At The Strategic Partner, we provide outsourced compliance solutions for several firms. Although cybercrime is prevalent across the industry, since 1st March 2023, we have had four reported instances of Cybercriminals infiltrating law firms’ systems. What is concerning about these more recent instances is that they have ALL followed the same pattern and profile, which indicates that a team of cybercriminals are actively targeting law firms and their staff.
Typically, the cyber-attack cases we see are random with limited commonality other than with the intent to obtain data or infect a system with Ransomware.
However, the pattern of the recent attacks has all been the same:
- Contact has been made by a criminal to a member of staff who has been requested to share their password. Typically, this has been through a link in an email which takes the user to the form.
- If the email address is not protected by 2 Factor Authentication, criminals will have direct access to the account.
- If the email address is protected by 2 Factor Authentication, an access request is made, and a recorded message is sent to the individual with a request to approve the login.
- When the account has been accessed, emails are sent (not always immediately) to clients requesting monies with the account details changed to an account controlled by the criminals. These are usually genuine emails that have been masked to contain altered details.
- The emails are well written, not the usual poorly worded content that is easier to spot.
- When the firm realises they have been subject to a successful cyber-attack and subsequently changes the password on the infiltrated email account, they create a new domain and change one letter and start emailing clients directly, using the client database that has been obtained. The email addresses are so similar that most will not notice it. For example, they will change an ‘I’ to an ‘l’ in the email address. The criminals will also use multiple employees’ names on the fake email account – which tend to be property lawyers – and we assume information is obtained from a Firm’s website (for example, the profiles listed on the meet the team page).
The reason for the concern, in this instance, is that early signs indicate all these attacks are from the same team of criminals, as:
- The process followed is the same on each occasion.
- The same bank is being used and the same sort code.
- The same hosting provider is used for fake email addresses.
- Law Firms are the definite target (we have not seen this on our out-of-sector clients in the same way)
While it may seem obvious that you should not reveal your password or consent to a 2-factor authentication request, people are being caught out. Firms will be well advised to:
- Inform their staff never to disclose their password for any reason to any person.
- Enable 2-factor authentication on all email accounts.
- To only approve a 2-factor authentication request if they are 100% sure they are the person logging in.
- Provide cybercrime training across the firm and give practical examples of how criminals can access systems.
- Make it easy to report an issue and provide a safe space to do so – fear of ridicule or repercussion may inhibit someone from reporting the issue sooner.
We hope this information is helpful and a timely reminder to continue to be vigilant to the risks of cybercrime.
Is a lack of understanding and training putting your firm at risk?
As these successful phishing attacks demonstrate, it is vital that all firms should be taking steps to build up cyber-resilience, not just within their IT department or service provider, but from the ground up. Now could be the time to re-evaluate the firm’s systems defence, including running checks on incoming emails and running a cyber-security audit – read our previous guidance here on factors to consider: Cyber Security Audit – Considerations.
All firms must ensure they have evaluated risk, remain compliant and ensure that all staff are aware of the potential cyber-security dangers with a robust strategy put in place and followed for improving cyber defence.
Our Regulation and Compliance Services
At The Strategic Partner (TSP), we have developed a compliance product that addresses each key stage of managing a compliant law firm. From implementing policies and IT system reviews to file audits and supervision, we work with you to implement a proportionate and sensible approach to compliance.
Our packaged risk and compliance solutions provide guidance and support to firms on a range of topics and include: –
- Our Risk, Regulation and Compliance Service (including AML),provides firms with the necessary Policies Control and Procedures (PCP’s) – that are in line with CQS requirements and the standard of the relevant quality mark – alongside training, supervision structure, an annual independent assessment and reporting. This solution ensures that firms and their staff are compliant and remain so. It also clarifies what to do in the event of a mistake and/or a breach occurs.
- Our extended service, Risk, Compliance, AML Guidance and Register Administration, provides an outsource solution for firms where The Strategic Partner not only manages and maintains the risk registers and provides guidance to all staff (inc. Partners), we also produce monthly risk and compliance reports.
The combination of these two solutions provides a law firm with a robust and cost-effective risk and compliance strategy that ensures staff have access to expert guidance as it is needed.
The Strategic Partner has developed a range of training courses to assist firms with their training challenges. We have provided training to firms of all sizes, and our clients range from sole practitioners through to multi-office, multi-service firms with overseas offices. Our courses are constantly evolving to ensure they are kept relevant with changing regulations, requirements and industry topics. Our training can be delivered to firms and their staff on both a 1-2-1 or Group basis, find out more about our training courses
About The Strategic Partner
The Strategic Partner is a law firm knowledge hub. We work with law firms and professional indemnity insurers, advising and guiding on compliance and risk management techniques to assist and reduce instances of claims or regulatory breaches.
We offer a range of services and consultancy tailored to the Legal sector. We have gained a wealth of knowledge and experience in the overall management of law firms and work with them to achieve profitability, stability, and efficiency. Our goal is to become a valued and respected partner to our member law firms, consistently providing high-quality services and solutions.