Invoice hijacking, the technique whereby a legitimate invoice is intercepted and replaced by a replica invoice carrying different bank details for payment, has become a known risk for law firms and their clients.

While you are unlikely to face a claim on your Professional Indemnity insurance from such a fraud, the fraud typically comes to light only when you chase your unpaid bill, and it results in an often acrimonious dispute between you and your client over who is to blame. You will want your bill paid, and the client will be unwilling to pay for the work a second time.

While this scam could arise from postal invoices, to date we have seen it only in relation to emailed invoices, indicating that cyber criminals have gained access to either your or your client's email system.

While you can control, to some extent, the security of your own email system, there is clearly nothing you can do about the security of your clients' systems and the way they use them, other than share with them our top tips on email security.

Your next best risk management tool is client education: providing clients with clear statements about your invoice process and how you supply bank account details. These goals are best achieved by building them into clear and effective standardised systems and procedures.


Lockton's Best Practice Guide to Invoicing

Calum MacLean, Risk Manager for Professions at Lockton, suggests:

  • Ensure that all new engagements use an approved, centrally stored (and regularly updated) Terms of Engagement letter.

  • Include all payment information (including bank account details) in the Terms of Engagement. This section of the document could be made non-editable, to reduce the risk of fraudulent amendment. We would also suggest, on a precautionary basis, that these details are double-checked by the fee-earner on receipt of the signed Terms of Engagement.

  • Clearly flag, in your Terms of Engagement, your procedure for notifying changes to account details.

  • If your bank details do change, have a policy of notifying clients by Recorded Delivery hard-copy letter. Ideally, this would be a centrally managed campaign (e.g. by the Accounts team) to avoid the risk of fee-earners choosing to email clients with the details.

  • Play safe: DO NOT include bank details in any invoice.

  • Invoices should clearly state the firm's policy in that regard, e.g. 'We will never provide details of our bank account number or sort code on our invoices. Please check your Terms of Engagement for details or contact your [law firm name] matter manager.'

  • Ensure you flag your policy on how and where you provide payment details, and how you notify any changes to them, in any initial meetings with a client. Include this as an item in any 'client meeting checklists' you may use.

  • Add an alert to your firm's email sign-off. A high-profile visual will attract more attention (see, for example, the NatWest cyber-crime alert included in their current emails).

Alternatively, you can simply add a short message in plain text; just make sure it stands out. Suggested messages include:

Please note our bank details will not change during the transaction. If you receive an email or suspicious telephone call informing you differently, please let us know immediately by telephone using the contact details on our letterhead.

Cyber Crime Alert
Emails can be scammed. Please do not rely on email notification of bank account changes without direct verbal confirmation from a trusted source.

For more information about protecting your practice from frauds and scams, speak to our Risk Manager, Calum MacLean, or browse our other guidance articles on our resource centre.