Is email now your law firm’s weakest link in the fight against cyber-criminals?
The UK public have endured a long decade of Governmental austerity measures that have stretched the household budget, making it more difficult to save money. Cyber criminals who understand these difficulties, now woven into the public consciousness, have targeted them as an exploitable weakness.
Just last week, I became an intended victim of social engineering and rather convincing phishing tactics after an email from a law firm hit my inbox.
The message, claiming to be from a reputable full-service law firm, informed me that I had been left a substantial inheritance by a gentleman named Kenneth Kern.
The email looked legitimate, providing a Solicitors Regulation Authority (SRA) number for the organisation, a website address, a bricks-and-mortar address in Holborn, London and an array of email addresses, which included a 'contact us' address.
Fraudsters can be very convincing pseudo-lawyers
In addition to the meticulous details, the language used, especially the legal lexicon, was formal, authoritative and convincing. It would be easy to see why anybody would respond to the message.
However, upon closer inspection, the SRA number belonged to another firm and the email address was slightly different to that of the legitimate firm, containing an additional ‘I’ compared with the original firm’s email domain.
Law firms and their clients will always be a target for cyber criminals given the huge sums of money transferred in the property completion process and the sensitive information stored within law firms.
SRA scam alerts
In 2016/17, the SRA issued 237 scam alerts to the public. Although this number reduced to 217 last year, there have already been 29 scam alerts in May, 27 in April, 31 in March and almost one per day in June 2019.
As the perceived legitimacy and number of attacks increase, it is imperative that law firms do everything in their power to ensure their data, client information and money are safe from persistent fraudsters.
Unfortunately, and despite Governmental advice from the National Cyber Security Council (NCSC), a huge number of law firms are failing to implement even the most basic cyber security protections, which would reduce the threat of cyber criminals diverting client monies to the criminals' own accounts.
How can a law firm help prevent cyber criminals sending scam emails to the public?
Although it is nigh on impossible to stop an invisible force from flooding the sector with dangerous emails, there are measures that should be taken to make the job of a cyber criminal a lot more difficult.
Given that ‘Email security and anti-spoofing’ guidance was issued in 2017, it is surprising how few firms have fully embraced Domain-based Message Authentication, Reporting and Conformance (DMARC) services.
A recent report found that only ten of the top 100 law firms have configured their DMARC settings to the full ‘reject’ policy setting. According to the data, this number has increased by only nine firms, from one firm using DMARC at its fully protected level in 2017.
DMARC prevents fraudsters from spoofing or exactly copying an email domain. The email I received did not directly spoof the law firm’s email domain, yet the addition of a single ‘I’ could easily be overlooked. Failing to implement a service that stops fraudsters from directly copying a domain allows cyber criminals too much freedom to look legitimate and could be the difference between an attack succeeding and failing.
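As an added illustration (not code from the original article or from any firm or vendor it mentions), the Python below grades a domain's published DMARC record against the full ‘reject’ setting and flags a lookalike domain that differs by one inserted character, which the legitimate domain's DMARC policy does not cover. The domain names and TXT records are constructed samples, and the grade labels are this example's own.

```python
# Added example: constructed records and hypothetical domain names throughout.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # RFC 7489: the v tag must come first
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Grade a record: 'missing', 'monitor-only', 'partial' or 'full-reject'."""
    tags = parse_dmarc(txt) if txt else None
    policy = (tags or {}).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing"  # no record, or no valid policy tag
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100     # pct defaults to 100
    if policy == "none":
        return "monitor-only"
    if policy == "reject" and sub_policy == "reject" and pct == 100:
        return "full-reject"
    return "partial"  # quarantine, sampled reject, or weaker subdomain policy

def one_char_insertion(legit, candidate):
    """True if candidate is legit with exactly one extra character inserted."""
    if len(candidate) != len(legit) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == legit
               for i in range(len(candidate)))

# Constructed DNS TXT values, as would be published at _dmarc.<domain>
RECORDS = {
    "examplefirm.test": "v=DMARC1; p=reject; rua=mailto:dmarc@examplefirm.test",
    "rollout.test": "v=DMARC1; p=quarantine; pct=25",
    "watching.test": "v=DMARC1; p=none; rua=mailto:dmarc@watching.test",
    "examplefiirm.test": None,  # lookalike owned by someone else, no record
}

if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        print(f"{domain:20} {enforcement(txt)}")
    print(one_char_insertion("examplefirm.test", "examplefiirm.test"))
```

The lookalike is a separate domain, so the legitimate firm's ‘reject’ record has no bearing on mail sent from it; spotting it relies on domain monitoring and recipient checks instead.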
DMARC and Cyber Essentials
All law firms should therefore look to fully embed and configure DMARC, slowly building up to a ‘reject’ policy setting.
Similarly, the NCSC and a raft of legal regulators including the Council of Licensed Conveyancers, Lexcel and the Law Society’s Conveyancing Quality Scheme (CQS) all advocate their law firms gaining Cyber Essentials certification.
Considered by the Government to be the minimum starting point in cyber security, Cyber Essentials ensures your firm considers the vulnerabilities on all devices connected to the internet, encouraging firms to plan how to keep their online presence secure.
Unfortunately, despite being recommended by regulators and the Government, too many law firms are yet to prove they have considered steps to defend their online presence through cyber certifications.
Lawyer Checker can help protect your business, prevent data breaches and remain trusted!
These measures are no longer just good practice; they are becoming consumer expectations. Don’t get left behind by remaining vulnerable to cyber crime. Let Lawyer Checker help.