Cyber 'vultures' capitalising on homeworking lawyers

Firms have been told by the regulator to be extra vigilant around cyber security, with a specialist solicitor warning that criminal hackers have become increasingly sophisticated and targeted.

The Solicitors Regulation Authority (SRA) issued the warning to law firms and staff amid an increase in reports of cyber-attacks against businesses whose staff are remote working.

It said it has received reports of firms being targeted, including a case where criminals attempted to create a standing order for £4,000 a month from a firm’s client account.

Peter Wright of Digital Law commented that while lawyers have the tools to be as productive while working from home as they were before lockdown, they are not as safe from being exploited by cyber-attacks.

He warned that hackers have capitalised on the fact that most of the workforce is working at home using home wifi; and personal devices that are “not designed for the sort of mass intensive use they have had to handle during the lockdown”. 

“The legal profession’s email addiction continues to leave us more vulnerable than most sectors of the economy to exploitation by the phishing email”, he added. 

“These attempts to encourage recipients to click on malicious links or provide confidential information have become increasingly sophisticated and targeted during the lockdown.”

Wright described the volumes of scam email traffic out there as “staggering”. 

Google disclosed this month that every day it was blocking more than 18m coronavirus-themed scam emails.

The National Cyber Security Centre (NCSC) reported a 400 per cent increase in cyber-attacks across all businesses in the UK during the first two weeks of lockdown; and Action Fraud reported a spike in attacks on smaller businesses.

SRA chief executive Paul Philip said: “Cybercrime is a priority risk for the legal sector and it’s not going away during the Covid-19 pandemic.

“Criminals are always looking to take advantage and they know that security arrangements are likely to have changed as people move to homeworking.” 

Wright also highlighted the risks associated with business platforms such as LinkedIn and warned lawyers not to accept a connection request from someone they don’t know. 

“One scam”, he explained, “involves users receiving connection requests from hackers posing as recruitment consultants. 

“Once connected, they contact the user and flatter them, saying they have been headhunted for a prestigious role. 

“The hacker then sends a spreadsheet as an attachment on LinkedIn, asking the recipient to confirm certain pieces of information.” 

He said this spreadsheet contains macros that need to be enabled and, once downloaded and enabled, it could then give the hacker access to the machine. 

They could then hack into the network and business systems; or install ransomware, lock the machine and demand a ransom payment in Bitcoin in return for unlocking it 

Meanwhile, the Law Society this week launched a new cyber security campaign following the increase in fraud and scams. 

The campaign includes revised guidance on preventing frauds and scams, online training, advice on how to safely deliver legal services online and how to utilise effective legal technology during the crisis.

Law Society president Simon Davis said cyber criminals and fraudsters are “circling like vultures”.

He said: “It is important we are equipped to protect against these threats.

“Protecting clients’ data will rightly be a priority for many firms. 

“We have a dedicated in-house team who will be on-hand to provide bespoke support to members, field queries, and facilitate thought leadership.”

He said the Society will continue raising awareness of the dangers of online fraud during the pandemic crisis and how to prevent it.

The SRA’s information for firms on cyber risks during lockdown was updated on 9 April 2020.

Details of the Society’s new campaign can be found here.