Fraud Issues for members in practice

This helpsheet has been issued by ICAEW’s Fraud Advisory Helpline to help ICAEW practice members to navigate some of the issues that may arise if they find that they have been victims of fraud.

Members may also wish to refer to the following related helpsheets and guidance:

• The ICAEW Fraud Advisory Helpline
• CCAB – Phishing and Insider Fraud

A member firm has recently processed a request from a client to pay a tax refund, currently held in the client account, to a different bank account than usual. It has since been discovered that the correspondence was fraudulent and the client has no knowledge of the request.

The firm has been the victim of ‘spear phishing’, the fraudulent practice of sending emails that appear to be from a trusted source in an attempt to install malware, extract confidential data or, as in this case, convince the recipient to transfer funds.

If the client is not already aware, they should be informed of what has happened as soon as possible.

The firm should also check its PII (Professional Indemnity Insurance) documentation as it is likely that its insurer will require information about a potential claim as soon as possible.

Since the business has information about a crime with proceeds it will have an obligation to make a suspicious activity report (SAR) to the National Crime Agency (NCA). Read further guidance on SARs. Whilst it might appear as though the firm has very little information about the suspect it will have the details of the account to which it was asked to send the money, as well as an email address (depending on how advanced the spoofing was).

The firm also needs to consider whether it needs to report a reckless breach of Client Money Regulations to ICAEW. This will depend on the facts and circumstances associated with the deception and the policies, procedures and controls in place at the firm.

Read further guidance on preventing and responding to Phishing attacks, written by the National Cyber Security Centre (NCSC).

The firm receives an email advising that they are unable to access data on the server as they have been a victim of a Ransomware attack. They are given a link to a website where they can make a payment in cryptocurrency, after which they will be granted access to their files.
Ransomware is a type of malware that restricts access to data. The system could be locked, or the data on it might be stolen, deleted or encrypted. It is for this reason (amongst others) that law enforcement advise against the payment of such a ransom, since access to data is not guaranteed even following payment. The temptation to pay will be strong since such attacks are often accompanied by a threat to release the data if payment is not made.

The firm should check its PII (Professional Indemnity Insurance) documentation as it is likely that its insurer will require information about a potential claim as soon as possible.

The firm will also need to consider the Data Protection implications of the attack. Specific guidance on Ransomware attacks can be found in our UK GDPR – Data Breaches helpsheet but such attacks are likely to be notifiable to both ICO and affected clients.

Although the business has information about a crime with proceeds it will only have an obligation to make a Suspicious Activity Report (SAR) to the NCA (National Crime Agency) if the ransom has been paid or they have been presented with information suggesting that attackers have been successful in extracting payment previously (read further guidance on SARs). Whilst it might appear as though the firm has very little information about the suspect it will have the details of the website or account to which it was asked to send the money, as well as the email address used to make contact. If the firm does not have an obligation to make a SAR then the appropriate channel for reporting will be Action Fraud.

Read further guidance on mitigating malware and ransomware from the NCSC.

ICAEW members, affiliates, ICAEW students and staff in eligible firms with member firm access can discuss their specific situation with the Fraud Advisory Helpline anonymously on +44 (0)1908 248 250.