Law firms and their clients are desirable targets for payment diversion fraud. This is a result of the high value sums held and regularly being transacted from/to their client account. Miller’s Risk Manager, Calum MacLean and Sam Moore of Caytons consider where liability may lie, and provide practical guidance on how best to reduce the risks associated with this type of fraud for your firm and your clients.
What is payment diversion fraud and how does it occur?
Payment diversion fraud is a form of fraud where criminals impersonate others and cause payments to be diverted to the bank account controlled by the criminals. Typically, this fraud can be perpetrated by criminals gaining access to a business’ or client’s IT systems and sending emails stating that monies need to be sent to the account which they control. The fraudster will either intercept legitimate emails/invoices and replicate them, but with different bank details, or may generate an entirely fictitious request for a transfer of funds.
These frauds can occur on any type of transaction and at more or less any stage, including at the point the client seeks to settle their account. Most commonly they target high value transactions where client monies are held by the law firm - such as litigation, probate, or conveyancing matters. Of these, conveyancing is the most frequent target given the volume of high value transactions.
Where these frauds succeed, the consequences can be catastrophic. As an example, in October 2021, The Law Society Gazette reported that a homebuyer was scammed into handing over £640,000 to criminals after emails to the firm they had retained were intercepted. The successful fraud also may lead to a deterioration in the client relationship – with one or other party looking for someone else to blame.
Legal considerations – who is responsible for the diverted monies?
The issue of who should bear the loss for monies which are fraudulently diverted by a third party is still a developing area of law.
(i) Payments made to a fraudster from the Client Account
In their June 2024 warning note - “Money missing from the client account” - the SRA emphasised that “client money is sacrosanct and proper stewardship of it is vital”.
This is underpinned by the SRA Account Rules, which state, at 6.1:
‘Any money improperly withheld or withdrawn from a client account must be immediately paid into the account or replaced as appropriate.”
In other words, the managers of the firm are required to replace missing client monies from their own resources. In the case of the law firm being targeted and consequential release of client funds to the criminal’s bank account, the client would have the benefit of a breach of trust claim against the firm.
A remedy can be for the firm to reconstitute the trust fund, which is a very difficult claim to defend as it can be essentially a form of strict liability. It is possible to seek relief from the breach of trust from the court via section 61 of the Trustee Act 1925. This requires the court to be satisfied that the trustee acted “honestly and reasonably” and “ought fairly to be excused from the breach of trust”. The difficulty with this is that if there were any signs that a fraud was being perpetrated (often there are with the benefit of hindsight) then it would be extremely difficult to satisfy the acting “reasonably” requirement.
However, where a client is uninsured and a solicitor has the benefit of professional indemnity insurance, it is very difficult to see how a court would find that the solicitor “ought fairly to be excused from the breach of trust” even if they satisfied the acting “reasonably” criterion.
(ii) Payments to a fraudster by your client
The relationship between a law firm and its client is primarily a contractual one: the firm agrees to provide services in consideration of the payment of a fee. In our view, the party bearing responsibility for a loss arising from a payment diversion fraud should be determined by the terms of the contract between them.
Contractual protections …
In J Brazil Road Contractors v Belectric Solar Ltd [2018] a building contractor’s email was hacked, resulting in an invoice being ‘hijacked’- and the customer inadvertently paying the monies due to a fraudster. The case considered whether the customer required to pay their contractor ‘again’.
The court found that the customer did indeed have to make a second payment because the email interception did not absolve the customer of its contractual responsibility to actually make payment to the building contractor. Whilst a county court case, and therefore not binding authority, it does highlight the importance of the contractual relationship in determining the issue of liability.
…tempered by a duty of ‘reasonable care and skill’
Were the court to find that the contractor (and by analogy, a solicitor or other professional) failed to take reasonable precautions to secure their email and IT systems more generally, they may well fail the ‘reasonable care and skill’ requirement implied into a contract under section 13 of the Supply of Goods and Services Act 1982.
Causation
It is possible to raise causation defences to claims against firms where the client was warned by their bank that the new account details may be suspicious and/or the name of the account doesn’t match the name of the firm (though we would note that high value frauds are typically quite sophisticated, and accounts are often set up with names that would not immediately cause suspicion – being almost identical to the actual firm name).
Contributory negligence
Even if there is not a complete causation defence to a claim, it may be that any failure on the part of the client could give rise to a contributory negligence defence, which, if successful, would reduce any damages payable.
Reducing the risk - practical risk controls
Protect your firm from making erroneous payments
It’s worth remembering that your firm can also fall victim to payment diversion frauds – it is not just a client-related risk. Your own payment protocols should help protect you:
- High value payments require at least two sign-offs.
- Large payments should not be split into smaller payments in order to facilitate faster processing and lesser controls.
- Obtain account details up-front and do not ask for or rely on account details sent by email.
- Follow the SRA guidance to ‘train staff to regularly scrutinise emails; verify the identity of a sender by hovering your mouse over an email address, check for any variations to addresses or format changes to official logos and note any unusual spelling or grammatical errors.’
- Advise clients that if they change their account details or payment instructions, your firm will not make any payment until instructions have been verified.
Protect your firm from system hacks
- Undertake independent audits of your IT security, identify gaps and act on them.
- Ensure that all staff access systems securely (including use of 2FA) and install required updates promptly.
- Provide regular update training to all staff on cyber security, including current examples of threats and vulnerabilities, and reinforcing messages about key risk controls and ways of working to minimise the risks (and keep a detailed log of such training).
- Consider using secure portals for exchanging confidential information with clients, including invoicing and requests for funds transfers.
In case that either your firm’s systems or your client’s systems are compromised, you may seek to reduce your risk exposure further by limiting or seeking to exclude liability for claims arising from a payment diversion fraud (ensuring that the provision is clearly brought to the client’s attention).
Help your clients protect themselves
- Educate your clients about fraud risks, their potential impact, and what they should do to help protect themselves - do not leave this to an email footer. Consider providing a short, but clear, standalone guide
- Keep clients informed about known current threat campaigns which could expose them to additional risks.
- Explain clearly to clients at the outset of an instruction what their transaction process is likely to look like, and at what stage which payments will be required – and how you will communicate these.
- Provide your bank details to clients in writing at an early juncture (after AML checks have been completed satisfactorily).
- State clearly – in your terms of business, in emails, on documents – that your bank details will not change – and in the unlikely event of a change, that the change of details will never be communicated by email.
- For very large transfers encourage a test payment prior to payment of the full amount.
Further information
To read the SRA’s warning notice in full, visit: SRA | Money missing from client account - Warning notice | Solicitors Regulation Authority
Other useful detailed guidance is available via the SRA’s website: SRA | How to reduce the risk of being affected by cybercrime | Solicitors Regulation Authority
Given the generality of the note it should not be treated as specific advice in relation to a matter as other considerations may apply. Therefore, no liability is accepted for reliance on this note.
If specific advice is required, please contact the team below who will be happy to help.