With most professional services firms on the east coast working from home, there have been a number of recent alerts from government bodies, professional bodies and insurers concerning cyber security risks and threats.
In the legal services sector, Lexon recently issued an alert indicating that cyber claims involving a transfer request coming from a hacked third party were becoming more common. Similar warnings have been issued by the Australian Tax Office, which has seen an increase in scams where people receive text messages or emails from a person purporting to be the ATO and making requests for payment of money via unusual methods.
Two of the biggest risks of working from home include:
- Internet security at an employee’s home is not as robust/reliable as the internet security at the office, and
- Employees may not follow standard office procedures at home.
The convenience of email, the increasing number of people who now have to use it to stay in touch with clients, colleagues and other parties, and the less than ideal encryption on most platforms mean that there is a high risk of funds transfer information being intercepted by a third party before it reaches you. It is therefore essential that, upon receipt of account details or requests for payment, all professional services firms always verify those details and requests. Verification should occur through a different means of communication, such as a telephone call.
Our firm recently issued proceedings and subsequently settled a matter where an accounting firm had failed to take steps to verify bank account details it received via email. The bank details were inconsistent with those already on file and, in fact, had not been sent by the client, as the client’s email address had been hacked. The accounting firm’s failure to make a simple 30-second phone call resulted in the firm having to pay the entire amount back to the client itself.
All professional services firms have an obligation to ensure that the information they act on is correct, and failure to confirm information can have dire legal consequences. Those consequences can include negligence lawsuits from clients, insurance claims being denied and irreparable reputational damage. The impact on your business could easily range anywhere from tens of thousands of dollars to hundreds of thousands of dollars, not to mention the unquantifiable damage from the loss of trust.
Further, an insurer may refuse a claim where the insured has not acted with due care and skill in discharging its duties to its clients. Alternatively, even if a claim is approved, the failure to verify the information before acting on it may have an impact on insurance excesses. Therefore, it is vital that, regardless of whether employees are in the office or working from home, all requests for payments and account details are confirmed, and that employees continue to abide by the other recommendations regarding internet security (for example, not clicking on random attachments from unfamiliar email addresses). It is also good practice to keep a file note of the conversation verifying account details or a request for payment. Whilst that may be a familiar practice for some sectors of professional services firms, there are other sectors that could benefit from adopting the practice.
Employers need to be mindful that employees working from home should follow the appropriate protocols to verify instructions and should not relax those practices just because they are no longer in the office. Whilst it can be easy to forget to make the phone call, or even not to recognise when it needs to be made, when you receive instructions by email relating to the payment of monies, always confirm the request, no matter how small the amount.
Individual liability is limited by a scheme approved under professional standards legislation (personal injury work exempted).