There has been a dramatic rise in the occurrence of ‘Friday afternoon’ frauds over the last year. In the legal sphere the SRA have reported receiving four notifications per month of law firms providing bank details to fraudsters - in one month alone this equated to four firms collectively releasing £2 million! This epidemic can now be seen creeping into other areas of business life, with accountants finding themselves prime targets. This ever-increasing threat is something that all businesses should guard against.
What is Friday afternoon fraud?
This type of fraud originated from technically savvy cyber-attacks on law firms. Typically, criminals targeted solicitors on Friday afternoons, when housing transactions are completed and substantial amounts of client money are transferred.
Firms report receiving a telephone call direct to accounts departments, in which details of legitimate transactions are given. The caller then:
• Claims that there has been suspicious activity on the account such that it has been frozen.
• Requests bank details in order to ‘assist’ the firm with transactions required that day.
Due to the sophisticated nature of the fraud, any direct contact will be articulate, knowledgeable and credible; and whilst telephone calls and the interception of email have, historically and recently, been used to access information, fraudsters are shifting their focus and methods continually.
Chances of recovery of funds taken in this way are slim: payments are usually made on a Friday afternoon and any discrepancy may not be discovered until the following Monday, by which time the funds will have dissipated. The sophisticated levels of attack demonstrated by Friday afternoon frauds have increased, with 69% of large organisations and 38% of small organisations attacked by an unauthorised outsider (Information Security Breaches Survey 2015).
As accountants, surely this won’t affect us?
How often and to what extent do your staff act as bookkeepers or otherwise sit within a client’s business? If those staff are unwittingly involved in a scam, there is the potential for liability to attach. It is a common assumption that any bank involved would protect against such liability. In reality, however, bank terms and conditions usually allow them to avoid responsibility in precisely these types of situations.
Be sure to review your accountants' PI insurance to see whether it covers you for such claims. If your PI cover does not include adequate cyber protection, consideration should be given to taking out a separate cyber insurance policy specifically to cover your risk. It is certainly worth reviewing these points with your broker.
How to avoid this scam
Have you implemented policies and adequately warned all staff of the following:
• Never reveal secure bank account details over the phone, even if the caller appears to be genuine and can provide details of the account and other transactions that have been processed.
• If there is any doubt about the validity of an email – for example the use of a different/unusual email address – telephone that client to clarify their instructions.
• Consider encrypting all client communications; any sensitive personal information should already be encrypted according to guidance from the Information Commissioner’s Office. Increasingly clients are giving consideration to the establishment of secure online portals for communicating with clients.
If you suspect that a fraud has taken place, immediately contact your bank, your broker/insurers and appropriate professional body. Any delay in contacting your bank could affect the prospects of successfully tracing funds that have been transferred prior to their dissemination.
Accountants providing auditing services are well aware of their obligation to use ‘professional scepticism’ in their day-to-day business. Extending this critical and evaluative approach more generally, in light of the growth and development of fraudulent Fridays, is essential for the continued protection of your, and your client’s, financial and reputational interests.
This article was first published on www.kennedyslaw.com and is reproduced with their permission.