Law firms have access to large sums of electronic money, and the large volume of genuine transactions they process may mean that any fraudulent payments will be difficult to spot. Fraudsters also know the busiest days to strike, such as a Friday, which is busy for conveyancing firms. All of this puts the legal sector towards the top of a fraudster’s hit list.
The remote, faceless existence of an internet fraudster means that online attacks can be hard to spot, particularly for any unsuspecting employees within a firm who are not aware of current threats. As digital technology advances, fraudsters also continue to develop new, increasingly sophisticated uses of technology to steal funds. Malicious software (malware) is used not only to carry out an attack, but also widely by fraudsters to carry out reconnaissance work beforehand to increase their likelihood of a successful attack, as well as to clean up the “crime scene” on a firm’s PC network before disappearing and leaving no trace.
Many cyber frauds start with a phishing email which is specifically targeted to capture secure information or trick the recipient into downloading malware by disguising it as a genuine email message. These emails are often made to look like they’ve been sent by your bank and may contain hyperlinks or attachments leading to fake websites or malware downloads. Malware describes software which is deliberately designed to deceive a PC or its user. It can allow a fraudster, for example, to secretly and remotely view information on a PC network or capture keystrokes and passwords, which could be used to access a firm’s online bank accounts, as well as many other operations.
Ransomware is a specific type of malware which severely restricts access to a computer, device or file until a ransom is paid by the user. It has the ability to lock a computer or encrypt files. A demand is then displayed informing the user that it will not be unlocked until a sum of money is paid. A time limit is usually imposed for the ransom to be paid, or the code to decrypt the data will be deleted and the data will not be recoverable.
This is a crime which occurs when a fraudster issues a threat and demand via online methods to a potential victim. As with ransomware, the demand is usually aimed at forcing a payment to the fraudster in a digital currency such as bitcoin, or they will carry out their threat. Threats will vary but have previously included fraudsters stating that they will leak confidential data about a firm’s clients on the internet, or a threat to post thousands of defamatory comments on a review site, causing reputational damage.
Payment Impersonation Frauds
Fraudsters use email to target firms with impersonation frauds. Typically, these will be emails disguised to look like they have been sent by a known beneficiary of the firm, quoting alternative bank account details for a settlement or payment that is due to be paid. These frauds can also target your clients, if fraudulent emails sent to them falsely advise that your firm has changed the account number to which clients need to send funds. Another common impersonation fraud is where an employee receives an email which appears to have been sent by a senior person within the firm, asking for an urgent and confidential payment to be made. With both of these types of impersonation fraud, if the recipient does not check that the email is from the genuine sender as opposed to a fraudster, any payments sent to the fraudster’s account are likely to be lost.
Legal bodies have been very proactive in organising fraud awareness seminars for their members and, along with events hosted locally by firms themselves, the sector is considered to be one of the most astute when it comes to fraud vigilance. However, even though we see many reports of fraud attack prevention, there are still too many firms who fall victim. This is often down to employees who have not received the appropriate fraud education, or those who do not receive it frequently.
A fraudster’s preference for cybercrime as a method to commit fraud is only likely to develop further in the future, with attacks becoming more complex and difficult to detect. Law firms will need to adopt the mentality of “when we get targeted” rather than “if we get targeted” and those best prepared for a cyber fraud attack will have multi-layered controls in place. This will include a robust ongoing employee awareness programme as well as clear plans on how to respond in the event of an attack.
Lloyds Banking Group supports “Take Five”, a Government campaign
Author: Paul McCluskey, UK Head of Professional Practices for Lloyds Banking Group, SME Banking