bet, rather than worrying about their health or virus transmission, the fraudsters of today are turning their minds to how they can exploit the situation and prey on businesses or the unsuspecting public.
Their aims will often be to find opportunities to install malware in your systems or gain access to personal information. This could take the shape of bogus emails purporting to be from government authorities or public health organisations directing recipients to click on links for updates on COVID-19 spread, government containment actions or other aspects of the pandemic.
As members of the legal profession, you are already in the sights of the fraudsters as a potential target, as we have so often reported in the past. Now, not only do they have target firms with large client accounts and lots of data and information, they also have firms who have many more things on their minds than usual and, very likely, teams of people working remotely at home.
The fact that solicitors can no longer verify instructions face-to-face with their clients makes firms more susceptible to risk and fraudulent activities. Fraudsters will exploit the fact that solicitors can't meet with their clients.
Obtaining bank details from clients suddenly becomes more risky – if not at an initial face-to-face meeting, then how? Obtaining them by video call or by post would be an obvious solution, with a secondary means of verification where possible.
The Law Society has published guidance on non-face-to-face ID and you might want to refer to that: https://www.lawscot.org.uk/news-and-events/law-society-news/coronavirus-updates/
All of this presents a perfect storm as far as fraudsters are concerned. Experts expect a rise in malicious campaigns, some of which will be specifically targeted at remote workers.
It's not just emails you need to watch out for – phone scams will be rife too, so staff need to be on their guard when answering any cold calls or any calls which are out of the ordinary or just don't 'feel right'. Many business phones will be directed to personal mobiles and this could impact how staff answer calls or how they react to unusual requests.
Fraudsters' activities at this stage will be aimed at gaining access to systems or information, but once they have that, firms need to be on their guard even more, in case the firm is specifically targeted. The most common fraud will be a client account fraud where they seek to have the firm change the destination bank account for a payment. They do, on occasion, target a firm's client, pretending to be you, the solicitor, advising of a change of bank account for the firm.
We've all heard the horror stories. Well, I'm sad to have to tell you that in the week commencing 23rd March, we have already had two instances of potential client account fraud reported.
What to do to help avoid falling victim to fraudsters:
- Make your staff aware of the risks – not just what to look for in emails or phone calls but to recognise that the current situation may make us more vulnerable to falling victim to fraudsters through stress, distractions at home, or simply a different routine. It will be time well spent.
- Introduce new methods for client ID and establishing the client's bank details.
- Be very wary when receiving emails from an unknown source, especially where they are using COVID-19 as a subject to grab your attention.
- Review your processes and controls around payments to ensure the controls still work when staff are working remotely.
- Use two-factor authentication for changing bank accounts and for authorising payments.
- Never accept an emailed instruction to change a destination bank account - Never! Never! Never!