Daylight Robbery by Alan Cousins, Paris Smith
This blog post was also featured as a column in the June 2016 issue of Legal Practice Management magazine. To read the issue in full, download LPM magazine.
In a recent edition of LPM magazine my fellow columnist, Richard Hill, set out some very important steps to foil a cyberattack. In this article I hope to raise awareness of a growing threat that involves breaching clients’ IT defences rather than our own – one that’s proving scarily effective.
Criminals can find out, from a range of public sources, that your client is expecting a substantial sum at the end of a transaction. They’ll then hack your client’s email account and monitor all activity to do with the transaction – taking note of the law firm and the names of the lawyers involved. At this point they can email your firm posing as the client (in messages virtually indistinguishable from genuine ones), or email the client posing as your firm, using an address that’s confusingly similar to those your firm uses (perhaps differing by a single letter). These criminals will then send an email to your firm as the client, asking to change the recipient bank account for the expected monies. In this way, criminals are routinely getting away with persuading law firms to make payments into fraudulent bank accounts.
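The two warning signs described above (a sender domain one letter away from a genuine one, and a request to change bank details) can be checked mechanically before a payment is released. The following is an added example, not code from the column or from Paris Smith; the domains and the phrase list are constructed and hypothetical, and any email that trips either check should be held for verification by phone on a known number.

```python
import re

# Constructed, hypothetical domains standing in for the firm's and the client's genuine ones.
TRUSTED_DOMAINS = {"smithlaw.example", "client.example"}

# Character sequences commonly swapped in to imitate a domain; both sides are
# normalised before comparison so "c1ient" and "client" compare equal.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Phrases typical of a request to redirect completion monies.
BANK_CHANGE_PATTERNS = [
    r"\b(new|updated|changed|different)\b.{0,40}\b(bank|account|sort code)\b",
    r"\bbank details\b",
    r"\baccount (number|details)\b.{0,40}\b(change|update)",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Lower-case and fold look-alike character sequences to their real letters."""
    domain = domain.lower()
    for look, real in CONFUSABLES.items():
        domain = domain.replace(look, real)
    return domain

def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain this sender domain imitates, or None if it is genuine or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(normalise(domain), normalise(t)) <= max_distance:
            return t
    return None

def assess_email(sender: str, body: str) -> list:
    """List the reasons an email should be held for telephone verification (empty list = no flags)."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain.lower()!r} imitates trusted {imitated!r}")
    if any(re.search(p, body, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS):
        reasons.append("body asks for a change of bank account")
    return reasons
```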
Most articles of this nature advise how to prevent a successful attack, but I want to stress the importance of planning what to do immediately after one happens.
First, draw up a new page for your disaster recovery plan – one that will help you recover after that awful moment when you realise you’ve just made a large payment into a fraudulent bank account. Time is of the essence, so remain calm and take immediate steps to have the recipient account frozen, pending investigation and (hopefully) the return of the purloined funds. Your plan should list the contact numbers for the main banks’ fraud report lines. The recipient bank’s fraud line is the first number you should call – be prepared to give them all the relevant details of the payment. You also need to call your own bank’s relationship manager, who can make separate enquiries and break through barriers that may otherwise be encountered. There’s nothing like being put on hold listening to Greensleeves while crooks get away with your hard-earned cash! Follow their instructions and within an hour you should know whether there are still funds in the recipient bank account.
Next, note down the bank’s incident reference numbers and advise your client of the incident and the steps being taken. Know what your policy is on reimbursing the client (or not). It may take 30 days for the recipient bank to complete their investigations and reimburse funds. You need to devise a PR statement in case the incident gets out to local media, and advise staff and partners of the incident – asking them to be vigilant and follow procedures. You then need to instruct your IT manager to check your own IT for any breaches. Notify the police via their national fraud and cybercrime report facility, and report details to the SRA cyber-fraud reporting service (see the SRA website). Compliance officers for finance and administration (COFAs) will decide whether the incident represents a breach of SRA accounts rules and report as appropriate. Set out what cover you have for fraud and cyberattack losses in your plan. You should also set up an internal crisis team to manage the incident and establish whether procedures need updating.
Finally, it’s worth considering your client communications and terms of business. You should require clients to be vigilant in preventing their email accounts from being compromised and emphasise the importance of complying with your firm’s bank account verification protocols.
It’s a sobering thought that criminals who perpetrate these frauds are very patient and determined people, and firms that have busy teams undertaking transactions, such as residential conveyancing, are being hit every day. QBE, which insures one in 10 law firms in England and Wales, recently showed that around £85m was stolen across the legal market during the past 18 months.
Whatever we do to prevent it, the criminals seem to find ever-cleverer ways to get around our precautions. So be prepared, have your recovery plan notes to hand, and perhaps find a more secure way (rather than email) to communicate with your clients.