What a difference a year makes… In 12 months, cybercriminals stole more than £11m of client money and 60% of law firms reported a cyberattack. Yet a recent survey found that only 41% of firms have a documented cybersecurity policy and just 31% have a formal cybersecurity training programme.
Law firms are an obvious target for cybercriminals, given the money and information they hold. The trusted position of lawyers may be abused, with cybercriminals generating a sense of urgency to prevent recipients of hacked emails from asking questions.
When one firm was hacked in 2017, hackers sent 16,000 emails to its contacts with the subject line ‘Action Required – Matter for Attention’ and enclosing a ‘secured’ attachment. In this case, recipients did query the email and the firm was able to promptly alert its clients to the scam. No firm ever wants to spread damaging news such as this, but its quick action will likely have reduced the risk to clients and the long-term impact on the firm’s reputation.
The large amounts of money changing hands in conveyancing transactions increase the risk yet further, and the Solicitors Regulation Authority (SRA) reported in 2017 that around half of all law firm cybercrime involved conveyancing.
Since 2015, the SRA has been warning of ‘Friday afternoon fraud’, when law firms are tricked into revealing sensitive banking information or clients are duped into sending money to a cybercriminal’s account. A cyberattack has become a ‘when’ not an ‘if’, and the focus is increasingly on how firms prepare for and respond to an attack.
The Legal Ombudsman (LeO) recently published guidance on its approach to dealing with cybercrime. This includes two conveyancing-related case studies which show how a firm’s policies and procedures will be scrutinised by LeO in its decision-making.
- In the case of ‘Mr M’, the firm had provided bank details by email and hackers subsequently sent another email providing different bank details. The firm’s unsecure web-based email service had been hacked two months previously, but the firm had not taken any action. The firm had also not warned Mr M about the risk of cybercrime and bank details were not included in the client care letter. LeO ordered the firm to reimburse the lost deposit and the costs incurred in having to abort the purchase.
- In the case of ‘Miss C’, bank details had been provided in the client care letter, and clear warnings about the risk of cybercrime and that bank details would not change were included in the client care letter, email footers and the draft completion statement. Hackers sent an email asking Miss C to transfer the deposit to a different account, which she did. This time, it was the client’s email that had been hacked, and LeO found that the firm had taken all reasonable steps to make Miss C aware of the risks.
Reducing the human risk
It is crucial to ensure that staff are aware of cyber risk, can spot suspicious activity and know what steps to take when they do. If your firm is in the 69% which don’t have a cybercrime training programme, Central Law Training can help. Our brand-new e-learning course is designed to raise awareness of key cybercrime threats in relation to conveyancing transactions and to outline practical steps that you and your staff can take to stay safe and secure online. It includes the latest guidance from the Law Society and the SRA.
The course includes interactive activities and short animations, designed to illustrate key points and make these more memorable. When you have worked through the course materials, you will have the opportunity to take a short quiz to check your recall and understanding.
To find out more about our new interactive e-learning courses, contact Wendy Harbottle on 07970 546524 or firstname.lastname@example.org.