Resources

How many emails do you receive a day? For most people, it is a lot. Building upon this, how often do these emails contain a request that is urgent and time-sensitive? Again, for most people, this will be very common. Business is naturally time crucial, wanting to settle matters as quickly as possible is second nature, it is expected.

Importantly, although urgency can aid a business’ ability to thrive, it can also be a major flaw. It can lead to oversight of the suspicious activity.

In the world of business, and no doubt many individuals’ personal lives too, this type of oversight has often led to funds mistakenly being transferred into fraudulent accounts. 

In cases where fraudsters act as ‘bogus bosses’ sending out emails requesting funds, staff blindly following orders can lead to serious losses. Many employees will have their guard down when they receive an urgent email from a boss.

According to an article from the INFOSEC, this type of “CEO fraud” is costing businesses across the globe millions (if not billions) a year. Several other articles have also reported the impact of bogus boss fraud emails, including BBC, The Geek Guys and RBS. 

For example, the accounts department receives an email from a board member requesting payment of funds, perhaps to settle a court case or to enable an important deal. This in itself is not out of place, and it would not be uncommon for such emails to inspire urgency.

However, although the email seems genuine, that may not be the case. A criminal after doing some reconnaissance into the company’s high-level staff and those who are in control of payments may successfully spoof a request to defer funds into their own fraudulent accounts. This reconnaissance leads to greater ‘success’ for the fraudster but, more worryingly, a greater impact on the business’s financial health.

Using the guise of a ‘bogus boss’ uniquely increases the likelihood for many honest and hard-working employees to redirect payments to a fraudster. A way to mitigate the risk here is to ensure that your staff are provided with regular and quality training, fraudsters are constantly improving their craft and it will take diligence to stay ahead of them. It is also worth creating strict policies and procedures for when payment details are sent and received, a simple technique could be to require that any account details and any changes to them are verified through two forms of media, i.e. via email and a telephone call. Please use the contact form to reach out to us if you would like more information on training or policies and procedures to best protect your business. 

Furthermore, with a sudden and drastic increase in the number of individuals now working from home due to the impact of Covid,  Nicholls Law cannot help but wonder what impact these types of ‘bogus boss’ emails will have on businesses going forward? Staff newly working from home, eager to show they are working hard, might be fooled more easily than they would have been while working in an office environment. 

Moreover, this interesting article by Financial Times reiterates those fears, as they reported a sharp rise in attempted scams in the weeks at the start of the first lockdown. 

If your business or you personally have been affected by ‘bogus boss fraud emails’ or other types of fraud, please contact us for a FREE initial consultation. 

The ‘This or That’ trend seems to be taking off on social media. We thought we’d jump on the bandwagon and give some insight into the decisions that solicitors and other legal professionals will make daily, which often help them avoid trouble later down the line.

Litigation work is our firm’s ‘bread and butter’. Sadly, much of litigation work tends to be reactive instead of proactive. However, working on the opposite side of things has given us key insights into how to avoid problems before they arise. We have written this blog in the hope we can impart some wisdom to help you proactively avoid problems.

LPA or COP

An LPA is a Lasting Power of Attorney and a COP is a Court of Protection order (Deputyship Order). In practice, these aren’t that different. What does make them different though is speed and efficiency. An LPA is something that you put in place before you lose capacity and allows others to legally make decisions on your behalf. The transition here is smooth and means you are always protected. Not having one in place, means that when you lose capacity (temporarily or permanently) you, your family, and your loved ones lose the ability to make decisions on your behalf. The decisions then fall into the hands of the local council and courts. You can apply for a Deputyship Order to allow your loved ones to make these decisions for you, however, there is approximately a 9-month delay between making an application and the courts granting an order. This means 9-months with strangers making your health and care decisions, including medical and care home placement decisions. And nobody able to progress financial decisions such as accessing your bank account, or selling your property to fund care home fees.

Therefore, the wise choice is to get an LPA in place early, well before the time you will need it, to ensure you are protected later in life.

Cash or Trusts

Put not your trust in money but put your money in trust” – Oliver Wendell Holmes US physician and author 

Money, and other assets, are susceptible to a myriad of threats and risks. Trusts can be an excellent way to mitigate that risk. For example, you may wish to bequeath an asset to a young member of your family but are worried that they may “blow” their inheritance but you want to give them it as an investment. Putting this asset in a trust would enable you to have some control over how that asset is used. Trusts can also help protect assets from claims made by partners in divorce proceedings or financial institutions in bankruptcy proceedings.

