The Friday blues

A quick internet search for the words “diversion of client’s money” shows that it was around 2015 when this phenomenon was first reported. Four years later, it is still an issue. The Law Society provides guidance about how this so-called “Friday afternoon fraud” occurs. Every conveyancer should read this and remind their staff of the dangers of email and what can happen when emails are intercepted by fraudsters. Some 75% of all cybercrimes reported to the Solicitors Regulation Authority (SRA) in 2016 were Friday afternoon fraud.

But what actually happens? The criminal hacks into emails between the conveyancer and the client, and waits until they see the email they want – the one in which either the client’s or the solicitor’s bank account details are sent. They intercept that email.

Clients may not be aware that such scams are perpetrated

If the email includes the client’s details, the fraudster pretends to be the conveyancer, and asks the client to pay monies into an account which belongs to the fraudster, not the solicitor. The client does as instructed, and it is only when the solicitor queries why no monies have been received or when the client checks to see if funds have been received, only to find that there is no trace of them, that the fraud becomes apparent.

If the email includes the solicitor’s details, the fraudster pretends to be the client, and asks the solicitor to pay the net sale proceeds into an account which belongs to the criminal, not the client. Either way, it is the client’s money which is diverted.

This form of fraud is known as Friday afternoon fraud because many conveyancing transactions complete on a Friday afternoon, and because it can be easier to perpetrate on a Friday, when both parties are in a rush to complete the transaction before the weekend.

Below, I look at what law firms and solicitors can do to reduce the risk of Friday afternoon fraud, and how the new Conveyancing Quality Scheme (CQS) Protocol has been drafted to support firms with managing this risk.

1. Never email your client’s or your firm’s account details

There is a firm local to me which states in its email footer that it will never email bank account details, but from which I often receive replies to requisitions on title by email, including its bank account details.

The easiest way of avoiding Friday afternoon fraud is never to email bank account details, of either your firm or your client, whether that be to another solicitor or a client.

I recently led a group on reviewing the CQS Protocol. We were conscious that email was the most common means of correspondence between all parties in a transaction, and we were keen to ensure that this was reflected in the changes. We wanted to ensure that there was a continuing obligation to manage cybersecurity risks, so one of the general obligations stated at the start of the revised Protocol is: “Have a continuing awareness of potential cybersecurity issues.”

We also included a number of other requirements on the conveyancer acting for the seller.

Step 19 now says: “Beware how you submit your bank details. It is good practice not to submit bank details by email.”

This is a reminder not to send the firm’s bank account details by email. This is repeated in the TA13 Completion Information and Undertakings form, where it now states at the start of question 4 (and in bold): “Be alert to the risks of emailing bank details.”

2. Keep an eye out for changes in bank account details

Step 3 now says: “Obtain instructions for dealing with remittance of gross / net sale proceeds and details provided by the seller of UK bank account for remittance of proceeds. Obtain evidence that the bank account is properly constituted as an account conducted by the seller for a period of at least 12 months. Confirm that remittance will be made to that account only.”

Having this requirement so early in the process gives the solicitor a better chance of being aware of any changes in these details. Most clients will have had the same bank account for more than 12 months; if not, then it is for the solicitor to assess the risk. There could be a valid reason why an account is less than 12 months old, for instance if the sellers are separating, or it is an executor’s account – and it is for the solicitor to decide whether they are happy with the reasons given.

Step 32 now says: “Account to the seller for any balance of the sale proceeds. Check funds are only being sent to the account details supplied at the beginning of the transaction.”

This is to remind conveyancers to check the bank account details supplied under step 3 and to be aware that, should the details have changed, especially if such changes were sent in an email, then this needs to be verified by the seller.

3. Talk to your client

I’m sure that we’ve all encountered a firm which has experienced Friday afternoon fraud, but clients may not be aware that such scams are perpetrated, so talk to them about the risks and ways to mitigate them.

The Law Society’s guidance suggests ways solicitors can protect clients. I have outlined these below, including my own thoughts.

• Give the client your firm’s client account details at the start of the transaction and tell them that the details are unlikely to change. I would suggest sending this in the post to the client at the start of the transaction, and reminding them never to email account details to anyone. You may even want the client to have a password so that you can verify their identity when you speak with them concerning bank account details.
• Tell the client not to transfer money to a bank account where the details do not match those given at the start of the transaction.
• Call the client or ask them to call you before they transfer the money. Tell them not to email you to say that the money is being sent, as that email could be intercepted and fake account details sent to the client with an urgent request to send monies elsewhere – the client would assume that was a genuine email from your firm.
• Confirm to your client when you receive the funds – a quick telephone call will put their mind at rest.

It is always important to remember that data transmitted and received on insecure networks is readily available to hackers. It is also a solicitor’s duty to protect their client, who may have no knowledge of such scams. And remember that fraudsters can impersonate clients as well as solicitors.

As the SRA stated in its paper IT Security: Keeping information and money safe, email-modification fraud relies on weaknesses in systems and deception. Anti-virus systems are important, but well-trained and well-informed staff are even more so. I would also add to that: a well-informed client will also help to reduce the chance of your firm falling victim to this type of fraud.