Solicitors Regulation Authority Releases Warning About Email Scams for Law Firms

The Solicitors Regulation Authority in the United Kingdom has recently released an alert in relation to law firm email scams following a sharp increase in law firm cyberattacks.

According to SRA figures, around 500 UK law firms have been targeted by hackers. One of the most common law firm email scams witnessed in recent weeks involves an attacker sending an email to a solicitor while pretending to be a new client. While the hacker could claim to have any number of legal issues in the initial email, one of the favored themes is a property or business that is about to be bought or sold.

Legal services are sought and, when the solicitor answers, the hacker sends an email with a malicious attachment. The attachment does not contain the malware itself; instead, a malicious macro is embedded in the document. A realistic explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script runs that installs the malicious payload. The download occurs silently, so the solicitor is unlikely to be aware that their computer has been infected.

The malware then gathers and steals sensitive data, or gives the attacker access to the solicitor’s computer to search for any useful data. Keyloggers can also be downloaded to log keystrokes on the infected computer and collect login information for email and bank accounts.

The SRA has stressed there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken quickly to address the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause massive damage to a firm’s reputation and could result in major harm to clients. Clients and the law firm can suffer serious financial losses as a result of these scams.

Not all cyberattacks on law firms include malware. Phishing is also a major danger. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login details, passwords, or other confidential data. These law firm email scams are not easy to spot. Hackers invest considerable time and effort into building up relationships with solicitors through email or over the telephone to build trust. Once a personal relationship has been created it is far easier for the scammers to fool solicitors into revealing sensitive data.

The seriousness of the danger is clear from the reports of cybercrime received by the SRA from solicitors over the past 12 months. The SRA says in excess of £7 million of clients’ money has been stolen from solicitors in 2016.

The advice given to law firms on reducing cybersecurity risk is:

  • Ensure all data are backed up and stored safely on a drive that is not linked to a computer
  • Make use of secure cloud services for holding sensitive data and accessing and processing data
  • Keep software updated. Patches and software/system updates should be applied swiftly
  • Solicitors should think about using encryption services for all stored data, especially on mobile devices
  • Antivirus and antimalware systems should be downloaded and set to update definitions automatically. Constant scans of systems should also be set up.

As an extra protection against law firm email scams, solicitors should use an advanced antispam solution to stop phishing and other malicious emails from being delivered.

To safeguard against malicious links and redirects from malvertising, solicitors should think about implementing a web filtering solution. A web filter can be used to prevent visits to web pages known to host malware.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone