Recently we have seen an increase in professionals who hold client money being targeted by hacking scams. Accountants are increasingly being targeted because they are used to handling, and moving on instruction, sums of money for their clients.
The scams work by having employees unknowingly make payments to a criminal's account when they think they are making a legitimate payment to, or on behalf of, a client.
Upon realisation of the scam, the professional is faced with a claim from their client who is seeking to recover the lost sums. The professional then looks to their PI insurers for indemnity.
We have seen an increase in these types of claims against professionals that traditionally hold, or have access to, client monies.
Typically the hacker approaches a member of staff at the professional, often by email, purporting to be a client and requesting that client monies be transferred to a third-party account or that an invoice be paid. The hacker has usually accessed the client's email and is therefore able to mimic previous payment requests.
Whilst these transactions may seem like obvious scams, we have seen examples of hackers going to great lengths to mimic a client, including providing various verification details such as addresses and passwords. Once the transaction or payment is made, either the professional realises the error or the real client contacts the professional querying the payment. After the scam, it is often hard to trace and recover the stolen sums.
Upon realisation of the scam, the insured professional often looks to their PI insurers for indemnity. Whilst these types of exposures may not be risks that PI underwriters traditionally seek to cover, where policies are written on "civil liability" wordings it is possible that the third-party claims by the clients fall within the ambit of cover.
The most effective way for professionals to avoid becoming victims of these scams is to maintain effective risk mitigation and security measures. It is important that not only senior staff, but every member of staff who has access to client money, is adequately educated in handling client monies. Hackers often target more junior members of staff, who may be susceptible to complying with a request from a purported client.
As the demands on the modern client increase, so does the desire for money to be moved swiftly and with increasing ease. In turn, the risk of a professional being the victim of a hacking scam also increases. It is therefore important that robust client money protocols are in place to mitigate these risks where possible.