Fraud: Anatomy of an Attack

Fraud targeted at law firms is fast becoming one of the biggest threats facing practitioners. The techniques used by the fraudsters are subtle and convincing, and there is no guarantee of support from your bank or your insurers should the worst happen and you or your firm fall victim to a targeted attack.

Many law firms have fallen victim to such attacks, even those who thought their systems were watertight and their transactions safe. Vast sums of money have been lost as a result. One such firm, which wishes to remain anonymous, was defrauded of several million pounds and is keen to share its unhappy experience in the hope that by doing so it can help other firms avoid becoming victims of similar attacks. The account that follows - in the words of a senior partner of the firm - should be seen as essential reading for all practice managers, partners and financial controllers...

Overview

I am the managing member of a law firm. The other managing member of the firm and I thought it might be helpful to prepare some notes for your consideration - we hope that you find these observations helpful.

It is of particular relevance that this fraud took place on a Friday afternoon and whilst it would be prudent to be alert at all times, Friday is most definitely the day of choice of sophisticated fraudsters who appear to have an intimate knowledge of the number of completions that take place on a Friday and indeed the difficulty in contacting various agencies, once the fraud has taken place, until the following Monday morning (with the exception of the police of course).

It would seem that all examples of this type of fraud are predicated upon the fraudsters having an intimate knowledge of prior transactions, or indeed of prior transactions on your client account earlier on the day chosen for the ‘sting’. That knowledge might be gleaned from your bank system being compromised, from a member of staff being linked to the criminal gang, or indeed from the fraudsters hacking into one of your clients' email accounts and thus discovering, for example, what monies are going to be paid into your account earlier in the day. [TVLS Note: email is a fundamentally insecure method of communication and should therefore be treated as such].

The possible methods of breaching security referred to above are not exhaustive but the whole ‘sting’ does depend upon the fraudsters gaining your confidence by being able to quote chapter and verse the activity on your client account on the day in question.

In addition, the fraudsters work as a team and therefore the individuals who will subsequently telephone your office will be different and may well be different genders. The fraudsters have developed a system whereby they can ‘piggyback’ telephone numbers so that when you receive the call, you believe that it is from a specific number that you recognise, which in turn would no doubt give you confidence that you are actually speaking to a legitimate employee of the bank/client. You should not under any circumstances give out any telephone numbers other than your main switchboard, for example, which the fraudsters will have contacted in the first place. Do not be tempted to give out mobile telephone numbers for example, despite the fact that you will be requested to do so and indeed the fraudsters will be most plausible and insistent on this.

How The Attack May Unfold

You will be notified that there is a problem with a transaction, usually that somebody is trying to send you a large sum of money and, as such, pressure will be exerted upon you to reveal other information. It may well be that you are expecting to complete a matter at that particular time, hence the fact that the pressure will be significant. All we can say in that regard, is that it is far better to experience a late completion than the situation experienced by my firm.

If matters have reached this point, then it is absolutely imperative that you immediately hang up on any telephone call. You may believe that it is discourteous to hang up immediately, but that is precisely what you should do. Even if you are unable then to contact an individual at the bank whom you know, it would be most advisable to contact immediately whichever department at your bank deals with your account and ask for the account to be shut down at once. As mentioned above, whilst that may well cause one or two complaints about late completions, it pales into insignificance when compared with the alternative.

Hardening Your Defences

As you will appreciate, I do not know the exact mechanism by which the fraud takes place but hopefully if you have adopted the advice to date then such knowledge will be redundant; the main point to note is that if you are dubious about any call, however plausible, stop it dead immediately.

There are, however, a number of steps that you may wish to take even before you receive the dreaded call and find yourself in the most invidious position of having effectively to terminate your ability to transact for a period of time, with all of the consequences that would ensue.

  • Whilst it may seem obvious, it is absolutely imperative that you know the two or three designated individuals who will look after your account. In my opinion you are entitled to know when those individuals might be on holiday; you are entitled to know who will be covering for those individuals if they are on holiday.
  • You may already have received a visit from a representative from the bank explaining this situation to you in rather greater and better detail than we are able to do so in this memo. If you have not, then you should question why.
  • You should specifically request that any warnings about fraud - and any fraud, like a virus, mutates - be communicated to a specific individual at your firm or preferably to both the COFA and the COLP.
  • You may wish to contact the SRA with a view to ascertaining what information the SRA are prepared to give you, subject to confidentiality, about previous frauds involving solicitors firms. (We do not speak for the SRA of course, and nor would we wish to give you the impression that the SRA would give you any information whatsoever.)
  • You may also wish to ask your specific bank whether or not they have been the subject of such a fraud in the context of a solicitors' firm. A written response either way would be most helpful.
  • You should avoid faster payments if at all possible. In other words, unless you desperately need to use faster payments, you should place a restriction on your account accordingly.
  • You should consider barring international transfers altogether and if of course an international transfer does arise then you and your bank will be able to discuss the mechanics of the same as a ‘one off’.
  • You should consider limiting the number of transactions that can take place upon your client account within a half hour period. In other words, subject to how busy you are in so far as completions are concerned, you may wish to tell the bank that there will only be one transaction every half hour and that any attempt at a second transaction should be blocked. (At the risk of telling you how to run your businesses, we would have thought that it would be possible to stagger completions, depending on the size of the firm of course.)
  • You should give consideration to limiting the amount of any single transaction, subject to further security measures that your bank are able to implement, and from your perspective are acceptable.
  • It would be most prudent to examine your agreements with your respective bank(s) in minute detail. In other words, you should make yourselves fully aware of what the bank will and will not cover in the event of a fraud taking place. If you are in any doubt then you should seek written clarification from the bank accordingly. You will already be aware of the fact that there are many banks from which to choose...

