External Fraud and Scams

Sadly, we are all exposed to frauds and scams in our business and personal lives.  A UK website, ActionFraud, lists a large number of types of frauds and scams which have afflicted businesses of every type, including the following:
 
  • Account Takeover: A fraudster/computer criminal poses as a genuine customer and gains control of an account to make unauthorised transactions.
  • Cheque Fraud: Illegal use of cheques to acquire funds, eg counterfeiting, forged cheques, fraudulently altered cheques, bad cheque writing, cheque washing, and using disappearing ink on cheques.
  • Invoice Scams: Fraudsters send a fake invoice/bill for goods/services, claiming that payment is past due and threatening that non-payment will affect the recipient's credit rating.
  • Office Supply Scams: Telemarketers trick/mislead employees into thinking that an order for office supplies has already been placed by an existing or former colleague, and that they are calling to chase up a signature for the order form to help complete records.  An invoice is then sent for unwanted, and often overpriced, stationery and office supplies.
  • Telecommunications: Misuse of airtime by fraudsters with no intention of paying any bills.  These include mobile phone fraud, fixed line fraud and Internet Service Provider fraud.

The range and variety of frauds and scams demonstrate fraudsters’ ingenuity, creativity and determination, and the need to keep our risk awareness and risk controls up to date.
 

Focus on Solicitors 
The role of solicitors often involves being the safe keeper of, and having custody of, large sums of clients’ money, which makes the profession an attractive target for criminals.  The intelligence and capabilities these criminals have are considerable, enabling them to engage in 'social engineering' and to commit 'confidence tricks' to overcome barriers and risk controls which might otherwise be considered more than adequate.

The following scenarios suggest how frauds might be perpetrated on solicitors’ firms.  Consider whether the procedures and risk controls which law firms normally have in place would prevent these scenarios ever becoming a reality, resulting in claims.
 
Theft from solicitor’s client bank account
Firm A had GBP1,000,000 stolen from its client account after a member of the firm’s finance team was persuaded to disclose password / PIN information.  Transfers of funds were effected overnight and only discovered the following day.
 
Fraudulent commercial loan transaction
Firm B, which was engaged to act for a lender in a commercial property/loan transaction, arranged a direct transfer of the loan funds to the borrower’s bank account.  After settlement, it emerged that the law firm was not a genuine law firm; that the transaction was a scam; that the charge created over the property was void; and that the lenders had no security for the substantial loan advanced to the fraudster.  The bank account to which the loan money had been transferred was the fraudster’s own bank account, and the lenders made a claim against the firm in respect of their substantial loss.
 
Reality Check
Actually, the facts of the two scenarios are not hypothetical.  They really happened.  It’s an unfortunate fact that a number of firms have had client funds stolen from their client bank accounts in the way described.  In each case, a member of the firm’s finance team was convinced and persuaded by a very clever 'confidence trick'.  They were all convinced the caller was legitimate, and a genuine member of the bank’s staff legitimately responding to a real fraud involving the firm’s client bank account and helping the firm to put things right. 
 
In all of these cases, the fraudster posed as a member of the bank’s fraud investigation team contacting the firm under the pretext of suspicious activity identified by the bank on the solicitor’s client account.  In all cases, the caller’s “cover story” was evidently convincing and the firm’s employee complied with the request for details of password/PIN or insertion of card in card reader.
 
How can Solicitors Avoid Exposure to These External Frauds?
Consider this excerpt from a firm’s risk assessment and risk prevention plan.  Would this work?  How effective do you think these measures would be in addressing exposure of law firms to the fraud scenarios we’ve just been looking at? 
 
IDENTIFIED RISK | RISK CONTROL
Fraud risk — external | Review client vetting criteria and, if found necessary, amend/tighten client vetting.
Exposure to third party frauds and scams | Check that colleagues are applying client vetting criteria consistently.  Increased importance of client vetting and other controls to minimise the risk of exposure to unwitting involvement in frauds/scams and resulting liability (and possible other sanctions).
 
These measures are entirely prudent and worthwhile.  However, would they have been effective in reducing the risk of exposure to the types of fraud in the scenarios we have just been considering? 
 
Fraud on Firm A — analysis
In addition to apparent penetration of IT systems, this form of client bank account theft has relied on persuading staff in the firms’ cashroom/finance teams to reveal security information (or otherwise comply with the fraudster’s instructions) and thereby to facilitate access to client bank accounts via online banking.  
 
Fraud on Firm B — analysis
In the transaction involving the fake law firm, the fraudsters relied on solicitors failing to detect that they were corresponding with a non-existent law firm and, crucially, failing to spot an irregularity in the bank account details provided in the bank transfer instruction. 
 
Conclusion
These real life examples demonstrate the diverse nature of the external fraud risks to which law firms are exposed, and prove that a methodical approach to risk avoidance or, perhaps more realistically, risk reduction is called for.  This requires a range of measures starting, importantly, with risk awareness and including a set of targeted risk controls.  We can see that:
  • The profession is exposed to a range of different types of external fraud/scam; 
  • A 'con trick' to induce disclosure of security information is one method used by fraudsters to access systems and bank accounts;
  • Fraudsters are capable of breaching IT security by hacking and penetrating computers/networks with malware; and
  • Fraudsters are determined and persistent.
The risk alerts also highlight a number of important risk management points: 
  • The need to maintain awareness of current frauds and scams by reading risk alerts and other sources of warnings;
  • The importance of ensuring that all colleagues including finance team colleagues are fully aware;
  • A weak link in the firm’s risk awareness/controls can undermine the best efforts of everyone else in the firm;
  • Never disclose password, PIN, or other security information; and
  • Don’t allow yourself to be persuaded/tricked into believing someone is bound to be genuine just because they have private information about you, your practice, your bank account, bank account transactions, or your clients. 
 
RISK CONTROLS
Fake law firms, and fraudsters impersonating employees of a law firm, have been a particular concern to the profession and the public at large.  It is suggested that solicitors adopt a consistent approach, especially where the transfer of monies, particularly clients’ monies, is involved.
 
Red flags to look out for:
  • A strange or suspicious bank account name (eg the account not being in the name of the firm);
  • Bank account details inconsistent with those generally used by another firm;
  • A firm based in one part of the country with a bank account in a different area;
  • An overseas client account;
  • Any other discrepancies/anything suspicious in bank transfer details.  For example, to confuse a receiver, a bank account name may appear similar to the name of another firm but with a company/business registration number added;
  • Errors in the letter heading on letters received (eg misspelt solicitor names, named partners, branch offices, and place names).  Check whether it is an original or a scanned copy of a firm’s letterhead, and whether there are any marks of it having been tampered with;
  • No landline telephone number is available (check the Malaysian Bar website); and
  • An email address or telephone and fax numbers inconsistent with those generally used.
 
What can you do:
  • Check the directory of solicitors available on the Bar Council website;
  • Telephone and speak with an employee of the firm with whom you are familiar to verify the instructions; and
  • Ask fellow solicitors if they have heard of the name of the other law firm.
 
CONCLUSION 
The Bar Council has been issuing scam and fraud alerts from time to time.  The risk of being duped by a fraudster is real.  It is better to implement these risk management steps seriously among all your partners and employees now rather than regret it later.