Lloyds Say Law Firms Most At Risk Of Email Fraud

Data recently published by Lloyds Bank suggests that email impersonation fraud is up 58%

Data recently published by Lloyds Bank suggests that email impersonation fraud is up 58% from the previous year and that those working in Law Firms are most at risk.

Of all successful attacks of this kind last year, close to 20% of victims were Law Firms. Next most at risk were HR firms, IT workers and finance companies. It’s also reported that one in five victims had to make redundancies as a direct result of the financial losses suffered from the attack.

What does email impersonation fraud look like?

Email impersonation fraud can take many different forms

  • Phishing - This is the simplest way for attackers to cause a breach. They will often target large numbers of users or law firm clients in the hope that just one person will fall victim and hand over the information they need. They will often use similar domain names that are hard for busy staff or clients to spot, often changing a single letter of a legitimate firm’s genuine domain, e.g. lawyer@lawfirm to lawyer@lawflrm. The attacker might suggest that you should send payments to a different account or divulge details of a sensitive transaction. Some of these emails might also appear as notifications from well-known and trusted communication tools such as Dropbox, Microsoft SharePoint etc. in an attempt to get the user or client to log into a fake site and give up their credentials.
  • Interception - Criminals can intercept legitimate emails and make small changes to them, such as changing an account number on an invoice. These attacks are very difficult, if not impossible, to spot because they are contained within a legitimate email thread.
  • Spoofing - Again difficult to spot: criminals can, in essence, ‘hijack’ a law firm’s legitimate unprotected domain and impersonate a member of staff, usually a managing partner, and use this authority to make requests of unsuspecting staff or clients. The vast majority of UK law firms do not protect their domains from this kind of attack. Requests may be sent to the accounts department to transfer a large sum of money, or a fake invoice sent to the client for immediate payment to a bank account owned by the attacker.
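As an added illustration of the single-letter and look-alike domains described above (this is example code, not from the article or from Lawyer Checker), the Python below classifies the domain in an inbound From: header against a firm’s own domain, folding commonly confused characters before measuring edit distance. The trusted domain, the confusable-character table, the distance threshold and the sample headers are all constructed assumptions.

```python
# Added example, not from the article: flag From: addresses whose domain is a close
# look-alike of the firm's own (lawfirm vs lawflrm). All values below are constructed.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"lawfirm.co.uk"}  # constructed: the firm's genuine domain(s)
MAX_DISTANCE = 2  # edits allowed before a domain label is treated as unrelated

def normalise(label: str) -> str:
    """Fold characters that are easily confused on screen (rn/m, vv/w, 1/l, 0/o, i/l)."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("10i", "lol"))

def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'malformed' for a From: header."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not (at and domain):
        return "malformed"
    if any(domain == good or domain.endswith("." + good) for good in trusted):
        return "trusted"
    # The genuine domain written into the display name of a foreign address is impersonation too.
    if any(good in name.lower() for good in trusted):
        return "lookalike"
    # Simplification: compare only the leftmost label, which also catches TLD swaps (lawfirm.com).
    label = normalise(domain.split(".")[0])
    if any(levenshtein(label, normalise(g.split(".")[0])) <= MAX_DISTANCE for g in trusted):
        return "lookalike"
    return "unrelated"

SAMPLE_FROM_HEADERS = [  # constructed
    "Jane Doe <jane.doe@lawfirm.co.uk>",
    "Managing Partner <partner@lawflrm.co.uk>",
    "Accounts <accounts@lawfirm.com>",
    '"Jane Doe (lawfirm.co.uk)" <billing@example.net>',
    "Dropbox <no-reply@dropbox.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9} {header}")
```

Anything not classed as trusted is a candidate for a warning banner or manual review rather than an automatic block, since a genuine client could be writing from an unrelated domain.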


Is there anything law firms can do?

Whilst there is no silver bullet to protect a firm from these kinds of attack, there are a number of simple and inexpensive things that firms can do to dramatically lessen the risk of such attacks succeeding.

  1. To avoid sensitive data being stolen it is vital that firms implement cyber security measures so that they are not exposed to cyber criminals. To shield yourself from email impersonation fraud you should install Lawyer Checker’s OnDMARC service. This sophisticated web-based system effectively secures your firm’s email by actively blocking phishing attacks and preventing third parties from impersonating your email domain to any recipient, such as your clients and employees. Firms should be very wary about communicating via email, or via any other service that provides notifications by email, with a firm that has not implemented OnDMARC on its domain.
  2. Where money is being transferred from the firm to a client, firms can verify the identity of their client by using Lawyer Checker’s Consumer Bank Account Checker (CBAC) search to verify the details. Whether you are sending or receiving client monies CBAC validates the source or destination of funds.
  3. Staff training is essential. Firms need to adopt a no blame culture to encourage staff to report successful phishing attempts. This helps to minimise any impact of compromise. Staff should be educated about the dangers of phishing, trained how to spot phishing attempts and how to react if they make a mistake.
  4. Gain Cyber Essentials Certification. Cyber Essentials is a Government-backed scheme that lets law firms and other businesses certify that the basic controls protecting them from most cyber-attacks are in place. It’s a relatively quick and painless process and can provide assurance to other firms that you’re safe to do business with. Again, law firms should be very wary of dealing with other firms or suppliers that do not have Cyber Essentials in place.

Cyber criminals are becoming more sophisticated in their attacks and cyber crime is showing no signs of slowing down in 2019. It is therefore imperative that all firms put strong security measures in place to prevent sensitive data from being stolen and causing irreparable reputational damage.