
Is the legal profession a soft touch for hackers?

By Jaini Gudhka
Risk Manager

In recent months, there has been a significant rise in the number of legal firms being targeted for fraud, from bogus law firms and bank impersonators conducting identity fraud to email hacking and the interception of post. These attacks have financial, operational and reputational consequences for both the firms involved and their clients...

In one property-sale fraud, a large sum of money was stolen by hackers who hijacked an email account and used it to email the client’s solicitor, instructing them to transfer the sale proceeds to the hackers’ own bank account. From the solicitor’s point of view the request appeared to be legitimate, and by the time the client discovered the fraud, several days later, the proceeds could not be recovered.


Traditional measures to beat a modern attack

Hackers use extremely smart techniques which make their crimes almost imperceptible, but in the above case duty-of-care and possibly money-laundering concerns should have been raised as soon as the request to change the destination of the funds was made.

We recommend that solicitors consider the following:

• how, and at what stage, it is verified that the destination account for the proceeds of sale aligns with the client identity checks;
• what checks would be conducted if one of the parties in a dual-authority transaction were to request a different destination for the funds;
• what client identity / ultimate-owner questions are raised when a transfer is requested to an account for which no ID has been provided.
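The three questions above describe a control that can be written down as a decision procedure: hold any payment whose destination was not confirmed at the identity-check stage, and only release it once the change has been confirmed through a channel the firm already holds on file. The following Python model is an added example, not code from the article or its author; the client records, account numbers and phone numbers are constructed, and the field names and decision labels are hypothetical. It also covers the dual-authority and no-ID cases, so it generalises the single email scenario described earlier.

```python
"""Illustrative payment-instruction check for a conveyancing workflow (hypothetical model)."""
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    client_id: str
    # Destination accounts confirmed during the client identity (KYC) checks at onboarding
    verified_accounts: set
    # Contact number taken from the onboarding file, never from an incoming email
    callback_phone: str
    # Number of authorised parties who must each confirm a change of destination
    required_confirmations: int = 1


@dataclass
class PaymentInstruction:
    client_id: str
    destination_account: str
    channel: str  # constructed labels: "email", "letter" or "in_person"
    account_holder_id_provided: bool = True
    # Authorised parties who have confirmed the new destination out of band
    confirmations_received: int = 0


@dataclass
class Assessment:
    decision: str  # "RELEASE" or "HOLD"
    flags: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def assess_instruction(instr: PaymentInstruction, client: ClientRecord) -> Assessment:
    """Decide whether funds may be released or must be held pending verification."""
    if instr.client_id != client.client_id:
        raise ValueError("instruction does not belong to this client record")

    result = Assessment(decision="RELEASE")

    # Question 1: does the destination match what was verified at the identity-check stage?
    if instr.destination_account not in client.verified_accounts:
        result.flags.append("DESTINATION_NOT_VERIFIED")
        result.actions.append(
            f"call client on {client.callback_phone} (number from onboarding record) "
            f"to confirm destination {instr.destination_account}"
        )
        if instr.channel == "email":
            # A hijacked mailbox will happily answer a reply; confirm elsewhere
            result.flags.append("CHANGE_REQUESTED_BY_EMAIL")
            result.actions.append("do not confirm by replying to the email thread")

        # Question 3: is an account being requested with no identity / ultimate-owner evidence?
        if not instr.account_holder_id_provided:
            result.flags.append("NO_ACCOUNT_HOLDER_ID")
            result.actions.append("obtain identity / ultimate-owner evidence for the account before any transfer")

        # Question 2: in a dual-authority matter, has every authorised party confirmed the change?
        if client.required_confirmations > 1 and instr.confirmations_received < client.required_confirmations:
            result.flags.append("DUAL_AUTHORITY_INCOMPLETE")
            result.actions.append(
                f"obtain confirmation from all {client.required_confirmations} authorised parties"
            )

    if result.flags:
        result.decision = "HOLD"
    return result


def record_verified_destination(client: ClientRecord, account: str) -> None:
    """Add a destination to the verified set only after the out-of-band checks have passed."""
    client.verified_accounts.add(account)


if __name__ == "__main__":
    # Constructed scenario mirroring the property-sale case: a new account requested by email
    client = ClientRecord("C-001", {"GB00-VERIFIED-0001"}, "+44 20 0000 0000")
    request = PaymentInstruction("C-001", "GB00-UNKNOWN-9999", "email", account_holder_id_provided=False)
    outcome = assess_instruction(request, client)
    print(outcome.decision, outcome.flags)
    for action in outcome.actions:
        print(" -", action)
```

The key design point is that the callback number and the set of verified accounts come from the client record, not from the instruction being assessed, so a compromised mailbox cannot supply its own "confirmation" details.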

While robust IT security is an absolute must in this day and age, it can never guarantee 100% protection and should be partnered with tried and tested checks and balances.

People can be a firm’s best defence, or indeed its biggest weakness. Ensuring everyone is educated in the risks, prepared to ask awkward questions, and knows how to investigate anomalies is critical in the fight against fraud. Just recognising that something is outside the usual protocol can be enough to protect a firm.


What can you do to protect your firm and your clients?

All firms are likely to have some of the following controls in place, but need to challenge whether they are doing as much as possible. Is everything as up to date and robust as it could be, and are employees up to speed and fraud-savvy? Key controls and measures include:

• Encourage your employees to be vigilant and to assume that any unusual request has the potential to be a fraud attempt;
• Protect your operating systems with up-to-date security software;
• Ensure wireless connections are secured, for example by using virtual private network (VPN) software to encrypt any wireless communications;
• Encourage strong and unique passwords by introducing a resilient password policy;
• Establish clear procedures for email usage on all devices;
• If your IT is outsourced, how confident are you in your service provider? Ask them questions so that you understand how your systems are protected.
