Meet Patrick, an experienced finance manager who handles payment processing for a large law firm. In the midst of his daily routine, Patrick received a call from a client who wanted to confirm her bank account information in an email she had just sent. Knowing that the process was a phone call to confirm a client’s bank account information, Patrick was grateful that the client had called to confirm her account information before she went about her daily errands and would be largely unavailable.
Without double-checking, Patrick immediately made the payment using the bank details provided in the email. However, Patrick did not know that the email containing the bank details had been tampered with, so the money was diverted to an unauthorized account.
By the time the error was discovered, the law firm had already suffered significant financial losses and had to make up the deficit in the trust account, damaging its reputation and undermining its client’s trust.
As it turned out, the caller was a scammer who sent the fraudulent email.
Lessons learned:
- Verification protocol: Implement a rigorous verification process for all payment instructions, particularly when received via email or other electronic means. Be aware that internal emails can also be at risk. This may include cross-referencing with previously recorded bank details or contacting the customer directly through established communication channels.
- Two-factor authentication: Use two-factor authentication or multi-level approval systems for high-value transactions.
- Employee training: Provide finance teams with comprehensive training on fraud detection and prevention strategies. Ensure employees are trained on any recovery plans should a breach/loss occur, as quick action is of utmost importance. Foster a culture of skepticism and critical thinking where employees are empowered to question unusual requests and verify information independently.
- Regular audits: Conduct regular audits of payment processes and controls to identify vulnerabilities and strengthen internal controls. This includes reviewing transaction records, monitoring for unusual patterns, and updating logs in response to emerging threats.
In the area of trust accounts, the consequences of weak oversight can be severe. By learning from past mistakes and implementing robust safeguards, law firms can reduce the risk of falling victim to fraudulent schemes and protect the trust account.
Practitioners who have questions about their fiduciary accounting obligations are encouraged to visit the Law Society website which provides resources to assist practitioners.
Practitioners who have further questions are asked to contact the NSW Law Society Trust Accounts Department at (email protected) or (02) 9926 0337.
