2 Lesser-Known Cyber Threats Every Conveyancing Firm Needs to Hear About

There have recently been a lot of headlines about clients mistakenly transferring their deposit to criminals at the point of exchange in a property transaction. While this is a very real threat, as the recent Howard Mollett incident has shown, it is not the only cyber-related risk law firms need to be aware of. Here are 2 more ways cyber criminals could damage your firm, without going anywhere near your clients:

1. Chief Executive Fraud (or President Fraud)

The term ‘Chief Executive Fraud’ (or President Fraud) refers to a targeted phishing attack, where an individual in the firm is sent a fake email which looks as though it has come from a Managing Partner. Such requests typically ask for a sum of money to be transferred urgently, and may also “remind” the target that this was supposed to have been done the week before in order to panic them into complying.

According to Lockton Insurance, this is a common problem, and they receive around 2 calls a week from law firms claiming they’ve been a victim of Chief Executive Fraud.

The success of this type of fraud relies heavily on social engineering to create a stressful situation where the target feels under pressure to respond quickly to an email from one of their superiors – without questioning the validity of the message. For example:

Dear Jo,
Did you send £20,000 to Michael J Hart? Account details XXXXXXX
I thought I asked you to do this last week, but Michael has just phoned to say he hasn’t received the money? Please get this done today.

These highly-targeted attacks are typically the product of lots of research, from using sites such as LinkedIn to establish the company hierarchy, to monitoring the firm’s website and social media accounts for useful snippets of information.

2. Ransomware attacks

A “ransomware attack” is when a cyber-criminal infects a computer system with a piece of malware, which places a digital blocker on the system so that the victim firm can’t raise an invoice or continue business as usual. This can happen as a result of just one member of staff clicking a link in a rogue email.

The cyber-criminal will then hold the firm to ransom, with a message appearing on the firm’s computer screens demanding payment for the digital release key. In most cases, if the ransom is paid, the victim will be given the digital key which will give them back control of their systems. However, this can also result in their firm’s name being listed as an “easy target” online, on the dark web, for other cyber-criminals to take advantage of.

According to Lockton Insurance, there has been a 600% increase in ransomware attacks in the last 12 months, with consequences ranging from top fee earners being unable to raise invoices, and the cost of the time and resources it takes to fix the problem, through to delays in exchanging contracts in a property chain.

Here are some top tips to help keep your firm safe:

- Think about what type of information you share on social media and company news feeds
- Regularly back up your computer systems
- Pick up the phone and check with your colleagues if you suspect unusual email activity
- Regularly train your entire workforce on cyber risks
- Keep cyber crime on your board meeting agenda throughout the year
- Educate your clients about the ways they could fall foul of fraud
- Create and maintain a company culture that supports colleagues – even if they do make a mistake
- Develop a simple in-house process for colleagues to report near-misses
- Register for tmgroup’s free event on cyber crime in the property transaction

With thanks to Peter Erceg and Brett Warburton-Smith at Lockton Insurance

1. February 2017 12:25 Megan
How to Prepare to Defend Your Law Firm’s Reputation in the Event of a Cyber-Attack

With cyber-crime making the headlines more and more frequently, it is becoming increasingly important that law firms of all sizes understand how to handle such a situation professionally and keep their reputation intact. Here are some steps any law firm can take to help ensure that a cyber-attack or data breach doesn’t cost them their client base.

The focus must be on fixing the problem and retaining your clients’ trust

The key to surviving a cyber-attack with your reputation intact is in what you do beforehand – in planning, thinking, training and rehearsal – as delivering a slow, haphazard, confused, overly legalistic or contradictory response will only exacerbate the situation. Your plan needs to focus on 2 key areas:

1. Fixing the problem as quickly as possible
2. Retaining the trust of stakeholders and clients whose information may have been compromised

Discuss what “worst case scenario” means to your firm

When creating your plan, a good starting point is to sit down with your senior team and conduct a cyber reputational risk analysis; in essence, decide what your “worst case scenario” looks like. Every law firm will have a different view on what defines a “worst case scenario”. You need to understand what this scenario is to be able to recognise when it is happening – and (just as importantly) when it isn’t happening. This will help everyone to understand the magnitude of a situation, should something arise, and respond accordingly.

Create a cyber incident response plan for these different situations

In a high-pressure situation, you don’t want to be making snap judgements, as this could lead to mistakes which could be difficult to recover from. Set aside time to work through some of your “worst case scenarios”, and discuss what decisions will need to be made and who will be responsible for making them.

You should also make a list of the different phone numbers you will need. This list should include nominated individuals who will “take the helm” of the situation, as well as the people whose advice, support and technical services you will require to get your operation back up and running. Having all of this information readily available will help ensure you are contacting the right people as quickly as possible, removing any unnecessary stress and delay.