Trusts are very powerful and can help in a variety of ways, however, they are very complex, and therefore expert, personalised advice is needed. There has to be a legitimate reason for setting up a trust. A trust set up with the main purpose being to hide assets from creditors, spouses and to avoid paying care home fees for example are liable to be set aside under the law. Help is at hand. We can help guide you through the maze in this complex area. Message us today to arrange a call back from one of our Elder Client Estate and Asset Protection team members.

Litigation or ADR

Alternative Dispute Resolution (ADR) is usually the better option than litigation as it can save time and money. Litigation can be very costly and, due to court timetables and official procedures, litigation is very time-consuming. This can result in years of legal battles, expenses and avoidable stress. Furthermore, litigation has far less control over the outcomes than ADR. In ADR all parties are able to decide for themselves how they would like to settle, whereas in litigation the decision is left to the judge on the day which is likely to have an outcome which at least one party won’t like. Moreover, when matters go to trial they are no longer confidential which means anyone can find out about your business.

It’s important to note that ADR does not always work out, as sometimes parties just cannot see eye-to-eye. Therefore, a third party (the judge) needs to make the decision for them. However, it is important to attempt ADR before starting litigation.

Will or Intestacy

Throughout the year, you make many decisions for how you spend your money and who you gift it to; whether that’s Christmas presents, Easter Eggs, or supporting charities. You like to choose who you’re giving things to and how much. So, why not do the same when you pass away? As, broadly speaking, this is what you are doing with a Will anyways. Importantly, this gives you control over your wishes after you are gone. Furthermore, the Intestacy Rules are very limited and do not suit modern life, which could lead to some of your loved ones missing out. Importantly, dying without a Will in place costs estates around £9,700 in lost assets only, not including fees, inheritance tax or ‘heir hunters’ and also could make probating the estate far more complicated.

Therefore, the clear choice for a lawyer is to proactively take control and make a Will, instead of leaving it up to someone else to decide where your assets go.

Bespoke or Generic

With the wonders of the modern internet, it takes just seconds to have a variety of generic, DIY legal documents fall on your lap with one simple search. And although a solicitor will always encourage you to have something in place instead of nothing, we’d also always encourage you to have a bespoke document drafted by professionals. Whether that’s a rental agreement, building contracts tenancy, Will, loan document, employment contract, privacy agreement, and so on. It’s important to get a bespoke document that actually reflects your true needs. Importantly, using online templates can impact the legitimacy of your document and could lead you to awkward or costly situations that could have been avoided.

Bespoke advice is always key and will always be what lawyers are drawn to. Importantly, at Nicholls Law, we appreciate that budget can be an impacting factor for why individuals may choose generic or DIY documents over professionally drafted ones. Therefore, we offer the ‘Goldie Locks’ style service with three levels, Papa Bear service where we do everything for you, Mama Bear where we work together, or Baby Bear where you do most of the work but seek our advice on specific queries. Speak to us today to find out more. 

Contract or Handshakes

Chivalry is dead – although we like to believe that handshakes are a signifier of trust and mutual understanding as well as an indicator of future behaviour, sadly, that is not always the case. Believe us, we have seen enough cases where something was shaken upon but then lead to later conflict. Having a contract in place is important, as this a formal record of what was agreed, that works both as a reminder and a measurement tool to ensure both parties are acting in an agreed manner.

Handshakes are a great place to start agreements, however, they should always be finished with a formal contract which is what a lawyer will always choose.

Verbal or Written

Building upon the previous point, you always want to ensure you get as much as possible in written communication. This will give you a paper trail of physical evidence, which – if needed – you could use at a later point in court. With verbal evidence, it is much harder to prove what was said and agreed. Furthermore, verbal agreements can easily be clouded with differences in understanding or forgetting certain details, unless they have been appropriately recorded. They also give much more opportunity for someone to change their mind or manipulate parts of the agreement.

Therefore, it is always recommended to get a confirmation in writing for anything agreed upon.

