We recently issued an updated fraud alert, which highlighted the rise in telephone phishing ('vishing') scams. City law firm RPC have recently alerted us to another emerging fraud risk, which the National Fraud Intelligence Bureau is calling "invoice hijacking".
Invoice hijacking explained
This scam involves the fraudsters intercepting correspondence between two parties who have an existing contractual relationship, and 'invoicing' the target for services that have actually been rendered. Solicitors are a particular target for this scam, given the large sums of client money typically held on account.
One particularly sophisticated example we have seen of this recently involved a conveyancing transaction. A deposit for a property was being paid in tranches, which the solicitor was holding on account for the client. The client received an email purporting to be from his solicitor, asking that the funds be transferred to a separate account, due to a limit being reached. The fraudster provided details of a new account, to which the client sent the remaining deposit.
The email account the fraudster had set up was similar enough to fool the client, but was not from his solicitor. As the original email had been from the fraudster to the client, either the client's or the solicitor's email account must have been hacked, with each party suggesting the fault must lie with the other.
In this case, the client had enough private funds to cover the sum stolen, allowing the transaction to complete; however, it remains to be proven where any liability may lie. If the client had not been able to complete, there could have been losses down a whole conveyancing chain, increasing the stakes considerably.
Regardless of whether or not any fault lies with the law firm, invoice hijacking is likely to damage client relations and may cause reputational damage. Educating clients regarding the risks is therefore important.
Risk Reduction Tips
To reduce the likelihood of your firm becoming involved in this type of fraud, you should:
- keep your firm's anti-virus software up to date
- inform your clients never to send funds to a new account without ringing the office and speaking to the relevant person first
- remind clients to check the email addresses of emails purportedly sent by the firm, particularly ones relating to payment/funds transfer requests (e.g. check for different domain addresses, different spellings)
If you are a victim of fraud you must immediately contact (i) your bank; (ii) the police; (iii) your PII broker; and (iv) the SRA.
Taking immediate action may help to reduce the scale of this fraud.
Please get in touch with us if you require further advice or if this has already affected you.