As those of you who read my blog last year will know, the recent GCHQ Survey “The cyber threat to UK legal sector” identified phishing as one of the 4 most significant cyber threats to UK law firms.
Phishing describes a type of social engineering where attackers trick users into disclosing confidential information or clicking on a bad link. Phishing attacks most commonly arrive by email as it can reach users directly and hide amongst the huge number of benign emails that busy users receive. Phishing can target both law firms and their clients, with cyber actors spoofing a firm’s email address to make messages to clients more convincing.
Phishing is the most common cyber attack affecting law firms and is particularly prevalent in areas of practice such as conveyancing. According to the Law Society’s online cyber security poll in June 2018, approximately 80% of law firms have reported phishing attempts in the last year. Its low cost and low technical barrier relative to the potential reward make it a popular and lucrative method for cyber criminals.
It is a growing problem too as increasing numbers of phishing attempts are successfully getting through to end users. According to Osterman Research’s “IT Security: Office 365 Benchmarking Survey” from September 2018, mass phishing attempts getting through to end users have increased by 25%, while the number of spear phishing attempts (phishing directed at specific individuals or companies) has increased by 26%.
And while many law firms may assume that if they are using an email system from a household name they are fully protected, this is actually not the case. Even a technically mature and fully featured platform like Office 365 doesn’t provide full protection from phishing – in fact, according to the study carried out by Osterman Research, 78% of organisations have felt the need to deploy one or more additional layers of email security on top of Office 365.
Law firms unfortunately are particularly susceptible to phishing as they are dealing with large financial transactions and much confidential client data. The Solicitors Regulation Authority publicised 110 phishing scams against law firms in 2018, while noting that “there are likely to be many more that go unreported”.
It gave the case study of a “mid-sized law firm with a multi-million pound turnover” where a senior partner broadcast on social media full details about a business trip to Barcelona.
A criminal gang based overseas used this information to initiate a phishing attack against the firm’s accounts team. An accounts clerk received an email from an account spoofing the senior partner’s email address, instructing her to pay an invoice and urging confidentiality.
Even though the firm had in place a number of policies and procedures that systemised the payment of invoices, the criminals were able to persuade the accounts team to bend the rules, under the pretext of urgency, confidentiality and seniority.
The criminals also knew that the accounts team were tied up in installing a new accounting package and training on the new system, as a staff member had mentioned it on Facebook. It was at this time that the criminals convinced the clerk to make an authorised payment of £35,000.
So how can law firms mitigate the risk from these types of attacks and protect their firm in 2019?
Well, sadly it’s not as easy as installing a piece of anti-virus software or a firewall. The increasing sophistication of these attacks, as highlighted by the case study above, means that a multi-faceted approach is needed if you are to protect your firm effectively. This should include as a minimum:
· Having in place staff education and formal business processes around opening emails, handling “urgent” rushed transactions and changes of bank details.
· Ensuring you are using a wide array of technical security tools (not just a firewall and antivirus) and that these are being actively monitored and updated by a cyber security specialist.
· Considering getting Cyber Essentials certification. Whilst certification to this government-backed scheme does not guarantee to mitigate every security threat, it does ensure your firm is operating to a minimum standard of good practice in cyber security management.
Should this article have raised any questions, or should you like more information on any of the risk mitigation measures mentioned above, please do not hesitate to contact me on 01494 444065 or by email at email@example.com, and I will be happy to arrange a free consultancy call to advise your firm on how to go about putting in place strategies to minimise the risk from cyber security threats.
This blog forms part of our series of informational resources for senior partners, practice managers and compliance officers at law firms. To read more articles please visit my blog, IT in Law Firms.
Epoq IT work with small and medium size law firms, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information please visit our website http://epoq-it.co.uk/law-firms-solicitors-and-legal-services-businesses/