The Law Society has continued to receive reports of successful cyber-attacks.
It has been reported in numerous publications that there has been an increase in the number of cyber-attacks in recent times. The international police body, Interpol, has warned that cyber-criminals are taking advantage of the fear and uncertainty caused by the COVID-19 pandemic, as well as the increased number of people working from home.
Interpol secretary general, Jürgen Stock stated: “Cyber-criminals are developing and boosting their attacks at an alarming pace”, noting that criminals are shifting their focus from individuals and small businesses to major corporations, governments and critical infrastructure. It is likely that this increased risk will continue in the short-term, and possibly longer as society adapts to a new way of working.
The Law Society has continued to receive reports of successful cyber-attacks resulting in a financial loss to the client bank account. The majority of these attacks involved compromised email systems and payment redirection frauds. Email systems are often compromised by the installation of malware onto the system as a result of clicking on a link or attachment in a phishing email. This can provide the fraudster with access to the password for the account. If obtained, the fraudster can set up a rule on the account, resulting in all emails received being forwarded to the fraudster’s email address without the owner’s knowledge. As a result, all information received by email from a client, including personal details, bank details, passports, driving licences, and details of commercial transactions, will be compromised.
Alternatively, unencrypted emails can be intercepted during transmission and read. The fraudster then creates an email address similar to both the client’s and the solicitor’s and covertly “continues the conversation”, before requesting that funds be sent to a fraudulent bank account. It is important to note that these frauds are not only carried out in solicitor-client communications, and it is known that fraudulent activity has taken place in solicitor-solicitor and internal solicitor-accounts staff communications.
Any bank account details received in an email should be treated suspiciously and not acted upon without further verification. It is highly recommended that multi-factor authorisation be implemented on all email accounts of the practice. Also, if you are anyway concerned, it is recommended that you request your IT suppliers run an anti-virus and malware scan of the system and run a sweep of the email systems to ensure that no rules have been added to the mailboxes.
The Technology Committee previously issued the following top ten tips to help prevent being a victim of such an attack, which should be followed at all times.
Given the current pandemic and resulting restrictions, it is accepted that there will be occasions where a face-to-face meeting is not possible. Where a solicitor or client is required to transfer money to bank account details received by email, it is imperative that the individual setting up the transfer verifies the details received via a telephone call (see Point 6). It is also important that this individual verifies the telephone number and does not rely on that received in the email.
- Only send IBANs and BICs for your accounts or other accounts by post. It may be worth advising all current clients that bank account details should never be sent by email and if a client receives a request to do so, they should contact their solicitor by phone.
- Clients should be asked for their bank details by way of a copy statement at the start of a transaction.
- If a client does not give you copy bank documentation, then you should ask the client to write out the IBAN and BIC in full for you in their own handwriting and sign it.
- If another solicitor is sending you their account details, then they should do it by post, and you should still verify same with them. It is common for the fraud to involve only changing one digit or letter.
- If you have to write down bank account details yourself (for example, because you are getting them over the phone), then you must read the details back to the client for verification and you must memo this on your file. This is important because if the other person gives you an incorrect number by accident, it may cause the money to go astray.
- If you get an IBAN and BIC by email, including in an attachment, then you must ring the person to verify the details, and you also should memo that on your file. (Note: it should always be the person who is setting up the electronic transfer that verifies the account details).
- If somebody tells you that their account details have changed, this is an instant red flag. You should immediately raise a query and verify the account details through an alternative medium, such as by phone or post. In addition, let your clients know that your firm does not change its bank account details (if this is the case). Clients should be advised not to send any money to new account details without confirming the change by talking to someone in the firm.
- Typographical errors must be avoided. You cannot rely on the banks to verify the account name against the account number. If you put in a wrong number, then the money will go astray and may not be recoverable.
- Any internal mail asking you to request or affect the transfer of moneys must be verified by a phone call to the sender of the mail.
- The obligation on the client to provide accurate bank details and the risk of fraud should be mentioned in the section 150 letter and letter of engagement.
Also, a solicitor should consider including an email disclaimer at the foot of every email, in bold, informing all clients that they will never provide bank account details by way of email.
A solicitor should ensure that all computers in the practice (PCs, file servers, and mail servers) are protected by trustworthy internet security business products and are using the latest updates. Also, ensure that a firewall is turned on. Operating systems and other software should be kept up-to-date to ensure that there are no security gaps.
Solicitors can view helpful resources, including reports of attacks and best-practice guidance, in the Cybersecurity section.
This article originally appeared in the 26 January Member eZine. For more information, and to subscribe, visit eNewsletters.