London firm Anthony Gold Solicitors is the latest to suffer a cyber-attack causing emails to be sent out apparently from a law firm’s address. Some 16,000 emails were sent on Monday under the subject line ‘Action Required – Matter for Attention’ and asking recipients to open an ‘urgent’ attachment.
The firm has warned recipients to delete the emails immediately.
Managing partner David Marshall told the Gazette that the firm’s email account had been hacked and emails were sent to around 16,000 addresses on its server. Marshall said an investigation was under way to determine how the hack occurred. ‘Fortunately the vast majority of recipients contacted us to query the email and we were able to tell them not to open the attachment,’ he said. ‘We apologise for this very unfortunate incident.’
This is the latest of a series of incidents involving cyber-criminals impersonating law firms and regulators in order to propagate malware. Last week the Law Society warned solicitors that scam email messages had been sent to solicitors suggesting that their profile on Find a Solicitor had been compromised. Any such message should be deleted, the Society said.
In the Anthony Gold incident, emails were sent out in the firm’s name on Monday, 11 December. Emails, seen by the Gazette, include a ‘secured attachment’ purporting to be from Anthony Gold, along with the message ‘kindly review’.
A source who received the email told the Gazette they contacted the firm straight away and received an apology in which the firm said a cyber-attack had occurred on a ‘handful’ of its email addresses.
The message from Anthony Gold said: ‘The sending of these emails did not compromise your personal data in any way. We regularly review our data security practices to ensure the security of our client and contact personal data. Yesterday, we acted swiftly to close down the affected email addresses and mitigate the situation.’
The firm, which has offices in London Bridge, Elephant & Castle and Streatham, now has a notice from Marshall on its website informing clients of the suspicious email.
Earlier this year the Gazette reported that international law firm DLA Piper was among the victims of a global cyber-attack.
Cyber security experts said such attacks should be taken extremely seriously. Peter Wright, managing director of technology firm DigitalLaw UK, said: ‘Often there are instances where an email impersonating a law firm is sent out from a bogus account. Usually, recipients know to not respond and delete the message. In this instance, given that the hacker has got access to the server, a legitimate email from the firm has been used which could give it credibility.’
The apparent aim was to persuade clients to reveal log-in details in order to defraud them, Wright said. ‘They say that they believe no personal data was compromised by the sending of the email and that if people had opened the attachment and logged in they should change their password,’ he said. ‘That’s all very well, but I think they need to be a bit more assertive on this and tell recipients to change their details as a minimum starting point.’
Wright added: ‘The Information Commissioner is not expecting law firms to have the world’s best protection system in place - but it does expect firms to know how to respond effectively if a breach does happen.’