Safer banking procedures
29/10/2024 09:30:19
See how safe procedures can protect your firm and client funds at a crucial point of vulnerability.
Law firms, particularly those handling large sums of client funds, have always been attractive targets for cybercrime. A study by Smith & Williamson (now Evelyn Partners) revealed that 60% of top-20 law firms experienced cyber-attacks in 2021, with smaller firms also at risk.
Safer banking tips
Solicitor bank accounts – particularly at the point of transferring funds – are attractive targets for attacks and merit particular attention.
Staff training
- Training and awareness: Attacks often target law firm employees rather than the firm itself. It’s therefore crucial to train staff to spot threats, report suspicious emails, and handle the manipulation used in sophisticated attacks. By reducing human error in your firm, your team can become an important line of defence.
Client Account security
- Direct communication: Provide bank details in person at the transaction outset and advise clients that these details won't change. Stress that email will not be used to communicate bank account information.
- Jurisdictional compliance: Inform clients that Irish solicitors cannot operate client accounts outside of Ireland. Any request to transfer funds to a non-Irish account should raise immediate concern.
- Encryption and verification: Use unique PINs for encrypting sensitive documents, and advise clients to verify any fund transfer requests by phone, especially if received outside working hours.
- Alternative communication: Cross-check account details via phone using numbers from trusted sources like the Law Directory.
Client communication
- Set expectations: Clearly explain the process of transactions, emphasising the need for clients to verify solicitor bank details by phone or in person.
- Public profile caution: Advise clients to avoid sharing transaction details on social media to prevent becoming targets of cybercriminals.
- Safe communication practices: Encourage clients to avoid using public Wi-Fi for sensitive communications and to verify phone numbers provided via email.
Safe banking practices
- Secure information sharing: Provide IBANs and BICs on a separate letter or coloured paper, not in the body of engagement letters. If they must be sent by email, encrypt these details and communicate the password through a different channel.
- Verification: Always verify bank details received via email by phone using pre-existing contact information, not the numbers provided in the email. If account details change, this should be treated as a red flag.
Double-check system
- Two pairs of eyes: Implement a system where two people independently verify bank account details, especially for significant transactions. This reduces the risk of errors and potential fraud.
- Secondary verification: Always verify new bank details through a second communication method, such as calling the firm or client using known contact details.
Cyber security awareness
- Protect online banking: Be cautious of fraudsters who may try to install software on your computer under the guise of a "banking error." Ensure your online banking portal is legitimate before entering login details.
Report Attacks
- Professional vigilance: Sharing information on attacks can help to protect fellow colleagues. If you experience an attack, whether successful or unsuccessful, please contact us so we can share anonymised details with the profession.
Learn more
This is an abbreviated version of ‘Equality of Arms’, published in the November 2023 Law Society Gazette.