Identity theft – especially the creation by cybercriminals of bogus firms – is one of the biggest risks facing law firms today. But there are some simple steps you can take to mitigate the risk. Rhonda Treacy-Hales explains
It is hard to imagine life without the internet, email and social media. These innovations have transformed the way in which we work and communicate, but they have also left us wide open to the risk of cybercrime. The Solicitors Regulation Authority (SRA) identified bogus firms as a priority risk in its 2015 Risk Outlook. Cybercrime is increasing across all industries, but the legal sector, and particularly areas of work that involve handling client money, remains a primary target for criminals.
Having systems in place to mitigate the risk of falling victim to a scam is both an obligation – you have a duty to comply with Principle 10 of the SRA Principles 2011, on protecting client money and assets – and a vital step in protecting your firm, your partners and yourself. The latest Law Society practice note on protecting your firm if you fall victim to a scam (tinyurl.com/nn2vf56) explains that, in a worst-case scenario, being a victim of a scam could lead to the bankruptcy of individual partners, and even closure of your firm. Other potential risks to your firm include:
- loss of clients and income;
- irreparable damage to your reputation, loss of trust by clients, bad press and so on; and
- increased professional indemnity insurance premiums.
But with the odds stacking up against law firms, what steps can you take to protect your firm and clients against the risks of identity theft and the cybercriminal?
What is a bogus firm?
One of the biggest areas of risk is bogus firms. In the first eight months of 2014, the SRA states there were 130 scam alerts reported, compared with 70 in 2013. Up to the end of March 2015, there were 90 alerts. Compare this with over 700 reports of bogus firms in 2014. 46 per cent of these reports involved identity theft of a firm or individual.
The term ‘bogus firm’ is used to describe situations where criminals take on the identity of a law firm in order to steal money or access information. Bogus firms are a risk to consumers, as clients can lose money and criminals can find out confidential information about them. It is also in the interests of law firms to safeguard against this risk, as it has the potential to lead to reputational damage.
Activities of criminals include: setting up fake firms; sending scam emails; cyber-attacks that encrypt a firm's data (ransomware); hacking into existing firms in order to impersonate a bank or client; creating fictitious websites; and cloning genuine law firms' websites. Other risks include an individual who conducts reserved legal work while not entitled to do so – that is, someone who has been struck off the roll of solicitors, an unadmitted person, or a registered company that is not authorised by the SRA or another regulator to conduct reserved legal activities. This type of activity accounted for 37 per cent of the 454 reports made to the SRA between January and August 2014; 17 per cent of reports concerned fictitious firms – that is, fake websites and the like.
According to a 2014/15 survey by the Information Commissioner's Office (ICO), solicitors and barristers are the fourth most frequent subjects of data breaches. A 2014 survey of law firms by PwC (tinyurl.com/pjrqkmu) showed that 45 per cent of law firms had suffered an information security incident in the previous 12 months, 61 per cent had experienced multiple cases of infection by malware (malicious software), and one-third had experienced serious repeated attempts to break into their systems.
How can you identify a bogus firm or individual?
This is incredibly challenging. However, there are a number of ways you can protect yourself using information available to you in the public domain, including the following.
Use the search facilities on the Law Society 'Find a Solicitor' website and the search tools on the Council for Licensed Conveyancers (CLC) and Chartered Institute of Legal Executives (CILEx) websites. Check for the firm name and the name of the individual you are dealing with. If you are dealing with a branch office, check the location of the office in relation to the other office(s). A branch office located some distance from the other office(s) requires further investigation by you.
Is the logo on the letterhead the same as the one on the website? If there are names on the letterhead, are they consistent with the website and the above-mentioned search facilities? Unsolicited correspondence or correspondence that contains spelling and grammatical errors also represents a higher risk, requiring closer investigation.
Methods of communication
Is the firm using a generic webmail account, such as Gmail or Hotmail? Does the email domain match its website? Look out for subtle inconsistencies between the email addresses and the website domain, such as added hyphens and dots, swapped or dropped letters, or a different suffix (.com where the website is .co.uk). Is the only phone number made available to you a mobile? Do all numbers match those on the website and other sites? When calling, do you get straight through to your contact, or are you constantly reaching an answering service?
Check the name of the bank account holder matches exactly the name of the firm you are dealing with.
How can you mitigate these risks?
A risk register is a risk management tool commonly used in organisational risk assessment. It acts as the central repository for all identified risks, and for each risk, includes information surrounding probability, impact, counter-measures, the risk owner and the period of review. This register can regularly be considered at risk management team meetings, and updated as appropriate.
It also acts as a practical reminder of the key risks you face and what you are doing about them. It provides regulators and insurers with a clear picture of your approach to risk management. The threat of identity theft and falling victim to a bogus law firm must be included in your risk register. Ask yourself the following questions, the answers to which will also form part of your mitigation process.
1. Do we conduct the following regular checks?
- Website: check the content and layout of your website for unexpected changes.
- Web searches: conduct regular web searches for the names of your firm, any associated firms, and your fee-earners.
- Find a Solicitor / CLC / CILEx websites: check your entry to ensure the details have not been amended.
- Social media: check your company pages on social media to ensure nobody is purporting to be a staff member within your firm.
- Rating sites: check what is being said about you, and if there are reviews about any individual who is nothing to do with your firm.
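The first of the regular checks above, looking for unexpected changes to your own website, is easier to do reliably if it is automated. The script below is an added example, not code from the original article: it compares a verified baseline copy of a page with the current copy, fingerprints the whole page, and lists exactly which email addresses, phone numbers and links have been added or removed, since those are the details a fraudster alters. The two HTML snapshots are constructed for illustration, and the firm, addresses and numbers in them are fictitious.

```python
"""Detect unexpected changes to a firm's own web page between two snapshots.

Added example (not from the original article). The two HTML snapshots below are
constructed for illustration; the firm, numbers and addresses are fictitious.
"""
import hashlib
import re
from difflib import unified_diff

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# UK numbers written with spaces, e.g. 020 7946 0000 or +44 20 7946 0000
PHONE_RE = re.compile(r"(?:\+44\s?|\b0)\d[\d\s]{8,12}\d")
LINK_RE = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)

# Constructed baseline snapshot, as stored when the page was last verified.
BASELINE_HTML = """<html><body>
<h1>ABC Solicitors</h1>
<p>Call us on 020 7946 0000 or email enquiries@abcsolicitors.co.uk</p>
<a href="https://www.abcsolicitors.co.uk/contact">Contact</a>
</body></html>"""

# Constructed "current" snapshot in which the contact details have been altered.
CURRENT_HTML = """<html><body>
<h1>ABC Solicitors</h1>
<p>Call us on 07700 900123 or email enquiries@abc-solicitors.co.uk</p>
<a href="https://www.abcsolicitors.co.uk/contact">Contact</a>
</body></html>"""


def extract_contacts(html):
    """Pull out the details a fraudster would change: addresses, numbers, links."""
    return {
        "emails": {m.lower() for m in EMAIL_RE.findall(html)},
        "phones": {re.sub(r"\s+", "", m) for m in PHONE_RE.findall(html)},
        "links": set(LINK_RE.findall(html)),
    }


def fingerprint(html):
    """SHA-256 of the page, for a cheap 'has anything at all changed' test."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def compare_snapshots(baseline_html, current_html):
    """Report what changed between the verified baseline and the current page."""
    base, cur = extract_contacts(baseline_html), extract_contacts(current_html)
    report = {"changed": fingerprint(baseline_html) != fingerprint(current_html)}
    for key in base:
        report["added_" + key] = sorted(cur[key] - base[key])
        report["removed_" + key] = sorted(base[key] - cur[key])
    # Line-level diff so a reviewer can see the change in context.
    report["diff"] = list(unified_diff(baseline_html.splitlines(),
                                       current_html.splitlines(),
                                       "baseline", "current", lineterm=""))
    return report


if __name__ == "__main__":
    result = compare_snapshots(BASELINE_HTML, CURRENT_HTML)
    for key, value in result.items():
        if key != "diff" and value:
            print(f"{key}: {value}")
    print("\n".join(result["diff"]))
```

In practice the current copy would come from a scheduled fetch of each page you care about, and the baseline would be re-saved only after someone has checked the reported differences. A change in the page fingerprint alone is expected whenever you publish news; a change in the contact details or bank-related wording is the one that needs a phone call to whoever administers the site.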
2. Do you vary the content of your website regularly?
A static website is easier to clone, so more attractive to fraudsters. Keep your site updated with news items, social media feeds etc.
3. How secure are your passwords?
Do you have a procedure for managing passwords, or do staff simply choose their own? Passwords should be strongly constructed – long, with a mix of upper and lower case letters, numbers and symbols – and unique to each system, so that one compromised password does not open every account. GCHQ's password guidance (now maintained by the NCSC) favours changing a password when compromise is suspected over forcing routine changes on a fixed schedule, which tends to push staff towards predictable variations of the same password. This process should also form part of your information security policy.
4. Is your email secure?
Generic webmail accounts such as Gmail, Yahoo and Hotmail sit outside your firm's control: you cannot enforce your own authentication, logging or retention policy on them, and a client cannot tell an account you set up from one a fraudster set up in your name. Ensure your people use only their work email addresses for work email, and publish SPF, DKIM and DMARC records for your domain so that mail forged in its name is easier for recipients to reject. Do you use email encryption, or have you considered doing so?
5. Have you acquired other website domain names?
Purchase domains similar to your own and derivatives thereof, such as abcsolicitors.co.uk, .org, .com and so on. You may also have seen in the press that the new .law domain is now available for purchase. Since 28 September 2015, the domain has been open to third parties, which could give rise to more fraudulent activity and bogus firms being created, so if your domain is still available, act now.
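The email inconsistencies described under 'Methods of communication' and the defensive domain purchases suggested here are two uses of the same list: the domains a fraudster could register to pass as yours. The script below is an added example, not code from the original article. It generates that list for a firm's domain (hyphen and dot insertions, dropped, doubled, swapped and look-alike characters, and alternative suffixes), and uses it to classify the sender address on incoming correspondence as the firm's own domain, a free webmail account, a lookalike, or something unrelated. The firm domain abcsolicitors.co.uk is hypothetical, and the suffix, webmail and homoglyph lists are assumptions chosen for illustration.

```python
"""Lookalike-domain checks for a firm's email correspondence.

Added example (not from the original article). The firm domain, the suffix
list, the webmail list and the homoglyph table are assumptions for illustration.
"""

# Hypothetical firm domain; not a real firm.
LEGIT_DOMAIN = "abcsolicitors.co.uk"

# Ordered so that longer suffixes match before their tails (".co.uk" before ".uk").
# Assumption: this short list covers the suffixes a UK firm is likely to meet.
SUFFIXES = (".co.uk", ".org.uk", ".ltd.uk", ".uk", ".com", ".org", ".net", ".law", ".legal")

# Free webmail providers: a "firm" writing from one of these deserves a second look.
WEBMAIL = {"gmail.com", "googlemail.com", "hotmail.com", "hotmail.co.uk",
           "outlook.com", "yahoo.com", "yahoo.co.uk", "live.co.uk", "aol.com"}

# Characters that are easy to confuse with one another in many fonts.
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "s": "5", "b": "d", "m": "rn", "w": "vv"}


def split_domain(domain):
    """Split 'abcsolicitors.co.uk' into ('abcsolicitors', '.co.uk')."""
    domain = domain.lower().strip().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith(suffix) and len(domain) > len(suffix):
            return domain[:-len(suffix)], suffix
    label, _, rest = domain.partition(".")
    return label, ("." + rest if rest else "")


def lookalike_variants(domain):
    """Return the set of domains a fraudster could register to pass as `domain`.

    Covers the inconsistencies the article lists (added hyphens and dots) plus
    dropped, doubled, swapped and look-alike characters and alternative suffixes.
    """
    label, _ = split_domain(domain)
    names = {label}  # the real name under another suffix, e.g. .com instead of .co.uk
    for i in range(1, len(label)):
        names.add(label[:i] + "-" + label[i:])        # abc-solicitors
        names.add(label[:i] + "." + label[i:])        # abc.solicitors
    for i in range(len(label)):
        names.add(label[:i] + label[i + 1:])          # one character dropped
        names.add(label[:i] + label[i] + label[i:])   # one character doubled
        if i + 1 < len(label):                        # two neighbours swapped
            names.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                    # look-alike character
            names.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    variants = {name + suffix for name in names for suffix in SUFFIXES if name}
    variants.discard(domain.lower())
    return variants


def classify_sender(address, legit_domain=LEGIT_DOMAIN):
    """Classify an email address as legitimate, webmail, lookalike or unrelated."""
    domain = address.strip().rstrip(">").rsplit("@", 1)[-1].lower().rstrip(".")
    legit = legit_domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"   # the firm's domain or a genuine subdomain of it
    if domain in WEBMAIL:
        return "webmail"      # a generic account, not the firm's own mail system
    legit_label, _ = split_domain(legit)
    if domain in lookalike_variants(legit) or legit_label in domain:
        return "lookalike"    # e.g. abcsolicitors.co.uk.secure-login.com
    return "unrelated"


if __name__ == "__main__":
    for addr in ("jane@abcsolicitors.co.uk", "jane@abc-solicitors.co.uk",
                 "abcsolicitors@gmail.com", "jane@abcso1icitors.co.uk"):
        print(f"{addr:40} {classify_sender(addr)}")
    print(len(lookalike_variants(LEGIT_DOMAIN)), "candidate domains to register or monitor")
```

The full variant list runs to several hundred names, which is more than any firm will buy; the practical split is to register the obvious ones (hyphenated forms and the other common suffixes) and to feed the rest into the regular web searches recommended above, so that you learn quickly when one of them goes live.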
6. Do you have an effective information security policy?
The policy should address issues including: the use of firewalls; procedures for the secure configuration of network devices; and procedures to detect and remove malware. It should be kept up to date, and its implementation should be prioritised and monitored.
The rise of cybercrime is not slowing – quite the contrary. Criminals remain a step ahead of us all. It is down to you to ensure your systems are robust, to protect your clients' interests and your firm. What does your risk register include, and when was it last reviewed? Have you updated your business continuity plan, information security plan and compliance plan to reflect this ever-growing threat? Are you satisfied that your documented procedures cover everything?