Decide how and when you are going to communicate with those affected

Don’t make the mistake of thinking you can hide your breach from your clients; they have a right to know that their data has been compromised. It is also far better that your clients hear the news directly from your firm than find out through a third party, rumour or the media.

When communicating the news to your clients, it is best to adopt a personal approach. For example, if only a small number of clients have been affected, it is in your firm’s interests for a senior individual to phone them. However, if hundreds of clients have been affected, you will need to adopt a speedier and more realistic approach, for example sending out an email explaining what has happened and what your clients need to do next.

As part of your planning process, it can help to put together an email template which can be quickly edited and sent out in the event of a cyber-attack. You should also write some guidelines on how quickly you will be prepared to talk to your clients, looking at possible triggers, and the pros and cons of sending out various communications.

Have a back-up communication plan in case your systems are still compromised

You also need to think about how you would communicate if your systems were still compromised, for example if you can’t send out an email or display a message on your website because your systems have been taken down. In such a situation, could you relay the message via phone or Facebook?

Be prepared for the media to get in touch

Once you have communicated the news to your clients, you need to be prepared for the media to get in touch. Remember, emails can be forwarded!

It is wise to nominate 2-3 individuals in advance who are prepared to step forward, to avoid your one point of contact being on holiday if a situation occurs. It is equally important that your nominees have media training, as they may have to answer questions when they only have access to limited information, but will still need to reassure everyone and communicate effectively.

Brief your colleagues before going public

Before you communicate any news to your clients, you need to make sure you have briefed your internal staff first. (You can put a template briefing document together as part of your planning.) This will help to ensure that anyone in meetings or taking phone calls is aware of the developing situation, and is responding consistently in line with the organisation’s key messages.

Your clients won’t expect you to be invincible – but they will expect a professional response

No one is immune to the threat of a cyber-attack, and as time goes on it will become almost inevitable that every law firm will experience some kind of data breach. While it is unreasonable for a stakeholder or client to expect an organisation to be invincible, they will expect your law firm to demonstrate a well-considered and speedy response to correct the situation.

With thanks to Jonathan Hemus from Insignia (http://insigniacomms.com/), Crisis management, training, planning & consultancy

21. November 2016 17:25 Megan
SRA Springs Into Action, by Nick Dyoss

Last month saw the SRA publish their Risk Outlook for Spring 2015, which showed that little - in terms of the risks faced by firms - has changed since their Autumn Update. The key areas of concern for the SRA remain bogus law firms, money laundering and the misuse of money or assets.

Some of the figures associated with these issues are staggering. In 2014 the SRA received over 700 reports of bogus firms, which is the highest ever recorded. In 2013 the SRA received 548 reports about bogus law firms, up from 312 in 2012, so it is easy to see why bogus law firms are now seen by the SRA as a real risk to all sizes of law firms. Should the rise in firms reported continue at the same rate in 2015, the figures will be near 1000. Sadly this is reflected nationally across the whole economy, with KPMG reporting a significant increase in fraud cases. There is little evidence to suggest that this trend will decline.

[Image caption: The SRA aim to visit 500 firms to audit their Anti-Money Laundering (AML) processes. Image copyright Images Money.]

The SRA are now well into their assessment of a number of firms who are subject to the auditing of their current AML processes. They are aiming to visit 500 firms and their activity has been driven by an increase in reports concerning AML compliance - a handful of cases the likes of which have not been seen before - as well as pressure from law enforcement agencies. At a recent conference in March Steve Wilmott, Director of Intelligence and Investigation at the SRA, said that they will be looking at systems and procedures, record keeping, training and the activity of the MLRO at the firm. If they were to visit, how confident would you be of passing their inspection?

Another area to feature in the Spring report is the misuse of money or assets. The report revealed that things have changed little since Autumn, with poor financial controls continuing to ‘provide opportunities for financial misconduct to occur.’ Within the update, the regulator states that they have seen recent cases where ‘poor systems and controls have been a factor in the misuse of money or assets’, citing that the root of the problem lies in inadequacies in training and supervision, as well as failure to control access to accounts.

So what can firms do to reduce these key risks? Well, there is certainly quite a lot of information and services available, which I will touch on.

1. Use ‘Find a Solicitor’ on the Law Society website.
2. Check the SRA website for updates on scam alerts.
3. Make independent verification checks using Lawyer Checker which is only £10 and widely available.
4. Online AML verification is readily available, inexpensive, comprehensive and instantaneous and covers UK and International clients from about £4 per name.
5. Reliance on bank statements, passports and utility bills should be consigned to the past.
6. Use secure search websites that are username and password protected and can provide an audit trail for every case.

14. April 2015 09:28 Nick Dyoss