Spear Phishing – the latest threat

Technology 03/03/2017

The Technology Committee is re-issuing an updated version of this note due to the seriousness of the consequences for solicitors if they are successfully targeted in a spear-phishing scam. A similar practice note appeared in the Gazette in September 2016.

Spear phishing is a criminal hacking enterprise in which emails that appear to come from individuals or businesses you know are sent in an attempt to obtain your credit card or bank account numbers or passwords, or to convince partners or staff of your firm to transfer funds to an incorrect bank account for the criminals’ benefit.

There have been instances in Ireland and Britain where firms received incorrect bank account details by phone from persons impersonating clients, resulting in the transfer of funds to persons other than the client.

Law firms are particularly targeted due to the potential high value of funds held. The scam is tailored to each targeted firm. Firms that practice in conveyancing or regularly transfer large sums of money are at particular risk.

Everyone should be particularly wary when bank account details change mid-transaction or when a sudden email changing account details is received on a Friday afternoon or just before a holiday period. This is when normal procedures have a greater tendency to be rushed or overlooked, and criminals intentionally target firms at these times.

An example of spear-phishing is where a fake internal email within the company or firm is sent by the criminals to say that a bank account has changed (for example, an email instruction from a partner to his or her secretary to change payment details). The targeted staff member then sends the funds to the fraudulent account, unaware that the email they received was not sent by the authorising party, but by a criminal enterprise.

The Technology Committee strongly urges all firms to adopt the following ten tips to mitigate the risks of spear-phishing:

  1. If somebody tells you that their account details have changed, this is an instant red-flag marker. You should immediately raise a query and verify the account details through an alternative medium, such as by phone, fax or letter. In addition, let your clients know that your firm does not change its bank account details (if this is the case). Clients should be advised not to send any money to new account details without confirming the change by talking to someone in the firm.
  2. Do not rely on the banks to verify the account name against the account number. If you put in a wrong number, then the money will go astray and may not be recoverable. Typographical errors must be avoided.
  3. Clients should be asked for their bank details by way of a copy statement at the start of a transaction.
  4. If a client does not give you copy bank documentation, then you should ask the client to write out the IBAN and BIC in full for you in their own handwriting and sign it.
  5. If another solicitor is sending you their account details, then they should do it by fax or letter, and you should still verify same with them. It is common for the fraud to involve only changing one digit or letter.
  6. If you have to write bank account details down yourself (for example, because you are getting them over the phone), then you must read the details back to the client for verification and you must memo this on your file. If the client rang you, ring them back at the number on file (not by pressing the call-back button) or contact them by another method to confirm the change in bank details.
  7. Only send IBANs and BICs for your accounts or other accounts to clients or external parties by letter or fax.
  8. If you get an IBAN and BIC by email, including in an attachment, then you must ring the person to verify the details, and you also should memo that on your file.
  9. Any internal email asking you to request or effect the transfer of monies must be verified by a phone call to the sender.
  10. The obligation is on the client to provide accurate bank details and the risk of fraud should be mentioned in the section 68 letter and letter of engagement.

In addition, the Technology Committee reminds all solicitors that ransomware continues to be a major threat to solicitors’ firms across the country.

Please consult our practice note on crypto-ransomware.