Cybercrime and Law Firms
Cybercrime is now the most prevalent crime in the UK, according to the Solicitors Regulation Authority (SRA). Law firms are proving to be an attractive target for cyber attacks as they often hold personal, business-critical and commercially sensitive information.
A recent study carried out by the National Cyber Security Centre revealed that in 2015 alone, an astonishing 62 per cent of law firms were the victim of a cyber attack of some sort.
Email hacks in conveyancing transactions
The most common type of cybercrime in the legal sector consists of email hacks against conveyancing transactions. By ‘hacking’ we mean that a third party has gained unauthorised access to computer systems, networks or data. £7 million of client losses were reported in the past year from criminal attacks during conveyancing transactions, according to the SRA. Of these, 75 per cent were committed by hackers modifying emails directly, often on a Friday afternoon when conveyancing staff are usually at their busiest with most completions taking place.
Typically, criminals alter the bank details in the client’s email to the solicitor, or vice versa, so that funds go to the criminal instead of the intended recipient. In the worst cases, the hacker builds up a rapport with the client in advance. They purport to be an employee of the client’s solicitor’s firm before sending an email which seeks to amend the bank details to which the client’s funds should be sent in readiness for an exchange or completion.
At Attwaters Jameson Hill we have clear policies in place to protect ourselves and our clients’ money, ensuring that we are doing everything possible to mitigate the risk of a cyber attack being successful. Key features of our policies include:
When giving out our bank account details:
- Ensuring that wherever possible we only send our bank account details by post at an early stage in the transaction
- Not sending our bank details via email, whether as an attachment (password protected or otherwise) or in the body of an email, without first warning our clients that emails can be intercepted and that any details received must therefore be independently verified by the recipient
- Confirming our bank details in a follow-up telephone call in those cases where we have had to send these via email
When receiving our clients’ bank account details:
- Telephoning our client to confirm any written information (via email or otherwise) is accurate and came from the client
- Making sure that the telephone call is made by a member of staff who is familiar with the client and/or has had dealings with them previously in relation to the matter.
It is also important for law firms to carry out identity checks on other third-party law firms to ensure that funds are not unwittingly being transferred to a bogus lawyer or law firm. At Attwaters Jameson Hill we adhere to such policies to protect our clients’ money, assets and sensitive information.