The Aftermath

If, despite all of the above, you find yourselves in the position that we found ourselves in, then the golden rule is not to panic. That is easier said than done and if you must panic, as we did, then try and do so internally, which in fairness we managed to achieve! We make that point, because it is absolutely crucial that you share this information with as few people as possible and we suspect that will probably entail senior management only. Any more junior members of staff who become aware of the fraud (i.e. staff in your accounts department) must be informed in no uncertain terms that the matter is to remain in-house.

The first telephone call to make is of course to the police. On this subject we are able to be more specific because, in fairness, the police have been quite magnificent in their handling of the situation. It would be prudent, however, to have the relevant telephone numbers to hand in advance, rather than having to scrabble about finding telephone numbers and then being transferred from pillar to post. From the perspective of the police, time is of the essence, and the sooner the matter is logged with the police, the better it will be for you in so far as the inevitable civil claim is concerned.

In our case the police were at our offices taking a statement within an hour or so and indeed we have been kept in the loop in so far as the continuing criminal investigation is concerned.

You may wonder why we did not refer to you contacting the bank. We are presuming that by this stage the bank will have discovered that a fraud has taken place and will have made contact with you in any event. If the bank has not made contact with you, then that is somewhat worrying in any event. As mentioned above, it is absolutely imperative that you know who will be at the bank to contact and on what number, because of course if the bank have not already shut the account down then they must be instructed to do so immediately.

It is absolutely imperative, despite the fact that your brain would no doubt be in turmoil, to try and keep some contemporaneous log of whom you contacted, at what precise time, and a synopsis of what was said. We would therefore respectfully suggest that you put in place some form of contingency plan whereby key staff know whom to contact, what to say and what to record.

I cannot over-emphasise the importance of contacting certain agencies quickly, and indeed of being able to prove that you did so. You cannot necessarily rely upon those on whom you would expect to rely to solve the problem for you.

Your next port of call is, inevitably, the SRA. It would be very wise for you to ascertain in advance of any fraud taking place whether or not you have a designated regulatory supervisor. If you do not, then you may choose to request one, although of course we cannot speak for the SRA as to whether one will be appointed on your behalf. The point being made, however, is that you need to know the specific individual or individuals to contact in the event of a fraud taking place. You also need to be aware of when the SRA offices are open, and you need to establish whether or not your point of contact, be it a regulatory supervisor or not, is contactable out of hours. I will in a moment come back to my experience of how the SRA dealt with this matter.

As previously mentioned, the fraudsters know the best possible time to strike, which in turn might lead you to having the most uncomfortable of weekends until such time as you can actually speak to somebody with relevant advice/information on Monday morning. This being so, I do not think it is presumptuous for you to request an out-of-hours number from your bank. Likewise, I do not think it presumptuous for you to seek assurances from your bank that, in the event of a fraud taking place, you will be contacted with updates, even on a weekend.

Insurers

Of course there is one particularly important institution still to contact, namely your insurer/insurance broker. You will no doubt have contact numbers to hand, but if not I suggest that you ensure that you are in a position to contact your insurers/broker as quickly as possible. You may wish to check your policy at the present time to ensure that you are indeed covered, and you may also wish to check the amount of excess that may apply. [TVLS note: many insurers, stung by the rapid rise of such frauds, are putting limitations and specific requirements in place - be sure you know what these are!]. You will be requested to compile a lengthy report for your insurers which, to a considerable extent, will require cooperation from your bank in providing the relevant documentary evidence. You will almost inevitably discover that your insurers will appoint solicitors to act on their behalf and, initially at least, you will be in communication with those solicitors several times a day. Unfortunately, all of your other work commitments must stop, because you will find that the fraud and its repercussions have to take precedence.

Once you have made all of the relevant calls that you can, and whilst you are no doubt preparing reports both for the insurers and the SRA and in due course the police, it would be a good idea to speak to any members of your staff who were contacted by the fraudsters. Whilst we do not necessarily suggest that you take a full statement at that stage, it would be most helpful indeed to take a contemporaneous note of what actually happened, and that note can then subsequently be put into statement form. Once again, accurate times of conversations and events are absolutely crucial in so far as any information is concerned. Fine detail is equally crucial, as such detail may well assist you in the weeks and months to come once the inevitable civil litigation gets under way. Note that I am not suggesting that it is necessary to interrogate your staff, who will no doubt be greatly upset in any event, but to get all details noted whilst events are still fresh in everyone's minds. Also, I think it is particularly important that you do not display any signs of outward panic: shouting at staff does not help (we did not) and will not elicit accurate information in any event. At the end of the day both your firm and your staff will have been on the receiving end of what the police described to us as a 'highly sophisticated top end fraud'.

