Cyber criminals have long targeted law firms with a variety of scams, with conveyancing being a particular favourite because of the large sums of money that are routinely transferred between accounts.
In 2018, over 84,000 reported attempts were made to persuade people to send money to fraudsters’ accounts, with over £123 million being stolen in malicious redirection fraud.
Increase in cyber threat
Over the past few years, cyber crime has increased substantially, with 60% of law firms reporting an information security incident in 2017, according to PricewaterhouseCoopers’ Law Firm Survey of that year.
The National Cyber Security Centre (NCSC) now issues a separate annual report on the cyber threat to the UK legal sector, noting the particular attraction of law firms to cyber criminals, because of the availability of valuable, sensitive information and the regular transfer of large sums of money. In 2017 alone, the NCSC reported a 20% rise in cyber attacks on law firms, with smaller practices just as at risk as larger ones.
The biggest cyber security threats to law firms
The main attacks on law firms are via phishing, ransomware and authorised push payment fraud.
This is the most common cyber-attack to target law firms, with Osterman Research finding nearly 80% of law firms1 complaining of phishing attempts in 2018. The Government estimate that there are 1,400 criminal organisations actively targeting the legal sector at any one time.
Those perpetrating the attacks are attempting to extract sensitive information such as usernames and passwords that can then be used to access data. Phishing emails will appear to come from a legitimate source and will ask for personal information to be input onto a fake website or returned by email.
Attacks are evolving from mass attempts to targeted spear-phishing attacks, where potential victims are carefully selected and details replicated to try and fool recipients into responding, as well as whaling, targeting senior firm members.
Attacks via ransomware use a seemingly innocent file, often sent as an email attachment, to encrypt or block access to the victim’s data, and sometimes lock the computer network as well, until a ransom is paid.
This can be catastrophic for law firms, who rely not only on being able to move quickly to analyse documents and complete deals, but who also need to maintain their reputation for security.
To prevent ransomware, firm members should never click on unknown links or unfamiliar websites, as downloads can start as soon as a connection is made. Similarly, email attachments should never be opened unless you are certain that they are safe. Opening it will start the malware running within the system.
Authorised push payment (APP) fraud
With authorised push payment fraud, the victim is duped into sending money to a fraudster’s account from their own. The scam can be by email, phone or even social media, with the fraudster tricking someone into believing they are dealing with their bank, solicitor or other professional who might legitimately request money from them.
It is the fastest growing fraud in the UK, with people being conned out of £209 million in the last six months of 2018 alone2. This amounts to a 44% rise on the first six months, with a total of £354 million lost in the year in over 84,000 individual scams.
The potential for this in conveyancing transactions is substantial. Home movers are under pressure and open to persuasion to act quickly to secure the property they want.
Law firms should advise clients to check emails carefully, including the address, header and footer and language of the email, and not to send money unless they are certain it is a genuine request. In particular, they should provide their bank details in writing at the start of a transaction and make it clear that the account details will not change during the course of the transaction and that they won’t ask a client for their bank details via email.
If a suspicious request for funds is made by telephone, the recipient should put the phone down, wait ten minutes, then call their solicitor to check, or preferably use a different phone. The reason for this is that fraudsters may stay on the line and pretend to be the law firm or bank when the target tries to call them.
Fraudsters are particularly fond of pushing victims into transferring money on a Friday afternoon, the most popular day for conveyancing, claiming a transaction may fail otherwise, and then taking advantage of the closure of law firms and banks over the weekend period to try and get away with the crime. In 2016, 75% of all cybercrimes reported to the Solicitors Regulation Authority (SRA) were so-called Friday afternoon frauds.
How all law firm staff can contribute to cyber security
An organisation’s personnel can be the weakest link if cyber security is not practiced diligently. However, where there is continual training and vigilance, people can be the biggest strength in keeping a firm and its clients safe from fraudsters. Implementing a culture of constant vigilance will go a long way to making a business hard to penetrate.
As well as ongoing training, staff need to know the dangers of responding to phishing emails, using weak passwords, failing to regularly change passwords, downloading files and giving away sensitive information. IT staff should ensure that protective software is in place and that everyone understands how to use it.
The IT system should also be regularly assessed to check for any weaknesses. Patches and updates need to be installed as soon as they are available. There have been some major ransomware attacks that would have failed had the target companies kept their software updated.
When dealing with conveyancing, all parties involved in the transaction should be checked to ensure they are genuine. Insurance-backed searches and lawyer checks can give assurance that transfers of money and property are made to verified individuals and companies.
Law firm cyber security trends
With a huge amount of sensitive information within their control, law firms are increasingly implementing software for data protection. GDPR compliance also requires careful handling of data and the ability to show effective security measures. Breaches need to be reported, and will be damaging to a firm’s reputation, meaning a need for strong cyber security protocols to protect both clients and the business.
As agile work becomes more popular, law firms need to ensure that all their staff’s devices are secure, as well as using secure cloud-based technology. Laptops, smartphones and tablets can be the weakest link in the cyber security chain. As an absolute minimum, every device must be password protected.
A survey conducted by Outpost242 found that a third of participating organisations had received an attack on their cloud system, with over a quarter admitting that they didn’t know how quickly they would be able to tell whether their security had been breached. As firms implement more agile ways of working, cyber security firms are working hard to ensure data cannot be hacked.
Password managers are becoming increasingly popular, along with two-factor authentication. Ideally all staff should already be using both, with the rise of cyber-attacks meaning that in the future it will be considered essential.
IT departments are starting to automate security procedures, to keep track of hardware and software, ensure patching and updates are always done without delay and to collect and analyse data and assess the system for weaknesses.
With regard to clients’ own security, the incidence of fraudulent attacks via mobile channels is increasing. As smartphones are used more and more for day to day business, fraudsters are finding ways to access information and users. The RSA’s 2019 Current State of Cyber Crime whitepaper states that 70% of fraudulent transactions originated in the mobile channel last year. As the conveyancing system starts to move towards portals accessible by mobile, security measures will have to keep up to prevent a new possibility opening up for criminals.
Searches for security and compliance
GlobalX can provide due diligence and money laundering checks to ensure parties to a transaction are genuine, ensuring safety and regulatory compliance.
Our fast, thorough service will ensure the home buying and selling process is fully informed whilst avoiding damaging delays. There are no subscription fees for our services, with pay as you go as standard.
Contact GlobalX on 0800 197 1757 now to find out more about our due diligence checks or click here to visit Conveyancing Due Diligence product page