Password123 or Multi-Factor Authentication

Password123 is one of the most common passwords used today. Other popular passwords include; qwerty, password, 123456, picture1, abc123, iloveyou, letmein and princess. For a hacker, it would take them mere milliseconds to crack your password and gain access to your account. This puts you at risk. Aside from creating strong passwords that are unique for all your logins, multi-factor authentication is an excellent method to provide an extra layer of security. As they would not only need to crack your password but also access your authenticator/s, such as phone, app or email. In most cases, it is quick and easy to set up and the upside of the added security far outweighs the inconvenience some may feel this causes.

When deciding passwords and security remember that you are trying to make it difficult for a computer – not humans. Computer security is a priority to lawyers and should be a priority to you too.

We hope you enjoyed this blog and it gives insight into the types of choices that lawyers make and, hopefully, will enable you to avoid problems in the future. If you would like to contact us to talk through any of these points, please do. We look forward to hearing from you.

*Notice: This blog does not constitute legal advice*

There is a big difference between a Will that is written and a well-written Will.

We deal a lot with contentious probate, where often a Will has been poorly written, and this can mean that the wishes are unclear. Resolving a poorly-written Will after-death is lengthy, costly, and stressful. In the main, this can be avoided by instructing specialist advice before the Will is needed.

Furthermore, recent statistics indicate that around 65-75% of individuals die without a Will in place. When somebody dies without a Will in place, this means that their estate is distributed in accordance with the strict intestacy laws which take no account for someone’s wishes. This means that the majority of individuals miss out on the opportunity to have the final say on what happens to their worldly possessions.

The laws of intestacy are a ‘one-size-fits-all’ approach, which does not reflect modern life entirely. Family structures have changed. In society, there are more now blended families. More unmarried couples. More people not having children. More family disputes. These changes can lead to individuals needing a specialist Will to reflect their wishes, so their loved ones are not left empty-handed.

Furthermore, not having a Lasting Will and Testament in place can mean that the beneficiaries are landed with large inheritance tax bills which can otherwise have been avoided through careful planning. Inheritance tax is set at 40%, so your estate can easily diminish without careful planning.

Additionally, you may need to appoint guardians for any children aged under 18 years of age and trusts to safeguard the future of your children of grandchildren.

In summary, there is only one way of truly knowing whether your Will is well-written and that’s by talking to experts. Luckily, at Nicholls Law we are currently offering FREE Will reviews.

For more information on Wills, please check out our Wills page.

*Notice: This blog does not constitute as legal advice*

Is it possible to make a Will during the COVID-19 pandemic?

In short, yes. It presents challenges, but most can be overcome. Please read our guidance below.

Our own mortality isn’t something we like to think about too much, but the COVID-19 pandemic has prompted many of us to check that our personal affairs are in order. A large part of this is ensuring that we have an up-to-date Will. In fact, many solicitors are seeing a large increase in demand, with double the number of enquiries. Indeed, many NHS managers have recommended to their key workers that they make sure that they have a valid Will.

But how can I get my Will witnessed?

In order to be valid, a Will must be signed in front of two independent adult witnesses. Usually, witnesses are friends, neighbours, work colleagues, or staff from the firm that prepared the Will for you. However, beneficiaries cannot be witnesses. Clearly, the current lock-down makes this difficult, particularly as the two witnesses cannot be close family members unless they forfeit their entitlement under the Will.

As a result of COVID-19, we are adapting our normal processes so we can still help you if you need a Will.

So how will you take my Will instructions?

Will instructions are almost always taken by meeting with you face to face. As this isn’t currently possible, our team can take Will instructions through video meetings using Zoom, Skype, Microsoft Teams, WhatsApp or Facetime. This means that we don’t need to visit, and you can stay safe in the comfort of your own home. If you’re not able to use any of these options, we can take instructions via the telephone.

Can you send my draft Will to me by email?

Yes, we often email draft Wills to clients, as this is the quickest way for you to make sure that the Will accurately reflects your wishes. We do understand, however, that not all clients have or are comfortable with email. If this is the case for you, we can send you a printed copy in the post (whilst the postal service remains available).

OK, that’s all good, but how do I sign my Will?

The Ministry of Justice has been asked by the Law Society and the Society of Trust and Estate Practitioners to relax the legal requirements for Will signing during this current crisis. However, at the moment, both yourself and your two witnesses must all be present at the same time to witness and sign your Will.

