David Fleming outlines how email attacks start, the common consequences of an attack and some top tips on how to avoid becoming a victim of the most common cyber scams

Your business email account is the most common entry point for criminals and is at the root of many successful cyber-attacks on lawyers. It’s not surprising that the most commonly used function in a business is the one that criminals seek to exploit. What is surprising is that the security of a firm’s email system isn’t made a higher priority.

Four most common attacks

The most common methods of cyber-attack against firms’ email systems include the following.

1 Phishing

The criminals send blanket emails to every address they have acquired from social media, the dark web and website scraping. They pose as legitimate suppliers and trick their victims into giving away their email login credentials. In our simulated attacks, 20% of untrained staff typically fall for this type of attack.

2 Malicious attachments

Emails with fake attachments will tempt the recipient to open them with headings like ‘missed message’, ‘urgent invoice’, ‘bank statement’ and so on. The attachments contain malicious code that will attempt to take control of your computer in some way.

3 Account hijacking

With credentials purchased from the dark web, by automatically breaking weak passwords, or by tricking recipients with phishing attacks, the criminals can gain access to an email account. They log in as you, with full functionality including access to all your email history.

4 Spoofing

The criminals create their own email accounts and pretend to be you. They are not inside your account, but they send emails to employees to try to get access to business systems and data.

Three consequences

The consequences if the criminals are successful can be catastrophic.

1 Ransom

This is the most damaging consequence and can mean the end of a business. Criminals use the access they have gained first to steal confidential and personal information, and then to encrypt IT systems. They threaten to release the data if the firm won’t pay a ransom fee. The average ransom payment in 2021 was £628,000 and the average business downtime is now 26 days.

2 Virus spreading spam email

This is the most common consequence and results in thousands of emails being sent from your email to every contact associated with your business. The aim of the email is to contaminate their systems with a view to stealing money from them. We don’t need to describe how damaging this can be for a previously trusted business.

3 Payment diversion

The object here is to get money diverted to the criminals’ bank accounts by tricking you or a client into sending money to the wrong payee. There is the obvious financial and reputational damage, and conversations with the Information Commissioner’s Office (ICO) will not end well if a client has lost thousands of pounds because you didn’t protect their data sufficiently.

10 top tips to defend against attacks

Here are the top 10 areas you must address to defend against the greatest cyber threats facing your business.

1 Appropriate business email accounts

Free and basic email systems are not good enough. You may need to upgrade to get the right level of capability.

2 Good employee discipline

Email addresses should be for work purposes only, and you need to make this clear to staff. The dark web is littered with business email addresses that have been used on personal accounts (such as Amazon, eBay, etc.) and have then been lost along with passwords and critical information.

3 Unique, strong passwords and strong authentication

The password should not be a repeat of anything you have used elsewhere, and it is essential that authentication has another factor such as a verification code on your phone.

4 Inbound filters

Get these expertly set and don’t rely on defaults. If done well, they will stop deceptive emails from ever reaching staff inboxes.
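The attachment lures described under ‘Malicious attachments’ and the inbound filtering in this tip come together in the kind of rule an email gateway applies before a message reaches a mailbox. The following is an added example, not code from the article or from Mitigo: a small Python screen that parses a message, inspects each attachment’s filename, and returns a verdict of block, quarantine or allow. The extension lists, the sample message and its filename are all constructed for illustration and are not a complete policy.

```python
"""Screen an inbound message's attachments for patterns an inbound filter should stop.

Added example for this article; extension lists and the sample message are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed lists: executable types that should never be delivered as attachments,
# macro-enabled Office formats that should be held for review, and archives that
# cannot be inspected without extraction.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso", "img"}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}
# Document types criminals like to imitate with a double extension ('invoice.pdf.exe').
DISGUISE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is 'block', 'quarantine' or 'allow'; the default for an unknown type is
    'allow' so that ordinary correspondence keeps flowing.
    """
    name = (filename or "").lower()
    parts = [p.strip() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable attachment type .{ext}"
    # 'statement.pdf.zip' style names hide the real type behind a familiar one.
    if len(parts) > 2 and parts[-2] in DISGUISE_EXTENSIONS:
        return "block", f"double extension hides true type .{ext}"
    if ext in MACRO_EXTENSIONS:
        return "quarantine", f"macro-enabled document .{ext}"
    if ext in ARCHIVE_EXTENSIONS:
        return "quarantine", f"archive .{ext} cannot be scanned without extraction"
    return "allow", "no blocked pattern"


def screen_message(raw_bytes):
    """Parse a raw message and return (overall_verdict, per-attachment results).

    The overall verdict is the strictest verdict of any attachment, so a single
    executable in a message with harmless files still blocks the whole message.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        verdict, reason = classify_attachment(fname)
        results.append((fname, verdict, reason))
    severity = {"block": 2, "quarantine": 1, "allow": 0}
    overall = max((r[1] for r in results), key=severity.get, default="allow")
    return overall, results


def build_sample_message():
    """Construct a sample 'urgent invoice' lure carrying a disguised executable.

    Sender, recipient, subject and filename are all made up for this example.
    """
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "fee-earner@firm.example"
    msg["Subject"] = "Urgent invoice - payment overdue"
    msg.set_content("Please see the attached invoice for immediate payment.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice_7781.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, details = screen_message(build_sample_message())
    print("overall:", verdict)
    for fname, v, reason in details:
        print(f"  {fname}: {v} ({reason})")
```

Run as a script, it prints `overall: block` for the constructed sample; the same `classify_attachment` function can be pointed at any list of filenames exported from a gateway log to see which would have been stopped.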

5 Domain records

The end of your email, @acme.com, is called the domain. There are important records that need to be set in the domain control panel to avoid criminals easily spoofing your address.
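The records the tip refers to are the sender-authentication records published in DNS for your domain: SPF (which lists the servers allowed to send as your domain) and DMARC (which tells receivers what to do with mail that fails SPF or DKIM checks). As an added example, not code from the article or from Mitigo, the Python below parses the text of those two records and reports the settings that leave a domain easy to spoof, such as `+all` in SPF or `p=none` in DMARC. It works on record text you paste in (for instance from your domain control panel), so it runs offline; the sample records and the `example.com` addresses are constructed.

```python
"""Flag SPF and DMARC settings that leave a domain easy to spoof.

Added example for this article; the sample records below are constructed.
"""


def parse_spf(txt):
    """Return {'mechanisms': [...], 'all': qualifier} for a v=spf1 record, else None.

    The qualifier is one of '+', '-', '~', '?' (SPF's default is '+') or None if
    the record has no 'all' mechanism at all.
    """
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms = parts[1:]
    all_qualifier = None
    for mech in mechanisms:
        lowered = mech.lower()
        if lowered.lstrip("+-~?") == "all":
            all_qualifier = lowered[0] if lowered[0] in "+-~?" else "+"
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the tag/value pairs of a v=DMARC1 record (keys lower-cased), else None."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if "=" not in field:
            continue
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []

    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and gives no protection")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid 'p' tag")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no 'rua' address, so you receive no aggregate reports")
    return findings


# Constructed sample records: one weak pair and one hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "->", assess_domain(spf, dmarc) or ["no weak settings found"])
```

The `-all` qualifier and `p=reject` are the settings that actually cause receivers to drop forged mail; `p=none` is useful only as a first monitoring step while you confirm that every legitimate sending system is listed. DKIM is the third record in the set; it is not parsed here because its value is a public key rather than a policy, and the useful check is simply that the selector record exists and matches the key your mail service signs with.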

6 Staff training and simulation

Make sure your staff get annual training and run simulated attacks to make sure they know what to expect.

7 Access methods

You need a clear policy on how staff access email: for example, from a laptop, from a mobile, through a web browser and so on. The fewer methods you allow, the more access points can be switched off in the security settings.

8 Payment methods

Make sure there is a robust process so that any change to payee details is strongly challenged before it is acted on.

9 Antivirus and browser integration

Your web browser, email service and antivirus software need to be configured to work in unison to stop attacks. This is the most important retrospective control as it is unwise to rely on staff spotting the criminals’ tricks.

10 Alerts and blocks

Make sure that the alerting from security systems is properly configured, is going to your technical support and that rules are set to block rather than allow.

This guide is meant to provide you with a starting point and a roadmap, but do invest some time and resources in getting this right – it will be the best money you spend this year.

We have partnered with Mitigo to offer technical and cybersecurity services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email lawsociety@mitigogroup.com.