Is your law firm prepared for a cyber attack?

Law firms have access to large sums of electronic money and the need for large volumes of genuine transactions may mean that any fraudulent payments will be difficult to spot. Fraudsters also know the busiest days to strike, such as a Friday which is busy for conveyancing firms. All of this puts the legal sector towards the top of a fraudster’s hit list.

The remote, faceless existence of an internet fraudster means that online attacks can be hard to spot, particularly for any unsuspecting employees within a firm who are not aware of current threats. As digital technology advances, fraudsters also continue to develop new, increasingly sophisticated uses of technology to steal funds. Malicious software (Malware) is not only used to carry out an attack, but also used widely by fraudsters to carry out reconassience work beforehand to increase their likelihood of a successful attack as well as cleaning up the “crime scene” on a firm’s PC network before disappearing and leaving no trace.

How do cyber frauds target law firms?

Phishing
Many cyber frauds start with a phishing email which is specifically targeted to capture secure information or trick the recipient into downloading malware by disguising it as a genuine email message. These emails are often made to look like they’ve been sent by your bank and may contain hyperlinks or attachments to fake websites or malware downloads. Malware describes software which is deliberately designed to deceive a PC or its user. It can allow a fraudster for example to secretly and remotely view information on a PC network or capture keystrokes and passwords which could be used to access a firm’s online bank accounts as well as many other operations.

Ransomware
Ransomware is a specific type of malware which severely restricts access to a computer, device or file until a ransom is paid by the user. It has the ability to lock a computer or encrypt files. A demand is then displayed informing the user that it will not be unlocked until a sum of money is paid. A time limit is usually imposed for the ransom to be paid, or the code to decrypt the data will be deleted and the data will not be recoverable.

Cyber Extortion
This is a crime which occurs when a fraudster issues a threat and demand via online methods to a potential victim. As with Ransomware, the demand is usually aimed at forcing a payment to the fraudster in a digital currency such as bitcoin or they will carry out their threat. Threats will vary but have previously included fraudsters stating that they will leak confidential data about a firm’s clients on the internet or a threat to post thousands defamatory comments on a review site causing reputational damage.

Payment Impersonation Frauds
Fraudsters use email to target firms with impersonation frauds. Typically these will be emails disguised to look like they have been sent by a known beneficiary of the firm, quoting alternative bank account details for a settlement or payment that is due to be paid. These frauds can also target your clients if fraudulent emails sent to them falsely advise that your firm has changed their account number for where clients need to send funds. Another common impersonation fraud is where an employee receives an email which appears to have been sent by a senior person within the firm asking for an urgent and confidential payment to be made. With both of these types of impersonation fraud, if the recipient does not check that the email is from the genuine sender as opposed to a fraudster, any payments sent to the fraudster’s account are likely to be lost.

How should law firms protect themselves?

• Have a good quality Anti-Virus software suite, with the latest version and update regularly.
• Carry out operating system updates and other software updates such as Adobe, MS Office as soon as they become available.
• Don’t rely on a phone’s caller display to identify a caller, as fraudsters can make the phone’s incoming display show a genuine number.
• Never divulge online banking passwords or online banking secure codes to anyone on the telephone, or via email, even if you think it’s the bank contacting you.
• Back-ups: Establish a programme of making regular back-ups, ensuring that your most important files are copied most frequently and to a location not permanently connected to your network. This will enable machines and systems to be restored in the event of infection, without a significant impact. Regularly test the recovery process and if you are targeted, retain the original cyber extortion emails. Maintain a timeline of the attack, recording all times, type and content of the contact and report it to Action Fraud.
• Have a documented process for employees to follow which ensures that email requests to set up or amend payment details are verified as genuine. They should use known contact details, other than email, to make these checks and apply the same caution to all payment-related emails from both internal and external sources.
• Employee education and awareness: Ensure users are aware of the risks associated with allowing malware on to a system. Additionally educate them about the typical ways malware can get onto a device.
• Removable media controls: Consider the benefits of implementing a technical solution to control access to removable media devices and scan all media for malware before importing on to any of the firm’s systems.

Legal bodies have been very proactive in organising fraud awareness seminars for their members and along with events hosted locally by firms themselves, the sector is considered to be one of the most astute when it comes to fraud vigilance. However, even though we see many reports of fraud attack prevention, there are still too many firms who do still fall victim. This is often down to employees who have not received the appropriate fraud education, or those who do not receive it frequently.

A fraudster’s preference for cybercrime as a method to commit fraud is only likely to develop further in the future, with attacks becoming more complex and difficult to detect. Law firms will need to adopt the mentality of “when we get targeted” rather than “if we get targeted” and those best prepared for a cyber fraud attack will have multi-layered controls in place. This will include a robust ongoing employee awareness programme as well as clear plans on how to respond in the event of an attack.

You’ll find more information on many other fraudulent scams by visiting Lloyds or Bank of Scotland

Lloyds Banking Group supports “Take Five”, a Government campaign

Author: Paul McCluskey, UK Head of Professional Practices for Lloyds Banking Group, SME Banking