Solicitors and law firms face increasing threats from cybercriminals. In their Spring 2018 Risk Outlook the SRA confirmed that they had received 640 reports of bogus firms copying the identity of real firms with intent to steal money in the 12 months to January 2018.
During the first quarter of 2018, email modification fraud was the most common type of cybercrime against solicitors (Risk Outlook 2018/19), accounting for more than 70% of all cybercrime reports. Almost all other cybercrime reports involve some form of forgery to deceive targets into responding, rather than explicit hacking of the firm's systems. In 2016, £9.4m of client money was reported as lost to cybercrime, with this increasing to £10.7m in 2017.
Another area of potential concern relates to remote working. Firms are increasingly using systems to help their employees work on the move. The use of video conferencing systems and smart, connected devices, such as internet connected printers, requires these devices to be fully secured or updated. Malware targeting these devices increased six-fold in 2017. This can be a serious but subtle threat, such as a compromised smart alarm or thermostat alerting a criminal when a building is unoccupied, or a compromised video conferencing system, printer or home assistant being used to steal sensitive data.
It is imperative that firms have strict risk management policies in place to combat these new and evolving types of fraud, such as:
- Keeping systems updated;
- Use of antivirus software on desktops and laptops;
- Staff training: ensuring all staff are able to recognise the signs of email modification fraud and common phishing scams. Firms should train staff to be aware of the importance of never giving access or security information to anyone over the phone. Those receiving a call from a bank should return the call using the firm's usual contact at the bank;
- Ensuring all staff are aware of the protocol for remote access, with mobile devices encrypted and installed with systems to track and delete data in the event they are lost;
- Ensuring all work applications on phones/other devices are closed when not in use and that staff know how to create secure passwords;
- Clients should be informed of a firm's bank details in a secure way and advised that these will not be changed throughout the course of a transaction. Firms should always speak to their clients to confirm instructions to transfer money. If firms have encrypted or secure portals through which clients can communicate, then that will also help.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.