The recent report of a significant loss suffered by a client following the interception of an email by a gang of fraudsters has sparked a debate about the suitability or otherwise of communicating with a client via email, especially as regards the exchange of financial information.
Mr and Mrs Lupton sold a flat for £340,000. Two days before the set completion date of February 27, Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.
Mr Lupton replied and, unfortunately for all concerned, the email was intercepted by fraudsters.
Posing as Mr Lupton, the fraudsters emailed Perry Hay & Co again instructing them to disregard the previous details and send the money to a different account instead.
The sale completed and, following the discovery of the fraud, the account was frozen and £271,000 was returned to the Luptons, but the balance of £62,000 had already been withdrawn by the fraudsters.
Speaking to the Daily Telegraph, Robert Loughlin, executive director at the SRA, said: “We are very concerned about this continuing activity. The fraudsters are highly sophisticated in their approach. All firms should ensure that their own, internal systems for guarding against scams are up-to-date and that staff know how to implement them.”
Unfortunately, the SRA did not seize the opportunity to provide guidance. There is an element of common sense involved, but that is easy to say in the cold light of day and less simple to implement when faced with the intensity and pressures of a busy day of completions.
So what can be done to reduce the risk of falling victim to fraud?
Some commentators speak about the need for encrypted email, but I question whether this is a practical solution and, more to the point, one that is really necessary.
The first and most important step is to make sure there is a very clear and coherent policy prepared on how to deal with the transfer of client funds and to make sure every single member of your business knows the policy and knows it by heart.
The policy should require that any bank details supplied to you by a client are always verified by calling the client and taking the client through some security questions, that is, questions to which only the client would know the answers. You should avoid questions such as date of birth, file references and any other information which a determined fraudster may have gleaned.
I also recommend that you always ask the client to send through a copy of the bank statement relating to the account into which the money is to be paid. This can then also be used to verify the bank details. I know a bank statement can be replicated, but if you have asked the client to forward this to you when speaking with the client over the phone, the chance of a fake statement being sent through is remote.
I also suggest that significant sums of money should only be returned to clients after this has been authorised by a director or partner of the firm. This will add a second layer of security, since the director or partner can then check that the policy has been followed.
We operate in an uncertain world full of people who operate tirelessly to defraud others - we must be more vigilant and careful with our clients' money.
Interestingly, following the crime, Perry Hay & Co said it did not believe it was at fault and that the Luptons would have to suffer the loss. I am not sure about that!