When dealing with your insurers, or more likely their solicitors, you may be asked whether you have any employee negligence cover. It would be prudent to investigate the economic feasibility at this stage of taking out such cover for a small number of employees who are most likely to be the direct target of the fraudsters in question. The annual premium will of course determine whether or not you go down that path but this is a further level of protection and one which you may wish to explore with your current PII insurers or indeed your general office insurers.

Of course, you have an absolute obligation to cooperate with your insurers' solicitors, as long as that does not put you in conflict with the SRA nor indeed the police investigation. Those obligations take precedence over your relationship with the bank; if you accept that premise it will ensure that any request made from your bank at the very least is communicated to your insurers’ solicitors. It will also ensure that all information that you receive is communicated to your insurers’ solicitors.

It's important to keep in mind of course that the solicitors appointed on behalf of the insurers are actually acting on behalf of the insurers and not on behalf of you. With that in mind therefore I would suggest that you have your own specialist lawyers on standby as opposed to trying to find a specialist solicitor in haste. Indeed, you may wish to make contact at this stage with firms that specialise in insurance / regulatory law as even if you are obliged to pay a modest retainer, that will be dwarfed by the potential costs that will result in you having no specialist lawyer at all, or at least not from the outset.

SRA

Once the dust has settled, you may find yourselves under a certain amount of pressure from the SRA - this is not a criticism of the SRA because, as the SRA will constantly remind you, their primary concern is clients’ money. In other words, you have an immediate obligation to put right the loss, whether you do so from your office account or indeed from your own resources. Once the SRA are aware of the fact that you have insurance, the insurers may not work as quickly as the SRA would like, and inevitably there will be a hiatus between the fraud taking place and the point at which the insurers/bank make good the loss. I have referred specifically to the bank possibly making good the loss because inevitably there will be communication between the insurers' solicitors and the bank to ascertain what actually happened.

This hiatus will leave you 'in limbo', and with every day that passes the pressure upon you from the SRA will mount, not only to make good the loss but also to inform those specific clients who were affected by the loss that you no longer have their money; the reputational damage to your firm in doing so will be immense but this is a secondary consideration from the SRA’s perspective (once again that is not a criticism).

Ultimately if you fail to cooperate with the SRA you may find yourself subject to an intervention. You may then find yourselves in a battle against time to rectify the situation without necessarily having to inform the clients but also ensuring that you have satisfied the SRA that you are doing everything that possibly can be done to ensure that you are no longer in breach.

The SRA may well advise you to contact the Law Society who in turn will tell you what you already know, i.e. that you owe the clients the money and you must immediately return it. The Law Society may direct you to a number of firms who are able to provide free emergency assistance but from my experience, having contacted one of those firms, it took over a month for the firm to respond to the telephone call! (You will now no doubt appreciate as to why you may wish to have a specialist solicitor ‘lined up’, so to speak).

You will almost certainly be visited by the SRA but that in itself is nothing to fear. The individual who visited us was indeed most helpful and sympathetic, hence the fact that I would not wish you to think that I am in any way being critical of the SRA.

You have an absolute obligation to cooperate with the SRA; if you do not then your firm will be shut down. This is another reason why it is particularly helpful to have your own specialist solicitor who will be able to intercede with the SRA on your behalf.

Other Considerations

You will of course have a practical problem within a day (or, if you are lucky, within a few days) in that you will need the clients' money. Assuming that no member of your firm is involved or implicated in the fraud (and I am delighted to confirm that all at my firm were above suspicion), then your insurers should pay out, whether by instalment or by lump sum. The problem then is that you will no longer have a usable client account that is capable of any transactions. I therefore believe that you should ascertain from your bank what arrangements will be put in place for the establishment of, say, a parallel account into which money could be paid. Or, indeed, you may wish to explore the possibility of having a second, dormant, client account at a different bank altogether. At the very least, however, the practical problem will confront you, and it is far better to have the answer to that question before any fraud takes place, rather than after the event.

You may also wish to consider preparing an article for your website, just in case you are ambushed by the press as we were. If you find yourselves in the unfortunate position of having your firm splashed over the front page of a newspaper, you may find it advisable to immediately place your own statement on your website. Again, a specialist solicitor will be able to provide guidance on the wording of such an article, and of course care must be taken not to divulge sensitive or confidential information that may be material to any criminal or civil actions that may result from the fraud.

The point is that, on seeing headlines, your clients will no doubt visit your website to see if further information is available, and it may reassure them to learn that the matter is being dealt with in the way that it should be, and that you are actually the victims of a crime (something that in our situation we felt the press lost sight of).

I hope that some of the above information is of assistance to you, and I fervently hope that none of you ever experience what I and my fellow Managing Member experienced. If as a result of the above just one of you avoids becoming the victim of such a fraud then it will at least be something good to have come out of what has been an exceptionally unpleasant situation.