Four law firms have collectively lost £2m in recent months after falling victim to so-called ‘social engineering’.

The firms were targeted by scammers who gained their confidence over a period of time to obtain information and access account funds.

The Solicitors Regulation Authority today warned firms to be wary of these fraudsters, who ask specifically for ‘challenge and response’ codes, which are used to authenticate payments and in some cases to log into digital banking.

The SRA emphasised that banks will never ask for passwords or response codes over the phone.

Robert Loughlin, SRA executive director of operations, said: ‘These scammers are very active and convincing. They are highly sophisticated in their approach and therefore very capable of duping many people.’

The banks’ advice is for firms to validate callers by calling a known contact at the bank, preferably using a separate telephone line. There have been examples of tricksters keeping lines open to intercept any follow-on call made by their victim.