Law firms getting duped out of client funds, warns regulator

Solicitors are getting hit by a growing tide of cyber-enabled fraud, resulting in the loss of money and confidential information.

Law firms are at risk from poor cyber-security
Law firms are at risk from poor cyber-security

The Solicitors Regulation Authority (SRA) has seen a big increase in scams targeting the legal profession. In 2014 it issued 183 scam alerts, up from 97 the previous year. It blames the internet which provides anonymity for the fraudsters and makes it less expensive and more efficient to perpetrate their crimes.

The most worrying scam seen by the SRA is the interception of solicitor-client emails. Zulfana Bagum, a risk analyst at the SRA, recently wrote in a blog that she has seen a number of cases where “fraudsters have illegally gained access to email accounts to intercept genuine emails between the solicitor and client in conveyancing transactions”. This is followed up with emails to clients and solicitors attempting to misdirect funds.

By identifying ongoing cases, the fraudsters can produce convincing emails. “For example, where the solicitor is acting for the client in the sale of a property, the fraudsters hack into the client's email account to send an email to the solicitor. Pretending to be the client, they will ask the solicitor to send the proceeds of the sale into an account they are operating,” Bagum said.

Some law firms are taking extra precautions to ensure that requests to change transaction instructions are confirmed by speaking to the client.

The other scams being seen by the SRA are:

  • Phishing emails purportedly coming from law firms, dressed up with genuine names and logos.
  • Cloned websites posing as genuine law firms. The SRA recommends that law firms search the web on a regular basis to see if anyone is using the name of their firm or one of its partners.
  • Vishing telephone calls, in which fraudsters call a law firm to obtain sensitive information such as bank details or login credentials. In one incident, a vishing fraudster managed to steal £1 million from a law firm's client account.
  • Malware infections which detect attempts to connect to bank websites and redirect users to fake sites used by fraudsters.  

Wieland Alge, VM and GM EMEA at Barracuda Networks said: “Phishing has flourished in recent years and cyber-criminals are using increasingly sophisticated methods to target businesses. The attacker usually researches personal information about the targeted individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cyber-criminals.

“There are two well-established countermeasures to mitigate the risks for organisations. One is protecting the employees by proper email and web security systems. The second one is protecting your databases using properly configured web application firewalls (WAFs).”

Sam Hutton , CTO, Glasswall Solutions, said: “The digital files that lawyers use every day are instrumental to running an effective practice. But, with files such as PDFs, Word and Excel being the prime threat vector of choice and used in over 90 percent of successful attacks, every one of them could be a source of security vulnerabilities and threats. Attackers look to embed malware into the documents the legal team use, compromising data protection and confidentiality – and ultimately gaining access to the organisation's network and the sensitive information held.”

Hutton said that traditional security has relied on trying to detect known malware. “Law firms must now turn security on its head and focus on ‘known good'.  With appropriate controls in place to give insight into the threat footprint of a digital file, security policies can be implemented to ensure files only enter the organisation's network once they have been identified as a safe and trusted file,” he said.

Mark Edge, UK country manager at Brainloop, said: “For the solicitor market, the result of sensitive information falling into the wrong hands can be catastrophic. However, technology is playing an increasingly important role in solicitor firms as they tackle the complex area of information security.

“By sending digital communications via a secure collaboration platform , a link can be sent to the recipient so they can read the message via a secure online platform. This provides added security for both businesses and partners alike.”