If you’re able, one solution might be to enlist the help of neighbours. For instance, you could use your garden, with you and your neighbours respecting social distancing by keeping two metres apart over a garden fence, each wearing gloves and using your own pens to sign.

If this really isn’t possible for you, then in exceptional circumstances, we would permit two members of the Nicholls Law team to visit you at your home to witness the signing of your Will. Naturally, it would be essential to maintain the appropriate two-metre distance to keep everybody safe.

What if I absolutely cannot sign my Will in front of two witnesses?

Whilst not ideal, the last resort would be to sign your Will without witnesses (still making sure you date it). Your Will would not be regarded as legally valid but could, instead, be used as a “Letter of Wishes”. Extra steps would be needed to ensure that your wishes were followed and, unlike with a legally valid Will, it would only work with the agreement of your family.

How do I contact the Nicholls Law Team?

If you have further questions or would like to book an appointment to make your Will, please do get in touch today, using the details below (all staff are currently working remotely, but will be happy to take your enquiry by email or telephone).

*Notice: This blog does not constitute as legal advice*

It all starts with spam…

Employees are vital in the everyday operations of a business. They are gatekeepers to swathes of lucrative data. This becomes particularly evident when considering the impact of phishing attacks on businesses, the diligence of employees is one of the most potent tools in defending against data breaches and cyber-attacks. Read below for some steps that a business can take to aid their employees in this aspect.

First off, what is phishing? How does this relate to spam emails?

The National Cyber Security Centre (NCSC) describes phishing as “a type of social engineering where attackers influence users to do ‘the wrong thing’, such as disclosing information or clicking a bad link.”

Phishing attacks occur mostly via email, but can also occur via text message, social media or by telephone. Phishing attacks can be used to steal sensitive information, install malware, sabotage systems or defraud money.

What people often refer to as spam email, is coined phishing in the cyber-world, threat actors cast a line (or millions) and wait for a payday.

Tip 1:

Create and maintain a policy whereby employees are not allowed to use their main business email addresses when signing up for services or websites.

This includes services that are specifically related to an employee’s daily duties.

Instead – supply your staff with secondary email addresses which are to be used for this purpose.

Why?

Data breaches have many knock-on effects, one of which is spam. When you sign up to a service or website, you are trusting that company with your information, and if that company suffers a data breach, that information becomes public knowledge.

Threat actors will seek to monetise this information. Among other things, the many thousands of email addresses will be added to databases of potential phishing targets. Threat actors will use these databases to send out millions of phishing attempts, with minimal effort.

The purpose of this tip is to keep your company’s main business email addresses as clean as possible, reducing spam, and reducing the chance of threat actors being able to contact your staff directly.

It will not aid in avoiding more sophisticated spear-phishing attempts (where attackers research your company beforehand to inform their attacks), this tip will simply help to reduce the volume of spam received from automated attacks.

Tip 2:

NEVER click on any links OR allow images/files in emails to be downloaded from unknown senders.

This includes images in the body of an email where your mail client may ask if the sender is trusted and if the images should be loaded/downloaded.

Why?

This is for several reasons, files and images can perform many malicious tasks on your computer if downloaded, such as open a backdoor to an attacker, and images in the body of the email can be used by threat actors to track who opens emails (among other things).

Even when the sender is known, employees should still maintain a degree of scepticism. Threat actors could have compromised another legitimate business’ network and launched the attack from there.

You can set up email clients to automatically block all extra content and ask for permission even when the sender is known. Though this may make employees complacent, and indeed cause a reverse effect on security.

Tip 3:

Train your staff.

Although Tip 1 will help reduce the amount of spam received in your employees’ main email accounts, it is still likely that they will receive spam – unfortunately, this cannot be avoided altogether. Therefore, the next step to take is to train your staff.

Why?

We urge all staff to read through advice on spotting spam emails. Some common features would be that spam often has typos or general irregularities i.e. the sender email address is not correct (john.doe@companyy.com instead of john.doe@company.com) or the formatting of the email is strange.

Some phishing/spam is more targeted and convincing, however, so the most important advice is to create a work environment where all staff stay vigilant and be cynical of any emails that ask them to do anything (especially urgently), i.e. click this link to re-activate your account or the whole world will implode.

