Cyber crime: managing the risk | Practical Law


Andy Harris of Hazlewoods LLP explains how law firms can combat the danger of online fraud.

Cyber crime: managing the risk

Practical Law UK Articles 2-638-0875 (Approx. 4 pages)


by Andy Harris, Hazlewoods LLP
Published on 26 Jan 2017, United Kingdom
At the start of 2017, a review of cyber security arrangements should be at the top of every law firm's New Year resolutions.
Hazlewoods LLP acts for over 130 law firms in the UK and therefore has first-hand experience of "Friday afternoon" frauds; that is, fraud that takes place when scammers know that client accounts are most likely to contain large amounts of money just before transactions complete. Hazlewoods knows of thefts of £3.8 million in the last two years (see box "The cost of fraud"). Little is ever reported in the media, as firms do all they can to preserve valuable professional reputations.
Risk is high, and still growing, for firms of all sizes that regularly make large transfers of funds, typically those handling probate work and property conveyancing. But firms can take measures to protect their practices from falling victim to these increasingly sophisticated hackers (see feature articles "Cyber security: top ten tips for businesses" and "Cyber attacks: shoring up the defences").

Growing risks

The use of the internet, social media sites and electronic messaging is growing at an unprecedented rate. It has never been easier to communicate, spend money and operate a business in a virtual environment, often never physically meeting or speaking to the other party to a business transaction. This culture change has facilitated a boom in social engineering; that is, the exploitation of the natural human instinct to trust. Criminals are becoming increasingly clever at taking advantage of this trusting instinct.

Protecting information

Firms need to be alert to the scams employed by bank fraudsters and protect themselves from the dangers attached to unsolicited messages from banks, whether that is the firm's own bank or that of a client.
On all occasions, there is a real need to stop and think before divulging any confidential or personal information (see News brief "Panama papers: time to firm up on cyber security?"). Firms should stay in control of all calls and emails.
The following useful techniques should always be adopted:
  • Verify a caller's identity by calling them back on a known number.
  • Use a different line or mobile number to prevent being simply reconnected to the original caller.
  • Take the time needed to respond, and do not succumb to the pressure of an urgent situation to give an immediate response or bypass the usual financial controls and procedures.
  • Never click on a link in response to an unsolicited email; instead, always access a bank's website by typing its address into the firm's own internet browser.
  • Be suspicious of all email attachments from untrusted sources as they may appear to do nothing at all but can activate spyware in the background.
  • Remember that banks will never call or email to ask for security information such as a password, or to transfer firm or client money to a new account for safekeeping.

Protecting client money

Client funds are particularly vulnerable to fraud due to the size of the transactions, the knowledge that they will be transferred at a particular defined date and time, and that payments are regularly one-off transactions to bank accounts unfamiliar to the firm.
Some simple steps can be put in place to ensure that the client is made aware of the potential threat without needlessly alarming them that their money is at risk:
  • At the initial client meeting, provide written details of the firm's client account bank details in person, and confirm that there will be no changes in banking arrangements during the course of the firm's engagement.
  • Produce a leaflet making clients aware of bank scams and how to protect themselves as part of the firm's client care literature.
  • Inform clients that, if they receive communications in any form relating to a change in payment instructions or the firm's bank account details, they should contact the firm using the number on the firm's website or other number known to them.
  • Confirm the client's own bank account details at the start of the engagement by requesting to see bank statements. Treat any change to payment instructions with the utmost caution and verify by telephoning the client on a known number. Authorisation by email is not necessarily sufficient.
  • Further validation checks can be made by subscribing to services such as lawyerchecker.co.uk.
  • Be suspicious of any transaction or engagement conducted entirely by email.
When operating an online bank account for client money, always use strong passwords (a combination of capitals, lower case, numbers and other symbols), never share user credentials and limit access to those who really need it. Access should be disabled for absent staff. Dual authorisation of payments and the introduction of payment limits are also advisable, but firms frequently view these measures as impractical.
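The controls in this section (written bank details captured in person, telephone verification on a known number for any change, dual authorisation, payment limits, and disabling access for absent staff) can be expressed as a payment-release check. The following is an added example written for this page, not code from the article, Practical Law or Hazlewoods LLP; the payment limit, the absent-staff list, the user ids and the bank details are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical policy values for this example; a real firm sets its own.
PAYMENT_LIMIT = Decimal("250000")          # single-payment ceiling in GBP
ABSENT_STAFF = frozenset({"jsmith"})       # staff on leave whose access should be disabled


@dataclass(frozen=True)
class BankDetails:
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class PaymentRequest:
    matter_id: str
    amount: Decimal                  # GBP
    payee: BankDetails               # account the funds are about to go to
    instruction_channel: str         # how the latest instruction arrived: "in_person", "phone_known_number", "email"
    verified_on_known_number: bool   # firm called the client back on a number it already held
    approvers: tuple                 # user ids who authorised release
    engagement_channels: frozenset   # every channel used with the client during the matter


def review_payment(req, details_on_file, absent_staff=ABSENT_STAFF, limit=PAYMENT_LIMIT):
    """Apply the release controls; return the reasons to hold the payment (empty list = release)."""
    reasons = []

    # Changed payment instructions need out-of-band verification; an email alone is not enough.
    if req.payee != details_on_file and not req.verified_on_known_number:
        reasons.append(
            f"payee details differ from those captured at engagement, received via "
            f"{req.instruction_channel}, and were not verified by calling a known number"
        )

    # A matter handled entirely by email is itself a warning sign.
    if req.engagement_channels == frozenset({"email"}):
        reasons.append("engagement conducted entirely by email")

    # Dual authorisation: two different people, neither of them recorded as absent.
    if len(set(req.approvers)) < 2:
        reasons.append("dual authorisation not met: fewer than two distinct approvers")
    for user in req.approvers:
        if user in absent_staff:
            reasons.append(f"approver {user} is recorded as absent; their access should be disabled")

    # Payment limit.
    if req.amount > limit:
        reasons.append(f"amount {req.amount} exceeds the payment limit of {limit}")

    return reasons


def run_examples():
    """Constructed sample requests (fictitious sort codes, account numbers and user ids)."""
    on_file = BankDetails("12-34-56", "12345678")   # captured in person at the first client meeting
    changed = BankDetails("65-43-21", "87654321")   # "new" account supplied later in the matter

    requests = {
        "routine": PaymentRequest(
            "M-001", Decimal("180000"), on_file, "in_person", False,
            ("fee_earner", "cashier"), frozenset({"in_person", "phone", "email"})),
        "friday_afternoon": PaymentRequest(
            "M-002", Decimal("320000"), changed, "email", False,
            ("cashier",), frozenset({"email"})),
        "absent_approver": PaymentRequest(
            "M-003", Decimal("90000"), changed, "email", True,
            ("fee_earner", "jsmith"), frozenset({"in_person", "email"})),
    }
    return {name: review_payment(req, on_file) for name, req in requests.items()}


if __name__ == "__main__":
    for name, reasons in run_examples().items():
        print(name, "-> release" if not reasons else "-> HOLD")
        for reason in reasons:
            print("   ", reason)
```

The "friday_afternoon" request is held for four separate reasons, which is the point of layering the controls: even if one check is bypassed, the others still stop the payment. The "absent_approver" case shows that a verified change of bank details is fine on its own, but an approval from someone whose access should already have been disabled is still a hold.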

Reducing the risk

All businesses and individuals connected to the internet are exposed to the risk of attack from malicious software, known as malware. The worst attacks result in the theft or locking of files, which are only returned to the owner after a ransom is paid, and even then files are not always returned. The ransom amounts charged are usually modest, involving hundreds rather than thousands of pounds, but the true cost can be far greater, such as the loss of reputation, which can rapidly lead to the decline of a previously thriving business.
It is enough to keep every practice manager awake at night, so plans need to be made to make this risk bearable and keep firms practising safe cyber security. There are three key steps.
Firstly, firms should undertake a risk assessment. This will involve: understanding where the firm is exposed to risk, and probably already compromised; identifying how and when information is exchanged within the firm's IT systems; and putting in place measures to detect and prevent the introduction of malware.
Most smaller practices do not have in-house cyber-security knowledge, so it may be well worth seeking expert advice at this stage.
Secondly, firms need to implement a cyber security policy to ensure that all staff are upholding the measures introduced to prevent the spread of malware. Staff training is paramount to the effectiveness of these controls. In the majority of cases, spyware or ransomware is activated by genuine authorised users of the system being manipulated into opening harmful email attachments or divulging confidential passwords.
Best practice would be to assume that the business will be compromised at some point, so firms should prepare for this event by making and practising an incident plan. Firms need to ensure that individuals take responsibility for making back-ups, changing passwords, and downloading only approved software and applications.
Lastly, firms should keep operating systems up to date with the latest versions. It is a false economy to assume that the current system does all that the firm needs it to do. Often the upgraded versions have evolved to combat the increasingly complex malware to which they are exposed.

Reporting fraud

If a firm suspects that it has been the target of a scam, whether or not it was successful, no matter how big or small, it is critical to report all fraud or attempts at fraud to ActionFraud on 0300 123 2040. Such cases can be investigated far more successfully when large amounts of reported data allow separate cases to be linked.
Andy Harris is a director of Hazlewoods LLP.

The cost of fraud

In December 2016, the Solicitors Regulation Authority published figures showing that reported cases of conveyancing fraud from email hacking reached £7 million in the previous 12 months (www.sra.org.uk/sra/news/press/cybercrime-risk-december-2016.page). The UK's national reporting centre for fraud and cybercrime, ActionFraud, calculated the figure lost to the UK economy through fraud, including cybercrime, at £11 billion in 2015/16 (www.actionfraud.police.uk/news/fraud-and-cybercrime-cost-UK-nearly-11bn-in-past-year-oct16).