The Law Society of Scotland has seen an influx of online scams by fraudsters trying to con solicitors’ clients out of significant sums of money, using various sophisticated methods, including email interception, WhatsApp and fake websites.

Recent examples of fraud include:

• Scammers intercepting and controlling email messages between a solicitor and its clients. The fraudsters targeted clients at the point where housing transactions were due to complete, mimicking the solicitor’s emails exactly to give bogus payment details to multiple clients in an attempt to con them out of tens of thousands of pounds.
• WhatsApp messages alleging to be from legitimate law firms, offering health and social care visas, in return for providing personal information, such as copies of passports, and paying fees of hundreds of pounds. These use the imitated law firms’ correct information, such as office addresses and logos, in order to dupe people into thinking the messages are real.
• Websites mimicking real law firms sites and emails, but with slight spelling errors in the URLs that are easy to miss.

Paul Mosson, executive director of member services and engagement at the Law Society of Scotland, said: “Scammers are opportunistic and sophisticated. While solicitors can’t prevent fraudsters imitating them, they can take steps to ensure that their clients and the firm are as protected as they can be. Make sure your clients and staff are alive to the threat of cyber crime and be consistent in your communications, so that clients know what to expect from you.”

What legal firms can do to help clients protect themselves:

• Ask the client to call your office to confirm the firm’s bank account details if they receive any communication that requests a payment.
  Provide the details of the firm’s bank account in your letter of engagement/terms of business.
• Include within your letter of engagement/terms of business a notice to clients stating that the firm’s bank account details will not change during a transaction, that the firm will not change bank details via email, and that clients should check details in person if in any doubt. Also include this notice as a footer to all firm emails.
• Don’t deviate from this practice – you are more likely to be held liable, if something goes wrong and you have done something you said you wouldn’t do.
• Keep discussing this issue with your clients to ensure that they are alive to the threats and that they know what to expect from your firm.

What solicitors can do to protect their firm:

• Never act on an emailed instruction to change a client’s bank account without seeking further verification of that instruction – call the client or speak to them face-to-face.
  Consider introducing systems and controls regarding payments to bank accounts.
• Advise clients that if they subsequently change their payment instructions, your firm will not make any payment until instructions have been verified by alternative means.
  Make your staff aware of the cyber threats, raising the issue repeatedly to keep them alert to the risks.

Further information on how firms can protect themselves against the threats of cyber crime can be found in the Law Society of Scotland’s Guide to Cybersecurity.