Law firms are an increasingly attractive target for cybercriminals – and private client solicitors, who often hold data on high-net-worth clients, are obvious prey. Robert Rutherford explains how you can stay safe, and remain one step ahead of the scammers
High-profile cyber-attacks are continuing to make national headlines on a weekly basis, and affecting governments, businesses and customers at an alarming rate. Law firms and their clients are prominent targets for cybercriminals – recent research from Hazlewoods revealed that over a six-month period, £2.5m of client funds were transferred by lawyers conned into sending monies to fraudulent accounts.
The most common scam used by cybercriminals to target law firms is the ‘business email compromise’ (BEC) scam. In this scenario, an employee is tricked into believing that they need to make a bank transfer to a known external account, but inadvertently ends up sending these funds to a cybercriminal, either an individual behind a computer or, in some cases, a larger criminal organisation. This is also known as ‘conveyancing fraud’ or ‘CEO fraud’, depending on the target at hand.
Focusing on the weakest link of a firm’s security – an employee sitting at their desk – is the most successful method for these fraudsters. A BEC scam can take place in one of two ways: either the client is targeted, or the law firm itself is compromised. Whichever approach is taken, the criminal will typically email the law firm or the client, asking them to make a payment. In most cases, the bank details of the employee or the client will have been changed from an earlier exchange, which means that the money is sent to a fraudulent account.
The increased frequency of these cases is a matter of real concern, not only for the clients whose money is transferred outside the firm, but for the firms themselves. Alongside the reputational damage that can be caused by this type of breach, firms can be fined for a lack of security practices under new legislation such as the General Data Protection Regulation (GDPR), which comes into force in May 2018 (for more information on the GDPR, see page 3 of this edition).
Why are law firms such a prominent target?
Law firms are an incredibly attractive and lucrative target for cybercriminals, as these organisations typically have access to large amounts of funds and a wealth of confidential data on their systems. Despite these threats, the majority of law firms are still utilising standard, unprotected emails to share clients’ bank account and other personal details.
Firms dealing with private client data are a particularly desirable target. Gaining access to a firm’s network, and therefore its client data, often gives cybercriminals access to other information as well, such as a client’s lasting power of attorney privileges. In this situation, a fraudster can use this information to direct transactions to alternative accounts, gain personal financial details and, in some cases, even begin to sell an individual’s assets.
Law firms need to be aware that cyber-attacks are never carried out at random, and can often take weeks or even months of planning.
Hackers are now employing increasingly intelligent methods to gain access to the inner workings of a firm, in some cases by combining emails, calls and physical visits in order to ‘socially engineer’ employees into performing particular actions or divulging confidential information.
A breach of a high-value client’s data could result in a ‘double whammy’ for law firms – the firm could not only incur huge fines, but also suffer significant reputational damage. For cybercriminals, this is a win-win situation – their own reputation is increased for accessing a proverbial data goldmine, and they have potentially transferred huge amounts of client funds outside of the firm.
Recognising the warning signs
The first step to recognising a scam email is to remember that any message can be from a cybercriminal; even a seemingly legitimate, polished email could still pose a risk to a firm. There are several warning signs to look out for if a member of staff thinks an email may be suspect.
In each of these cases, it is important to train employees to trust their instincts and flag any emails which could be fraudulent – either to the IT team or an appropriate member of staff. The following is a minimum list of warning signs that all employees should look out for.
- Don’t trust the displayed name on the email – a name displayed in the ‘From’ box is not a guarantee of the sender; it is important to consider the email address and the name together.
- Check the domain – with the previous step in mind, double check whether the sender’s email address looks valid. Many scam emails use a domain name which is similar to the legitimate domain in order to fool a recipient.
- Look, don’t click – hovering a mouse over a link without clicking on it will allow a user to see the web address displayed. If it doesn’t directly reflect that of the sender, users should treat the email with caution.
- Spelling and grammar mistakes – scam emails often don’t seem very polished and may contain errors. If this is the case, the email may not be legitimate.
- Look at the salutation – if the person emailing usually addresses you by your first name, but now begins with ‘Valued customer’ or ‘Mrs Smith’, for example, this could be another sign of a scam email.
- Don’t send sensitive information via email – if a trusted sender is asking for sensitive information via email, it is best to pick up the phone and validate the details by speaking to the sender personally.
- Beware of ‘urgent’ emails – if an email sounds urgent, take the time to think, analyse and if necessary ask for advice. If the sender is threatening to stop a service or is making a demand of some kind, discuss the situation with the relevant colleagues to determine whether the demands are legitimate.
- Consider the layout of an email – it is common for cybercriminals to not get the ‘look’ of an email right in terms of layout and images, so if an email appears different from normal correspondence, this should be a red flag.
- Be wary of attachments – email attachments can be dangerous if the file type isn’t from a standard program like Word, Excel or a PDF, and employees should be especially wary of those ending ‘.exe’, ‘.cmd’ and ‘.com’. Zip files should also be treated with caution, as they can often hide dangerous files from virus protection systems.
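The checklist above can also be applied mechanically, so that suspect messages are flagged for a person to review before anyone acts on them. The script below is an added example written for this article, not the author's or any firm's tool; the known domains, the regular expressions and the sample message are constructed placeholders, and a match is a prompt to verify by phone, not proof of fraud.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Domains the firm genuinely corresponds with (assumed placeholders, not real firms).
KNOWN_DOMAINS = ("example-law.co.uk", "client-bank.example")
RISKY_EXTENSIONS = (".exe", ".cmd", ".com", ".zip")
URGENCY = re.compile(r"\b(urgent|immediately|within the hour)\b", re.I)
GENERIC_SALUTATION = re.compile(r"\bdear\s+(valued customer|customer|sir/madam)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_email(raw, known=KNOWN_DOMAINS):
    # Apply the checklist to one raw RFC 822 message; return a list of warnings.
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Read name and address together: a display name that is itself an address elsewhere is a spoof.
    if "@" in name and name.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"display name '{name}' hides real address {addr}")
    # Near-identical but not equal to a known domain: a lookalike registration.
    near = [g for g in known if g != sender_domain
            and SequenceMatcher(None, sender_domain, g).ratio() >= 0.8]
    if near:
        findings.append(f"sender domain {sender_domain} imitates {near[0]}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgent language in subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        if GENERIC_SALUTATION.search(body):
            findings.append("generic salutation instead of the usual name")
        for href, text in LINK.findall(body):  # "look, don't click": inspect the real target
            host = (urlparse(href).hostname or "").lower()
            if host != sender_domain and not host.endswith("." + sender_domain):
                findings.append(f"link '{text}' points to {host}, not the sender's domain")
    return findings

# Constructed sample (not from the article) showing several warning signs at once.
SAMPLE = """From: "jane.smith@example-law.co.uk" <jane.smith@examp1e-law.co.uk>
Subject: URGENT: updated bank details before completion
Content-Type: text/html

<p>Dear Valued customer,</p>
<p>Please pay via <a href="http://payments.example.net/form">the secure portal</a>.</p>
"""
```

Running `check_email(SAMPLE)` returns five warnings for the constructed message, one per checklist item it trips; a genuine message from a known domain with a personal salutation and no links returns an empty list.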
How is cybersecurity changing in the legal sector?
The cyber-threats facing law firms have not actually changed much over the past 20 years; it is the criminals behind them who are becoming more organised and more prominent. Furthermore, there are now multiple angles of attack to consider. Email is a crucial factor, but USB sticks, cloud storage, databases, and any other online location where private client data can be accessed are also at risk.
Industry regulators such as the Solicitors Regulation Authority are becoming increasingly focused on information security and strengthening the requirements for law firms to prove that they have robust measures in place. This will only be amplified once the GDPR comes into force next year. At the same time, clients are also becoming more security-savvy, with many now demanding that law firms prove their security credentials, even at the pitching stage.
Winning new business isn’t the only reason that firms need to demonstrate tight security. Solicitors are increasingly having to deal with client concerns outside of work hours and when they’re away from the office. This new way of working means that solicitors often need to work across mobile devices and away from established office networks, while still maintaining the highest levels of security.
For today’s law firms, the challenge of maintaining modern working practices while keeping confidential data beyond the reach of cybercriminals is a key concern. In some firms, ‘bring your own device’ (BYOD) strategies are still commonplace, but these too bring additional security concerns. All private client data needs to be secured, whatever device is being used, which means that firms need to use advanced technologies to prevent data leaks.
From May 2018, the GDPR will also have a role to play. Aimed at harmonising data protection laws across the EU, this new regulation will require law firms to think about the personal client data they have on file and how it is processed. Moving forward from the Data Protection Act 1998, firms will be liable for any cyber-breaches which affect client data, and they can be fined up to four per cent of their annual turnover by the Information Commissioner’s Office if found to be at fault. As such, it has never been more vital for organisations to have procedures in place to prevent – and, where prevention fails, respond to – a security breach.
What other steps can law firms take?
In most cases, the secret to defending against cyber-attacks is already contained within the firm itself: the member of staff sitting at their desk. The first step towards achieving tighter security is ensuring that all staff have received sufficient, regular training that will enable them to stop, block and report any suspicious activity.
Firms that train their employees well and keep them regularly updated on new guises and forms of cybersecurity threats will be on the right track. The best way to do this is with seminar-based training, where smaller groups of employees are shown how easy it can be to succumb to an attack using real-life examples from other organisations which have recently fallen victim to cybercriminals, and the impact on the business and its reputation. Additionally, firms should be testing their staff on a semi-regular basis to ensure that they are still aware of the processes involved in IT security and in turn, regulatory compliance. By using these techniques, firms can dramatically increase their defences and help employees to understand the role they play in preventing a security breach.
The only way that a firm can have confidence in its IT security is to understand all of these risks and put suitable controls in place to manage them. The most sensible solution is the ISO 27001 standard, which is the best-practice standard for managing IT security within a business.
ISO 27001 is undoubtedly the best way for a firm’s leadership to understand what the cyber-risks are to the business and the likelihood of an attack, as well as the impact that a security breach would have on the firm. As a minimum, a firm should have a register of all its assets and take steps to understand the risks that these assets face, and what controls can be put in place to mitigate these risks.
When discussing IT security, we are essentially talking about a threat to a firm’s assets, whether that is a PC, a server, or even a member of staff. For a law firm, the largest assets are its client data, its reputation and its brand. The most effective way to protect these assets is for a firm to understand the risks facing it, ensure its staff are regularly trained on the latest forms of cyber-attacks, and ensure that it is ready to act as the first line of defence against an incoming security threat.