Of late, there has been an increase in the number of law firms being targeted by fraudsters. Regrettably, and despite the best efforts of most firms, given the large sums of capital involved in professional services, bad actors will always look to profit.
A matter for further concern is the fact that these criminals are growing in sophistication. Organised crime gangs are looking specifically to defraud law firms and their clients with the UK Government estimating that 1,400 criminal organisations are actively targeting the UK’s legal sector.
And these gangs aren’t using traditional hacking techniques.
Instead, they’re relying on social engineering to persuade unsuspecting and vulnerable clients to ‘self compromise’.
One common form of fraud is email redirection fraud, which accrued £123.7 million in the UK in 2018. Here are some recent examples:
- A solicitors’ firm in south-west London employed an individual who stole the identity of a solicitor in order to facilitate a £1.2m conveyancing fraud. As a result, the firm’s founder has been struck off, due to her firm not having the correct security in place.
- A west London solicitor paid out £165,000 of client money after falling victim to two email scams. The firm was holding £330,000 for a client. Following a string of fraudulent email activity, the solicitors sent half of the money to fraudsters. Sadly, the £165,000 shortage on the client account was not replaced by the time the firm was closed down.
- In September 2019, a home-buying couple received an email from their solicitor asking for the £45,000 deposit to be paid. They sent it through the Lloyds banking app to an HSBC business account. However, the email was from a fraudster who had hacked the solicitor’s email system. Lloyds and HSBC have denied liability. As yet, there has been no resolution and the couple are still out of pocket.
Cases like these are on the rise as scammers' techniques grow in sophistication. These have found their way into the press and, as a result, they’re eroding faith in the legal profession amongst practitioners and clients.
To halt this erosion, the profession and their security providers must do more to protect all participants. With 60% of law firms reporting a security breach in 2018 and the news that the average loss from a fraudulent attack is over £173,000, all firms need to up their efforts to secure their clients’ assets. But even firms with the best intentions and systems – such as those with Cyber Essentials Plus certification – are susceptible. That’s because the technology used by crime gangs seems to be outpacing the technology of law firms and their security providers.
In response, and in order to rebuild trust across the industry, certain technologies and practices must become commonplace throughout the legal profession. One improvement that all law firms could implement is to employ Third Party Managed Accounts (TPMA), an account type designed to protect against many of the most prevalent forms of fraud.
TPMAs have existed in the form of escrow facilities for high-value transactions for some time. Historically, they’ve been time-intensive and expensive to set up, but innovation has radically reduced the time and cost, meaning TPMAs are now a viable alternative for law firms who operate client accounts for everything from accepting clients to routine property transactions.
If we look at the cases above, a TPMA could have kept fraudsters at bay.
For example, if a solicitor uses a TPMA, the TPMA provider must verify the identity of a third party, using ID scans, document uploads, video liveness checks, and electronic verifications such as geolocation, before a payment is processed. This means that, for example, a fraudster could never impersonate a solicitor and request funds.
With fraudsters growing in sophistication, there’s a chance they may be able to hack the TPMA account and give instruction to a solicitor and to the TPMA, which could lead to fraudulent activity. However, TPMA providers are now providing additional technology that is making them much more difficult to breach.
For example, if a hacker tried to access a TPMA, some providers now require that the details of the transaction still be verified. Any authorisation or password change on a user’s account would require the entry of a one-time PIN that is sent to the user’s mobile number. This is an encouraging extra layer of security and a good example of how security providers are trying to stay ahead of the fraudsters.
At Shieldpay, we know that there will always be bad actors attempting to defraud professional services firms, especially in legal services. The system will never be perfectly secure. However, we believe that all law firms, of all shapes and sizes, should be undertaking a fundamental level of security that keeps their clients safe, especially when it comes to handling client money.
Our technology is designed to protect against this sort of fraud, especially our deployment of Third Party Managed Accounts (TPMA). We’re the leading provider of TPMAs and they’re becoming widely used by professional services firms, including legal practices, to secure payments and client cash, offering a solution that we hope will keep law firms and their clients safer, restoring faith and trust throughout the profession.