Recently we were lucky enough to have Steve Wilmott, Director of Intelligence and Investigations at the Solicitors Regulation Authority, in the studio to discuss cyber security matters as part of our upcoming Practice Management & Compliance channel programme, ‘Cyber Security for Law Firms’. Here is an excerpt from that forthcoming interview:
Interviewer: Why might law firms be targeted for cyber security attacks and what parts of the firm are particularly vulnerable?
Steve Wilmott: Well, law firms are very reliant on information and they use that information to simply move clients’ money from one account to another, whether it be to a client or whether it be to another law firm, for example, if there was a conveyance in a house purchase. And they rely on that information to have the right bank account and the right details so that an individual or a firm receives the money when they should. Now what we’ve seen in relation to phishing – and another term for it is e-mail diversion – is that within the course of that transaction a firm may receive an e-mail very late in the transaction to say, “We are the corresponding firm, we’ve just changed our banking details, don’t send the money to our usual account, this is our new account, please send it there.” Law firms are hugely attractive to criminals and organised crime, and the main reason is they hold huge amounts of money in their client accounts, sometimes many, many millions of pounds. Only two years ago the Financial Action Task Force – when they undertook a money laundering evaluation of law firms internationally – said the same, that law firms are hugely attractive to organised crime for that very reason.
Interviewer: Attacks and breaches can come from different sources, so what are the main categories that these fall under?
Steve Wilmott: Well, the one that we’re seeing by far is criminal attacks, and they’re simply designed to obtain money criminally, through a criminal act, from solicitors’ firms. We get one or two where it may well be a disgruntled employee and that usually involves a destruction of data, destruction of information, which can have an effect on a law firm, but the principal one is trying to obtain money from law firms through a criminal act.
Interviewer: And in what ways do a law firm’s own employees present a risk to cyber security?
Steve Wilmott: Well, all law firms should have practices and procedures in place to make sure that the person they are speaking to is genuine, and that they keep their passwords, in particular, secure. If they receive, for example, instructions to send money to another bank account via e-mail or the internet, then it’s very wise to make sure that there is a policy in place to ensure the veracity of that change by making further inquiries and not just relying on the initial contact. What we’ve also found is that clients of law firms are receiving information from criminals. For example, they’re just about to pay a deposit on a house, or Stamp Duty to a solicitor, and what we found there is that they’ve also received similar e-mails, and those e-mails have said, “We are your solicitor, we’re just about to receive money from you, but we’ve just changed our bank account, please send it to this account.” It’s still the same law firm, but it’s another bank account, and of course that bank account is operated by criminals, and substantial amounts of money have been stolen directly from clients in that respect rather than from law firms.
Interviewer: So if a solicitor or a law firm thinks they’ve been the subject of an attack what’s the best thing for them to do?
Steve Wilmott: If you think you’re under attack, whether this be by e-mail or by telephone contact, then immediately stop the contact. If it’s a telephone call then stop that telephone call. Do not use the telephone that you are using, so do not use any numbers to call that have been given by the individual that has contacted you. So terminate the call and use another telephone, and use trusted contacts that you can call to try to ensure the veracity of that original call. Now they can be very clever: sometimes the telephone screen that identifies the caller, the criminals can manipulate that so that it looks as if it is from a genuine bank, so ignore that. Also ignore any other call or telephone numbers other than the ones that you know and trust. But the main thing is, if you have any form of concern whatsoever, then you must terminate that transaction and seek independent means of establishing the veracity of that contact. The second thing is, if you have been the subject of a fraud, then immediately contact the police, your insurer and your bank, importantly, and the Solicitors Regulation Authority, all of which can help you in various ways with trying to establish, one, who’s done this, two, what the impact on that business will be and, thirdly, trying to recover some of the money that may have been taken. Perhaps the three most important things are security software, keeping passwords safe and also, actually, making sure that your banking details are as secure as can be.
A big thanks to Steve for giving up his time to come and speak to us on this important subject. Until next time…
http://www.lawcolmedia.com