Cybercrime and Fraud
It wasn’t even Friday…
Fraudulent emails in property related transactions are the most common cybercrime in the legal sector, with at least £12m of stolen client money reported in 2017, according to the Solicitors Regulatory Authority. In recent years these attacks on law firms, often dubbed ‘Friday Afternoon Fraud’, have been increasing in number, value and sophistication.
Typically, the aim will be simple: to hijack a transaction at a key stage so that the firm sends the fraudster money.
Fraudsters often strike at the end of the week, in the knowledge that many lawyers and Finance Teams are under pressure, with multiple completions and the transfer of large sums of money routinely taking place. By doing so, such fraudsters deliberately seek to exploit the loss of judgement that can come with enhanced pressure and fatigue.
Previously, frauds may have involved one or two unsolicited emails or calls. Frauds may now involve the hacking and modification or control of multiple email accounts so that, from a firm’s perspective, it is faced with instructions, explanations, affirmations and demands for action from what may appear to be several legitimate sources. This multi-layered approach enables the fraudster to deflect suspicions and increase the pressure on the firm to do their bidding. It can dupe even the most sophisticated and successful lawyers. We have recent experience of a firm targeted in such a scam, resulting in a loss of more than £1 million.
The firm was in the final stages of concluding a large real estate transaction on behalf of a longstanding and valued client. The client partner, a highly successful lawyer with over 20 years of experience, was working within a thriving Real Estate department. The task before the firm was, on the face of it, simple and expected: transfer the sale proceeds to the client.
On a Tuesday, the partner was cc’d into an email purportedly sent by the client’s Finance Director (the “FD”) to the client’s property agent. This email referred to an earlier conversation between the client and agent, and requested that following that conversation, sale proceeds of more than £1 million should now be transferred to the client’s new account. The FD’s email gave a legitimate looking contact telephone number (using the correct area code for the client company).
“As discussed over the phone, You can inform [the partner] that sale proceeds … can now be transferred to the exchange bank details in the attached document.”
The attachment was a simplistic Word document providing the account details, which were for an account in a non-EU jurisdiction. The partner replied to the email from the FD, to clarify the precise sum to be transferred. He then instructed his PA to process the transfer. The firm’s bank telephoned the firm’s Finance Team to query this large transfer to an unfamiliar account, in a different jurisdiction. To address the bank’s query, the same day the PA tried to telephone the FD on the contact telephone number provided in the email. There was no answer and a voicemail message was left by the PA explaining the need for payment authority. A brief email was received from the FD in response,
“Thanks call, ….. Let me know as soon as transfer goes through.”
The PA then left another voicemail message seeking further verification, to which the FD replied,
“Hello …., got your voicemail message. I am unable to take your call. Yes, kindly proceed with a payment to our foreign exchange company account as informed. You have my full authorisation on this. Thank you for your confirmation. Let me know if you need anything else.”
On the Wednesday morning, the partner sent an email to the client’s property agent direct (not copying in the FD or the main client contact) to seek an explanation as to why their mutual client was changing bank details to an account in an unexpected jurisdiction, in a different name. The agent replied by email,
“Sorry for my late response in this, I have a series of meetings ongoing and I will try and call as soon as I can. They are having some banking problems with their [usual] bank account ……… so they sorted a better option through foreign exchange, I recommended a few though. [They] confirmed during our last meeting here ….. and I don’t think it is a problem since the foreign exchange company is well known to them, as they confirmed during their last week visit and have also given authorisation for it. If the funds are available for release you should release, I don’t see any reasons for holding it back longer. Is there money, there choice. I will try and catch up later. I hope this answers your questions. If it is urgent, send me an email. I will reply as soon as possible.”
This seemed to allay the partner’s concern.
The partner then emailed his PA and the firm’s Finance Team to confirm that he had carried out the necessary checks and that the transfer should go ahead. The transfer was duly made on the Wednesday.
On the Thursday, the (genuine) client emailed to enquire why the funds had not been received. A ‘stop and recall’ was immediately put on the payment by the firm’s bank, but to no avail. The full sum had already been withdrawn from the overseas bank, in cash.
The multi-layered attack
It quickly became clear that the property agent and the client had been subjected to a sustained and highly sophisticated cyber-attack. Layers of hacked email accounts and a false email address had been specifically created to target the transaction. These included:
• A fabricated email account for the FD.
A single character was changed so that the address was akin to ‘NAMEaccounfs@gmail.com’ instead of ‘NAMEaccounts@gmail.com’. This email account was used to provide:
a) The initial fake instruction.
b) A ‘back story’ suggesting that the FD and the agent had discussed the change in bank account already.
• Hacking of the property agent’s email account.
All the emails to and from the agent originated from their legitimate email address. On investigation, it transpired that the agent’s account had been hacked, monitored and carefully controlled by the fraudster. The emails purportedly sent by the agent looked legitimate to a recipient (same email address and footer), but the hacker appears to have had control over what the genuine agent could and could not see. The emails sent from this hacked account served three main purposes:
a) To provide affirmatory detail of the back story provided by the FD (that the agent knew about the change in bank details and that discussions and meetings had taken place about this).
b) To provide reasoning for the change in bank details, namely (unspecified) banking problems and a foreign exchange preference.
c) To apply pressure on the firm to do the client’s bidding (“If the funds are available for release you should release, I don’t see any reasons for holding it back longer”).
• Hacking of the main client contact’s email account.
It was subsequently discovered that the fraudster also had gained control over the client’s main email account. This additional step appears to have had several purposes:
a) To monitor the transaction and pick the right moment for the fraudulent attack on the firm.
b) To affirm the fraudulent instruction. The main client contact’s legitimate email addresses were cc’d to several of the instructing emails. This gave the impression that the client contact was aware of, and was silently consenting to, the instructions from their FD and their agent. This created a powerful but false sense of validity to the fraudulent instructions.
c) To keep the genuine client ‘out of the loop’ at the critical moment. Although the client’s email address was copied in to many of the email exchanges, because the fraudster controlled this account the genuine client was wholly unaware of the email traffic about the change in bank details.
d) To provide an extra affirmatory fall back for the fraudster; had the firm emailed the client direct to seek confirmation, the fraudster would have intercepted this email and undoubtedly responded in the affirmative.
• Knowledge and control.
The firm’s own IT systems were not compromised by the fraudster. However, the knowledge gleaned from the observation of the client’s and property agent’s email accounts enabled the fraudster to monitor the progress of the transaction, appear more convincing, and pick the perfect moment to perpetrate the fraud. The control exercised over these accounts was significant; at one stage the fraudster modified a legitimate email sent by the firm, to send false information to the genuine property agent to keep them ‘at arm’s length’.
• A convincing telephone number.
At a glance the FD’s contact number looked genuine, but telephone calls were never answered and the line went to voicemail. These messages were then followed up by an email acknowledgment of the missed call, with an apology and fake affirmation of the instruction.
• Timing of emails.
The criminals were patient and relaxed in their email exchange timing, often waiting an hour between correspondence. A plausible explanation was given: a busy schedule and an inability to take calls.
• Gradual increase in pressure.
The language in the fraudster’s emails initially lacked urgency, but gradually became more demanding in order to take advantage of the human desire to get things done for an important client.
Finally, the ease with which a vast cash sum was swiftly withdrawn from the overseas bank, without challenge, suggests that the fraud had been planned well in advance by a sophisticated criminal or, more likely, a network of criminals.
As is often the case in such matters, the artificial stresses carefully deployed by the fraudster on an already pressured partner undoubtedly contributed to the temporary error of judgement in authorising the transfer.
However, if firms adhere to robust procedures, fraud can be prevented. In this case, the firm’s existing procedure required a fee earner to speak to the client on a trusted number to verify bank detail changes. This procedure was circumvented, at enormous cost.
The warning signs
In this case, there were several warning signs. Some were spotted, but ultimately the partner was deceived by the layers of the fraud. The main warning signs were:
1. A change in account details just at the point of transferring funds.
2. Use of an overseas account (in a jurisdiction which had no bearing on the client’s business).
3. Use of an account with a different name to the client.
4. Incorrect email address of the client’s FD (albeit a very minor change).
5. Random capitalisation of letters/missing words from sentences/broken English.
6. A new contact telephone number provided by a key contact.
7. A consistent failure to answer the telephone by a key contact.
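The seven warning signs above can be checked mechanically against what the firm already holds on file from the outset of the matter. The following is an added example, not code from the original article or from any firm's system: it compares an incoming payment instruction with the matter record and returns the warning signs it trips. The matter record fields, the sample instruction (modelled on the case, with placeholder account numbers, country code and telephone numbers) and the capitalisation heuristic for sign 5 are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class MatterRecord:
    """What the firm holds on file, captured at the outset of the matter (constructed sample)."""
    client_name: str
    client_countries: set        # jurisdictions the client actually operates in
    account_on_file: str         # bank account obtained and verified at the outset
    fd_email: str                # FD's address from the engagement documents, not from email traffic
    fd_phone: str                # trusted number taken at the outset


@dataclass
class PaymentInstruction:
    """The instruction as it arrives, normally by email (constructed sample)."""
    sender_email: str
    beneficiary_name: str
    account: str
    account_country: str
    contact_phone: str
    body: str
    unanswered_calls: int = 0        # verification calls that went to voicemail
    at_point_of_transfer: bool = False


def _norm(s):
    """Lower-case and strip punctuation so 'Example Ltd.' and 'example ltd' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _digits(s):
    return re.sub(r"\D", "", s)


def red_flags(instr, matter):
    """Return the warning signs (numbered as in the article) that this instruction trips."""
    flags = []
    if instr.account != matter.account_on_file and instr.at_point_of_transfer:
        flags.append("1: account details changed at the point of transferring funds")
    if instr.account_country not in matter.client_countries:
        flags.append("2: account in a jurisdiction with no bearing on the client's business")
    if _norm(instr.beneficiary_name) != _norm(matter.client_name):
        flags.append("3: account name differs from the client's name")
    if instr.sender_email.lower() != matter.fd_email.lower():
        flags.append("4: sender address does not match the FD's address on file")
    # Heuristic for sign 5 (assumption): an ordinary word capitalised straight after a comma,
    # as in 'As discussed over the phone, You can inform'. It will also match proper nouns,
    # so treat it as a prompt for a human read, not a verdict.
    if re.search(r",\s+[A-Z][a-z]+\b", instr.body):
        flags.append("5: unusual capitalisation in the instruction text")
    if _digits(instr.contact_phone) != _digits(matter.fd_phone):
        flags.append("6: new contact telephone number supplied by a key contact")
    if instr.unanswered_calls >= 2:
        flags.append("7: repeated failure to answer the telephone")
    return flags


# Constructed sample modelled on the case: every identifier below is a placeholder.
MATTER = MatterRecord(
    client_name="Example Client Ltd",
    client_countries={"GB"},
    account_on_file="GB00 PLACEHOLDER 0000",
    fd_email="NAMEaccounts@gmail.com",
    fd_phone="01234 567 000",
)

CASE_INSTRUCTION = PaymentInstruction(
    sender_email="NAMEaccounfs@gmail.com",      # the one-character lookalike from the article
    beneficiary_name="Example FX Company Ltd",
    account="ZZ00 PLACEHOLDER 9999",
    account_country="ZZ",                       # placeholder for the non-EU jurisdiction
    contact_phone="01234 567 999",              # correct area code, different number
    body="As discussed over the phone, You can inform [the partner] that sale proceeds "
         "can now be transferred to the exchange bank details in the attached document.",
    unanswered_calls=2,
    at_point_of_transfer=True,
)

CLEAN_INSTRUCTION = PaymentInstruction(
    sender_email="nameaccounts@gmail.com",
    beneficiary_name="Example Client Ltd.",
    account="GB00 PLACEHOLDER 0000",
    account_country="GB",
    contact_phone="01234 567000",
    body="Please proceed with the transfer to the account you hold on file.",
)

if __name__ == "__main__":
    for flag in red_flags(CASE_INSTRUCTION, MATTER):
        print(flag)
```

Run against the case instruction, the function reports all seven signs; the point of encoding them is that signs 1, 2, 3, 4 and 6 are plain comparisons against data the fee earner already holds, so they can be raised automatically before anyone's judgement is tested under pressure.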
What can you do to avoid falling victim?
• Never deviate from bank account verification procedures. They are there for a reason. Such procedures should be reviewed at least annually as new challenges emerge.
• Obtain the bank account details from the client, ideally in person, at the outset of the matter.
• Failing that, confirm account details by post, and ensure they are certified with supporting documents. ‘Low-tech’ solutions can be used effectively to fight ‘high-tech’ fraud.
• Account details can then be ‘tested’ by sending £1 and approving the account only once you have spoken to the recipient via telephone, using trusted contact details. This should be done at the outset of a transaction or on receipt of new details, as part of the verification process.
• Terms of business, retainer letters and email footers should expressly exclude liability for losses arising from any delays occasioned by the necessary verification of a client’s (or other party’s) bank account details.
The client’s role
• When meeting with the client, consider agreeing a security password or code for telephone conversations in relation to authorising large payments and changes to banking details. This code should never be sent via email by you or the client.
• To manage a client’s expectations, it should be made clear to clients from the outset that the late provision of account details (or account changes) will give rise to necessary verification steps, which in turn will give rise to delays.
• If new bank account details are received by email, this should be considered a ‘red flag’ and verified with a telephone call to the client on their original telephone number to confirm the new details. All staff should be told that they must never use the telephone number provided on the email itself.
• When obtaining verification of account details, email communications should never be trusted. Be vigilant in respect of clients who avoid answering calls and repeatedly revert by email in such circumstances.
• Primary responsibility for obtaining and verifying bank details (e.g. arranging documentation/calling the client on receipt) should rest with the fee earner. The Finance Team may play a part too (e.g. running test payments) but should be considered the last line of defence.
• Fee earner time spent on anti-fraud checks should be treated as equivalent to a ‘time recordable task’ with reference to their targets, thus removing the ‘administrative/box ticking’ approach that might otherwise be taken.
• Fee earning staff (including partners) should be informed that the Finance Team is fully authorised to refuse transfers, until the firm’s procedures have been complied with. There should be a consensus between fee earning and support staff that verification procedures must be robustly followed, and that these should never be circumvented due to external or internal pressures.
• Ensure only approved staff can authorise transfers, with all large payments over a fixed value to be authorised by experienced and senior personnel e.g. Finance Director/Deputy Finance Director/COFA. Evidence of the payment verification steps should be made available to these individuals as part of the payment process.
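The verification steps in the two lists above (trusted-number call by the fee earner, £1 test payment, senior approval above a value threshold, Finance Team entitled to refuse) amount to a release gate that a payment must pass. The following is an added example, not the article's or any firm's own procedure: it encodes those steps as a decision function that returns whether the payment may be released and, if not, every reason it was held. The approval threshold, the role names and the sample evidence (modelled on the case) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Assumed figure; each firm sets its own value for mandatory senior sign-off.
SENIOR_APPROVAL_THRESHOLD = Decimal("250000")
SENIOR_ROLES = {"Finance Director", "Deputy Finance Director", "COFA"}


@dataclass
class VerificationEvidence:
    """Evidence the Finance Team sees before releasing a payment (constructed fields)."""
    details_received_by_email: bool        # new or changed details arrived by email
    verified_by_call_on: Optional[str]     # number actually spoken to, or None if only voicemails
    trusted_number: str                    # number held on file from the outset of the matter
    caller_role: str                       # who made the verification call
    test_payment_confirmed: bool           # £1 test payment acknowledged by the client by phone
    approver_role: str                     # who authorised the transfer


def _digits(s):
    return re.sub(r"\D", "", s or "")


def release_decision(amount, ev):
    """Return (may_release, reasons). Any reason blocks release; the gate never partially passes."""
    reasons = []
    if ev.details_received_by_email:
        # Emailed bank details are a red flag: they must be confirmed by a call on the trusted number.
        if ev.verified_by_call_on is None:
            reasons.append("emailed bank details not confirmed by a telephone conversation")
        elif _digits(ev.verified_by_call_on) != _digits(ev.trusted_number):
            reasons.append("verification call used a number from the email, not the trusted number on file")
        if ev.caller_role != "fee earner":
            reasons.append("verification must be carried out by the fee earner, not delegated")
        if not ev.test_payment_confirmed:
            reasons.append("£1 test payment not confirmed with the recipient by telephone")
    if amount > SENIOR_APPROVAL_THRESHOLD and ev.approver_role not in SENIOR_ROLES:
        reasons.append("payment above threshold not authorised by senior finance personnel")
    return (not reasons, reasons)


# Constructed evidence modelled on the case: PA left voicemails on the number from the email,
# no test payment, the partner alone authorised a seven-figure transfer.
CASE_EVIDENCE = VerificationEvidence(
    details_received_by_email=True,
    verified_by_call_on=None,
    trusted_number="01234 567 000",
    caller_role="PA",
    test_payment_confirmed=False,
    approver_role="partner",
)

# What compliant evidence for the same payment would look like.
COMPLIANT_EVIDENCE = VerificationEvidence(
    details_received_by_email=True,
    verified_by_call_on="01234 567000",
    trusted_number="01234 567 000",
    caller_role="fee earner",
    test_payment_confirmed=True,
    approver_role="COFA",
)

if __name__ == "__main__":
    ok, why = release_decision(Decimal("1000000"), CASE_EVIDENCE)
    print("release" if ok else "HOLD", why)
```

Because the function returns every failed step rather than stopping at the first, the record of why a payment was held doubles as the evidence trail the senior approver is meant to see before signing off.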
• Reward staff who spot potential fraudulent requests/emails and take steps to disseminate this information as a matter of priority within the firm.
• Trust your instincts if an instruction seems suspicious, and keep abreast of the most common scams.
• Be alive to unusual typographic errors, random capitalisation of letters and unusual remarks. Although we have redacted the parties’ names, quotes in the article above otherwise contain the exact language used.
• Ensure all staff undertake regular cybercrime prevention training. The SRA recommends certification schemes such as Cyber Essentials to demonstrate a commitment to preventing cyber fraud. https://www.cyberessentials.ncsc.gov.uk/
• Fraudsters will not always use overseas accounts. However, if your firm is asked to transfer funds to a jurisdiction that has no obvious relevance to the client or transaction, or to a country known to be a high-risk origin for cybercrime, such as China, United States, Russia, Turkey or Brazil (which frequently appear in ‘top ten’ lists of countries of origin for cyber-attacks), be extra vigilant.
• Notify the SRA, not least so that, if appropriate, the SRA can update their Scam Alert page.
• Use of software such as “CheckRecipient” can identify where a phony email address is being used, by showing a warning message when an email from an unknown sender is received. This can help to identify emails from fraudsters where a familiar email address is modified slightly (as in this case, with the use of NAMEaccounfs@gmail.com).
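The kind of lookalike-sender check described above, and the fourth warning sign (a very minor change to a known address), can be reproduced with a small function that compares each incoming sender address against the firm's list of known contacts. This is an added example and is not the code of CheckRecipient or of any other product: it uses edit distance to catch one- or two-character changes such as ‘NAMEaccounfs’ for ‘NAMEaccounts’, and separately catches a known local part reappearing at a different domain. The known-contact list and the threshold of two edits are assumptions made for the example.

```python
def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


LOOKALIKE_MAX_EDITS = 2   # assumed threshold; tune to the length of addresses in use


def classify_sender(address, known_contacts):
    """Return ('known', match), ('lookalike', closest_known) or ('unknown', None).

    Comparison is case-insensitive; the returned match is lower-cased.
    """
    addr = address.strip().lower()
    known = [k.strip().lower() for k in known_contacts]
    if addr in known:
        return ("known", addr)
    # Near-miss on the whole address: a swapped, dropped or added character.
    closest = min(known, key=lambda k: levenshtein(addr, k))
    if levenshtein(addr, closest) <= LOOKALIKE_MAX_EDITS:
        return ("lookalike", closest)
    # Same local part at a different domain: a corporate name recreated at a webmail provider.
    local, _, domain = addr.partition("@")
    for k in known:
        k_local, _, k_domain = k.partition("@")
        if k_local == local and k_domain != domain:
            return ("lookalike", k)
    return ("unknown", None)


# Constructed contact list for the example; the FD address is the one quoted in the article.
KNOWN_CONTACTS = [
    "NAMEaccounts@gmail.com",
    "agent@example-agency.test",
    "main.contact@example-client.test",
]

if __name__ == "__main__":
    for sender in ["NAMEaccounfs@gmail.com", "main.contact@webmail.test", "someone.else@example.org"]:
        print(sender, "->", classify_sender(sender, KNOWN_CONTACTS))
```

A ‘lookalike’ verdict is the one that deserves a warning banner: the address is close enough to a trusted contact to be mistaken for it at a glance, which is exactly the gap the fraudster in this case exploited. Very short addresses can sit within two edits of each other legitimately, so the threshold should be checked against the firm's own contact list before it is relied on.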
The human touch
• Be mindful that no one is immune. Fraudsters deliberately seek to exploit the fact that firms are handling large sums of client money when operating under huge pressures. Partners, fee earners, secretaries and support staff, including Finance Teams, may be struggling to cope. Your colleagues may also have domestic worries that are not immediately apparent. If so, their ability to spot and prevent frauds may be significantly impaired. Firms are strongly encouraged to be supportive in such situations, and engage proactively with mental health and wellbeing initiatives.
Since Libra Managers act as agents for professional indemnity underwriters, our comments are necessarily given from a professional liability and loss prevention perspective only. You may well consider it appropriate to obtain further views and advice on this subject either internally or externally.