500 law firms targeted by scammers
SRA warns about sudden rise in malware attacks
Nearly 500 law firms have been targeted by scammers, the Solicitors Regulation Authority has reported as it warned malware attacks against solicitors were on the rise.
In an update to the profession, the regulator said firms have been sent emails by fraudsters trying to infiltrate IT systems.
Emails would typically start by saying the senders required the firms’ services. After the firms responded, the scammers sent attachments or links to websites which might contain malware – harmful software including viruses and other programs allowing access to data.
Once clicked on or downloaded, the attachments allow the scammers to control or undermine a firm’s IT systems. Some of the emails relate to the sale of a property or the purchase of a business, the SRA said.
The regulator said it has seen emails being sent from a ‘Margaret’ and a ‘Mary Smollins’, from the email address ‘email@example.com’.
‘While genuine potential clients might indeed send information in this way, law firms should be wary of the risks of malware infecting their IT systems, and take action appropriate to their business,’ the SRA said.
The SRA’s Risk Outlook and associated papers have identified IT vulnerability as a major risk for law firms and have urged solicitors to regard cybercrime as a priority risk.
The latest version of the outlook warned that information security breaches could harm clients’ interests, result in financial loss, and cause reputational damage.
Law firms were ideal targets because many hold significant amounts of information and client money.
Common scams include ‘Friday afternoon fraud’ and being tricked into dealing with a bogus law firm.
According to the Law Society’s 2016 professional indemnity insurance survey, a quarter of firms have reported being targeted by cyber criminals, with nearly one in ten of these attacks resulting in money being stolen.
In addition to malware, a common form of cybercrime is phishing, which involves using email or phone to obtain confidential information such as a password by building a personal relationship with a solicitor or law firm employee.
Another is email modification, often used in Friday afternoon fraud, where scammers use details gained from hacking or social engineering to modify emails and redirect money due from a client, bank, or supplier.
A variation on the latter is CEO fraud, where a criminal impersonates a senior figure at a law firm, by hacking their email address or purchasing a very similar email address, in order to impose authority and order money transfers.
Jean-Yves Gilg is editor in chief at Solicitors Journal