Finishing points

Action Fraud, the UK’s National Fraud & Cyber Crime Reporting Centre, reports that it received over 8,000 reports of phishing scams every month – with around 70% of those coming from email. Furthermore, according to a report from Verizon, 23% of people will open a phishing email.

You can check if your email has been compromised on the ‘Have I Been Pwned’ website. You can also sign up for notification, to notify you if your email has been ‘Pwned’. If any accounts have been found, make sure to change your passwords as soon as possible.

Avoiding spam and phishing attacks is one of the first steps a company can make towards improving their cybersecurity tool kit. As recent reports suggest, it is not a question of if a business experiences a data breach but when.

Moreover, data breaches can severely impact the day-to-day functioning of a business. However, cybersecurity expert Theresa Payton recommends to “fear not the breach” but instead ensure you develop a “cybersecurity playbook”. Having a playbook or policy in place before a breach saves business valuable time and money. Nicholls Law works closely with a variety of experts in this field and can offer advice on this process, as well as advice after a data breach. Speak to Nicholls Law today to get your cybersecurity playbook and forensic readiness policy in place today. Alternatively, visit our specialist Fraud & Cyber Risk website.

*Notice: This blog does not constitute as legal advice*

Issues with Data Breach Liability

For many organisations, it is simply a question of when, and not if, a data breach will occur. There are many approaches to data security that a company can take, but this does not fall within the scope of this blog. Instead, we aim to enlighten you regarding data breach liability following a cyber attack. Furthermore, we want you to become better equipped for facing data breach liability issues. Let us hope that you will never be victim to a serious cyber attack, though, and that this insight will never be needed.

Cyber attacks are no two the same, because of this, there are many considerations to be made. Motivation of the attacker, damage to the data subject and how the stakeholders are affected are just some examples of the key elements involved. Mindful of the potential liability that can surface, necessary action following a cyber attack must include considerations of the aims of those suffering the losses. Since GDPR, data subjects have become a prominent focal point for many businesses, more transparent data practises are being employed across the UK. This is good news because, in this day and age, our personal data is scattered among many companies.

Someone needs to be accountable for losses. Someone needs to pay the ferryman… but who? First, let us look at the bases for claims.

Claims

Claims may both arise on behalf of, and against the company who suffered the data breach. Whether it be an employee, partner or third party perpetrator, the victim company will seek to claim against the threat actor who ultimately brought about the loss. The victim company will likely also become defendant to claims brought against them. After all, it is possible the data breach constitutes a breach of contract, or the attack may have followed a failure by the target company to meet basic standards of data protection, there may have been a negligence in patching known errors in software, or even just a lack in ability to establish and maintain resilient data protection practices. The limit is, somewhat, the imagination. The company hit by the attack is not the sole victim, they are not the only one experiencing a loss resulting from the data breach. 

The data subjects will seek to bring forward claims based on losses in integrity of their personal data. This may be against the data controller / processor, or the threat actors who are responsible for the breach. Data subjects can do this individually or on a group basis. 

Who else wants a piece of the pie?

There is also the potential for third parties to raise claims. This will be based on losses suffered in a more indirect respect to the data breach. For instance, where there has been a wider impact on a supply chain involving other organisations.

Where they seek to prevent unauthorised access to data, third parties may bring forward claims to secure the recovery of data assets held by the victim company, whether or not this data was affected by the breach. This will be in an effort to protect the interests of the rightful owners for such data. They may also seek to acquire information that will lead to the identification of those responsible for the data breach. 

Central to all defences against liability will be the exact contractual obligations that are in question of being breached; the facts upon which it is said that the supposed threat actor is responsible; or the basis upon which some level of duty has been imposed as a result of the breach. 

Companies can make counter claims against sanctions or regulatory action with regard to the nature and imposition of any action or penalty. As well as seeking to challenge the bases for the original regulatory decision being made.

There will be questions of civil and criminal law. Independent regulators will need to be involved. Stakeholders will need to be kept in the loop. Because of this, there needs to be considered a full landscape view of the liabilities that a victim company must consider. This will be covered in further blogs on the topic of Data Breach Liability to follow. 

This short piece is the first in a series of blogs on data breach liability.

The second blog will outline the full landscape view of data breach liability.

Nicholls Law, Experts on Data Breach Liability

*Notice: This blog does not constitute as legal advice*