Darren Cable explains why law firms are targeted by internet fraudsters – and what you should be doing to protect the firm. (Updated 3 February 2020)
It's not difficult to understand why fraudsters consider law firms to be an attractive target. With significant client balances held in call accounts, fraudsters who identify a weakness in a firm's controls and processes can potentially steal huge amounts.
Law firms have access to large sums of electronic money and the large volumes of genuine transactions can make fraudulent payments difficult to spot. Fraudsters also know the busiest days to strike, such as a Friday which is busy for conveyancing firms. All of this puts the legal sector towards the top of a fraudster's hit list.
The remote, faceless existence of an internet fraudster means that online attacks can be hard to detect, particularly for unsuspecting employees who are not aware of current threats. As digital technology advances, fraudsters continue to develop new, increasingly sophisticated uses of technology to steal funds.
"Cybercriminals have realised that even the biggest law firms do not have the same cybersecurity capabilities and resources as big multinational banks." Peter Wright, chair, Law Society Technology and Law Reference Group
How do cyber frauds target law firms?
Malware (malicious software) describes software which is deliberately designed to compromise a computer or deceive its user. For example, malware might allow a fraudster to secretly and remotely view information on the firm's computer network, or capture keystrokes and passwords which could then be used to access online bank accounts.
Malware is not only used to carry out attacks. Malware is also widely used for reconnaissance work beforehand – to increase the likelihood of a successful attack – and for cleaning up the 'crime scene' on the firm's computer network before disappearing, leaving no trace.
Many cyber frauds start with a phishing email, disguised as a genuine email message. This is specifically targeted to capture secure information or to trick the recipient into downloading malware. These emails are often made to look like they've been sent by your bank and may contain hyperlinks to fake websites or attachments containing malware.
Ransomware is a type of malware that severely restricts access to a computer, device or file until a ransom is paid by the user. It can lock a computer or encrypt files. A demand is then displayed informing the user that the system will not be unlocked until a sum of money is paid. A deadline is usually imposed for payment, after which the key needed to decrypt the data will be deleted and the data will not be recoverable.
Cyber extortion occurs when a fraudster issues an online threat and demand to a potential victim. As with ransomware, the demand is usually aimed at forcing a payment to the fraudster, typically in a digital currency such as bitcoin. Threats vary but have included fraudsters stating that they will leak confidential data about a firm's clients on the internet, and threats to post thousands of defamatory comments on a review site, causing reputational damage.
Impersonation fraud typically involves emails disguised to look as if they have been sent by a known beneficiary of the firm, quoting alternative bank account details for a settlement or payment that is due. Fraudulent emails can also target your clients, falsely advising them that your firm has changed the account to which they should send funds.
Another common impersonation fraud is where an employee receives an email – apparently from a senior person within the firm – asking for an urgent and confidential payment to be made. With any of these types of impersonation fraud, any payments sent to the fraudster's account are likely to be lost.
Protecting the firm against cyber fraud
- Have a good-quality anti-virus software suite and update it regularly to the latest version.
- Carry out operating system updates and other software updates (such as Adobe, Microsoft Office) as soon as they become available.
- Don't rely on a phone's caller display to identify a caller. Fraudsters can make the phone's incoming display show a genuine number.
- Never divulge online banking passwords or online banking secure codes to anyone on the telephone or via email – even if you think it's the bank contacting you.
- Establish a programme of making regular back-ups, ensuring that your most important files are copied most frequently and to a location not permanently connected to your network. This will enable machines and systems to be restored in the event of infection, without a significant impact. Regularly test the recovery process.
- If you are targeted, retain original cyber extortion emails. Maintain a timeline of the attack, recording the times, type and content of all contacts. Report it to Action Fraud.
- Have a documented process which ensures that email requests to set up or amend payment details are verified as genuine. Employees should use known contact details other than e-mail to make these checks. The same caution should be applied to all payment-related emails from both external and internal sources.
- Ensure employees are aware of the risks associated with malware and the typical ways malware can get onto a device.
- Consider controlling access to removable media devices (such as USB drives). Ensure that all media are scanned for malware before files are imported onto any of the firm's systems.
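As an added illustration of the verification step in the list above (example code, not from the article or any firm's actual process), the following Python flags a payment-details email for telephone verification when the sender's domain is not the one on file or merely resembles it, or when the quoted sort code or account number differs from the record. The beneficiary register, domain names and sample email are all constructed for the example.

```python
import difflib
import re

# Constructed beneficiary register: the details the firm already holds on file.
KNOWN_BENEFICIARIES = {
    "Smith & Co Conveyancing": {
        "domains": {"smithco-law.example"},
        "sort_code": "12-34-56",
        "account": "12345678",
    },
}

SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")   # UK-style sort code
ACCOUNT_RE = re.compile(r"\b\d{8}\b")                 # 8-digit account number


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain from a From: header such as 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def assess_payment_change(beneficiary: str, from_header: str, body: str) -> list:
    """Return the reasons this request needs out-of-band verification (empty = none found)."""
    record = KNOWN_BENEFICIARIES.get(beneficiary)
    if record is None:
        return ["beneficiary not on file"]
    reasons = []
    domain = sender_domain(from_header)
    if domain not in record["domains"]:
        # A near match (a character or two different) is the classic lookalike domain.
        close = difflib.get_close_matches(domain, record["domains"], n=1, cutoff=0.8)
        reasons.append(f"sender domain {domain!r} "
                       + (f"resembles but is not {close[0]!r}" if close else "is not on file"))
    # Any bank details quoted in the body must match the record exactly.
    if (codes := set(SORT_CODE_RE.findall(body))) and codes != {record["sort_code"]}:
        reasons.append("sort code differs from record on file")
    if (accts := set(ACCOUNT_RE.findall(body))) and accts != {record["account"]}:
        reasons.append("account number differs from record on file")
    return reasons


if __name__ == "__main__":
    sample = ("Please note our bank details have changed. New sort code 65-43-21, "
              "account 87654321. Kindly remit the completion monies there.")
    for reason in assess_payment_change("Smith & Co Conveyancing",
                                        "Accounts <accounts@smithco-1aw.example>", sample):
        print("VERIFY BY PHONE:", reason)
```

An empty result only means nothing in the email contradicts the record; the documented process should still require a call to a known number before any payment is released.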
Responding to the increasing threat of cyber fraud
The legal sector has delivered a very proactive and effective response to the increased threat of cyber fraud, probably more than other industries. This is of course understandable given the significant funds law firms hold on behalf of their clients. The seriousness of reputational and regulatory damage is also a key factor.
Legal bodies such as the Law Society have also been proactive in organising fraud awareness seminars for their members. Along with events hosted locally by firms themselves, the sector is considered to be one of the most astute when it comes to fraud vigilance.
But even though we see many reports of fraud attacks being prevented, there are still too many firms that fall victim. This is often down to employees who have not received appropriate fraud education, or do not receive it often enough. It is really important that firms have a regular schedule for delivering up-to-date fraud awareness material to their employees.
Fraudsters' preference for cybercrime as a method to commit fraud is only likely to increase in the future, with attacks becoming more complex and difficult to detect. Law firms need to change their mentality from 'if we get targeted' to 'when we get targeted'.
Those best prepared for a cyber fraud attack will have multi-layered controls in place. This will include a robust ongoing employee awareness programme as well as clear plans for how to respond in the event of an attack.
"The NCSC reports that 80% of firms have reported a phishing attempt in the previous year, and losses stemming from those events increased 300% from 2016-2017. Employee education and utilising multi-factor authentication for remote email access are two of the most important steps a firm can take to avoid these losses."
Davis Kessler, head of cyber, Europe, Travelers