Solicitors face continuing threats from cybercriminals who target law firms because of the money and information they hold. Attacks can also threaten a firm’s own operations or its reputation.
Cybercrimes and scams include:
email modification fraud – where criminals intercept and falsify emails between a client and their firm, leading to bank details being changed and money being lost
phishing and vishing – where criminals email or phone to obtain confidential information, such as a password, through gaining the trust of a solicitor or other member of staff
malware – harmful software that includes viruses and ransomware programs, which encrypt files and demand a ransom in return for decrypting the files
CEO fraud – where criminals impersonate a senior figure at a firm through hacking, or having a very similar email address, to impose authority and order money transfers
identity theft – where bogus firms copy the identity and brand of a firm.
There has been a continuing increase in the reports of cybercrimes to us. We received 157 reports in 2017, up 52%, compared to 103 in 2016. And there were 76 reports in the first half of 2018, which is 10% more than in the first half of 2017.
In 2016, £9.4m of client money was reported to us as lost to cybercrime, increasing to £10.7m in 2017. This has dropped in 2018. But we suspect there is some underreporting, particularly where money is replaced promptly. This is because we are seeing fewer reports than we would expect given the media reporting of the frequency of these attacks.
Many of the reports show that firms have stopped client money being stolen by having appropriate defences in place, such as up-to-date systems and training their staff to recognise suspicious activities. The Law Society's review of professional indemnity insurance claims also shows that most attempted cybercrimes do fail, though the consequences of successful attacks remain very serious.
Email modification fraud accounted for 80% of all cybercrime reports in the second quarter of 2018. When used to steal conveyancing money it is also known as 'Friday afternoon fraud', as many of these transactions take place on Friday afternoons.
The large sums of money involved mean that conveyancing will always be a target for email modification fraud. However, more than half of the email modification fraud reports now relate to other areas of work. This suggests that criminals are shifting to a wider range of targets as conveyancers are now more aware of the threat.
Almost all other cybercrime reports also involve some form of forgery to deceive staff into responding, rather than explicit hacking of the firm’s systems.
What firms can do
The best defences against many cyberattacks are to:
keep systems updated
use antivirus software on all devices
back up important information frequently and securely, and learn how to restore the system from a backup
encrypt mobile devices and install a system to track and delete the data if devices are lost
avoid using administrator accounts (those with the privilege to access other users’ accounts and install software) for regular work that does not involve maintaining the IT system
make sure all staff know how to recognise the signs of email modification fraud and common phishing scams
plan how to respond to an attack or other incident.
Firms should not let any unused internet domain names expire, for example when they merge, close or change brand. A criminal who falsely re-registers the old name can potentially get access to email histories including client confidential material, bank correspondence and the information needed to reset passwords. It also makes it easier for the criminal to hold themselves out as a solicitor. Keeping control of obsolete domain names is an inexpensive way to prevent this fraud.
Data breaches that might be serious breaches or misconduct should be reported to us through our Report Team. We are also interested in evidence of other cybercrime that affects firms and their clients. These can be sent to our Fraud Intelligence Unit. We want firms to be clear on what, and when, they should report concerns to us over issues that may lead to regulatory action. We have consulted on giving clarity around these practical decisions. The Reporting Concerns consultation responses are being analysed and we will share our findings shortly.
We consider each breach reported to us on a case-by-case basis. When necessary, we have taken regulatory or disciplinary action against firms when they did not:
take reasonable steps to protect themselves or check their client’s instructions