Mark Gilbert, Chief Technology Officer at tmgroup, explains the practical steps you can take to build awareness of cyber crime and fraud in your law firm.
Be aware of different types of email attacks (especially spear-phishing)
Spear-phishing is similar to phishing, but takes a more targeted approach. Instead of sending a ‘blanket email’ to multiple recipients, spear-phishing emails are built on information that has already been obtained about the recipient, for example their name, email address, and whether they are a customer of ‘X’ Bank. That familiarity makes the message more convincing, and the attack more likely to succeed.
This is one of the most sinister types of cybercrime, as criminals continue to adapt their approach to deceive their victims. Examples include:
Invoice fraud: ‘Invoice fraud’ refers to incidents of intercepted communications between a law firm and their client, enabling a criminal to “invoice” the client for services ahead of the law firm sending their legitimate invoice.
When the legitimate invoice arrives, the client is confused: they believe they have already paid, and the money has indeed left their account, yet their real bill remains unpaid.
Friday afternoon fraud: ‘Friday afternoon fraud’ is a type of cyber-attack that takes place on the cusp of a property transaction completing, where clients receive emails that appear to have come from their solicitor asking them to transfer their deposit to an alternative bank account.
When successful, victims lose their deposit and are unable to complete on their purchase.
Chief Executive Fraud (or President Fraud): Incidents of ‘Chief Executive Fraud’ (also referred to as ‘President Fraud’) occur when an individual receives an email that looks as though it has come from a Managing Partner.
Success relies heavily on social engineering to create a stressful situation where the target feels under pressure to respond quickly to an email from one of their superiors - without questioning the validity of the message.
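The three patterns above share a few header and wording tells that a mail gateway or a triage script can flag before a person has to rely on instinct: a partner's display name on an address outside the firm, a Reply-To that routes answers elsewhere, a domain one character away from the firm's own, and a request to pay into a new account. The following Python is an added illustration written for this article, not tmgroup's code; the firm domain, staff name and sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed for this example: the firm's own domain and staff whose names get impersonated.
FIRM_DOMAIN = "example-law.co.uk"
KNOWN_STAFF = {"jane doe"}
# Wording typical of "change of bank details" and urgent payment requests.
PAYMENT_RE = re.compile(
    r"(new|alternative|updated) (bank )?account|bank details (have )?changed"
    r"|transfer (the )?(deposit|funds)|urgent(ly)? (payment|transfer)", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot one-character lookalikes of the firm's domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_email(raw: str) -> list[str]:
    """Return warning flags for one raw RFC 5322 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    flags = []
    # Chief Executive Fraud: a partner's display name on an address outside the firm.
    if name.lower() in KNOWN_STAFF and from_dom != FIRM_DOMAIN:
        flags.append(f"display-name impersonation: '{name}' from {from_dom}")
    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to mismatch: {from_dom} -> {reply_dom}")
    # A domain one edit away from the firm's own (e.g. a swapped letter).
    if from_dom != FIRM_DOMAIN and _edit_distance(from_dom, FIRM_DOMAIN) <= 1:
        flags.append(f"lookalike domain: {from_dom}")
    # Friday afternoon / invoice fraud: asks for payment to a new account.
    if PAYMENT_RE.search(body):
        flags.append("payment redirection wording in body")
    return flags
# Constructed sample: lookalike domain, foreign Reply-To and a change-of-account request.
SUSPICIOUS = """From: Jane Doe <jane.doe@exampIe-law.co.uk>
Reply-To: jane.doe@mail-relay.example.net

Our bank details have changed. Please transfer the deposit to the new account today.
"""
```

Calling `triage_email(SUSPICIOUS)` raises all four flags, while a genuine message from `jane.doe@example-law.co.uk` with no Reply-To and no payment wording returns an empty list.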
Talk openly about cyber crime and near-misses in your law firm
It is important that everyone working in a law firm understands the different forms a spear-phishing email can take, as well as how to spot a rogue communication if one arrives in their inbox.
It is equally important to take positive steps to improve your business culture by establishing a clear reporting process for near-misses with no personal consequences for the end user. This will help to ensure that cyber crime is kept high on the agenda and that any mistakes are dealt with quickly.
You can also look into alternative, safer methods of communication, such as introducing 2-factor authentication and secure online portals.
Encourage everyone to ‘stop and think’ when replying to any email
It is far too easy in a busy office to rush through routine tasks, yet this can leave employees exposed to criminal behaviour.
Consider putting up posters around the office to encourage employees to think twice. Simple messages such as ‘Don’t assume an email, text or phone call is authentic’ and ‘Listen to your instincts – you know if something doesn’t feel right’ can be surprisingly effective.
Create a ‘Cyber Incident Response Plan’ to help boost awareness
Another useful exercise is to workshop a ‘Cyber Incident Response Plan’. This will include agreed responses to “worst case scenarios”, alongside named individuals responsible for executing them. It will also feature a detailed contact list of the people required to get your operation back up and running.
By working on the response plan together, employees will begin to understand the breadth of the problem and the cost of getting it wrong.
Explain the dangers of ‘Shadow IT’ (plugging in rogue USB sticks)
The term ‘Shadow IT’ refers to IT activity that goes on around a law firm under the radar of the official IT department.
For example, employees plugging in USB sticks they have picked up at events, or sharing files across popular file-sharing websites; both of which can act as a gateway for cybercriminals and result in ransomware attacks.
(A ransomware attack is when a cybercriminal infects a computer system with a piece of malware which places a digital blocker on the system, so that the victim firm can’t raise an invoice or continue business as usual. The cybercriminal then holds the firm to ransom, with a message appearing on their computer screen demanding payment for the digital release key, as recently seen in the attacks on the NHS.)
HR and IT departments need to work together to help promote positive messages across their law firm to raise awareness of these risks, and curb ‘Shadow IT’ behaviours.