Head of Marketing & Customer Engagement
Concern has been raised in the legal profession as a result of the highly publicised Mishcon de Reya £1 million fraud case, in which the firm’s client was tricked into purchasing a London home from a seller who was deceitfully acting as the owner.
While the growing threat of buyer deposit redirection and rogue homeowners makes conveyancers an obvious target, all businesses should be alert to this kind of fraud. A law firm is an attractive target for hackers because it has access to significant financial assets and a wealth of valuable client data.
Every day there are more incidents of cybercrime, ranging from hacking and malware to distributed denial of service and phishing scams. Here are some recently reported cybercrime figures to support that claim:
- According to the National Fraud Intelligence Bureau, 159 buyer deposits were stolen in 2016, an increase of 85% over the previous year.
- According to the Office of National Statistics, there were 5.8 million cybercrime cases in 2016, or 40% of all criminal activity that was reported.
- Cybercrime is presently projected by Action Fraud to cost £193 billion annually.
- According to the BIS Information Security Breaches Survey, 81% of big organisations have suffered a security breach, with costs averaging between £600,000 and £1.5 million per company.
Under-reporting is a major problem. Many cybercrimes go unreported out of concern about judgement and repercussions. You have a professional obligation to find, stop, and fix breaches, including cyberattacks, and that obligation is enforced by industry regulators.
In addition to your regulatory requirements under the SRA Code of Conduct, you face new challenges from indemnity insurers, who will want to see procedures in place to prevent crime when renewing policies and setting premium rates, including run-off cover. To address the dangers posed by cyber criminals and to help recover any losses suffered, there is a compelling case for separate cyber insurance cover, over and above Personally Identifiable Information (PII).
Don’t forget about your other compliance obligations. The Data Protection Act of 1998, the Money Laundering Regulations of 2007, the Proceeds of Crime Act of 2002, the Terrorism Act of 2000, and the brand-new EU General Data Protection Regulation, which will take effect in May 2018, are just a few.
Although the stakes are high, there are many things you can do to minimise risk by building a strong, dependable, and secure cyber environment. For more information on how to manage risk within your IT infrastructure, see our website. Operating systems, email attachments, file transfers, data backups, passwords, and other topics are covered.
Because of the significant economic risk that cybersecurity creates, we’re expanding on our prior guidance here with our eight best tips for preventing fraud so that you may actively strengthen your defences:
1. Be alert to unusual behaviour and money requests to reduce the risk of fraud
The Solicitors Regulation Authority (SRA) estimates that “Friday afternoon frauds” account for 75% of cybercrime reports. In these cases, hackers intercept and alter emails sent between two parties (typically a lawyer and a client), changing the bank account details they contain in an effort to divert funds.
If you have any suspicions, start asking questions, as many times as needed and ideally using a known phone number. You could also set up a trial run with a £1 transfer; once receipt has been confirmed, you can proceed with the real payment. If it turns out to be entirely legitimate, those concerned will value your thorough checking and testing.
2. Evaluate the procedures you use to take on new clients
What background checks do you run on new clients who choose your firm to handle their legal matters? A quick glance at someone’s passport, driving licence or utility bill is no longer enough. Find out as much as you can about both their identity and their credit history, so that you can be sure your clients are who they say they are, that they have the financial means to pay for your services, and that your hard-earned profits aren’t ending up in the greedy hands of extortionists.
Furthermore, tell clients up front that you will never ask them to send money to an account other than the one already provided. Do this both in person and in your client care documents. They will then know to watch out for any such request and to get in touch with you right away if one arrives.
3. Describe the procedures you use to manage customer funds
In addition to the factors mentioned above, money is of course the main temptation. The SRA reported that £7 million in client funds were lost to cybercrime in the previous year. Keep client and office funds separate, allocate tasks to your cashiering team members, set reporting lines, and set out timeframes for each step of the process, keeping the SRA Accounts Rules top of mind.
For instance, you might state that only authorised employees may move funds, and establish a practice of taking deposits as late as possible to ensure that there is never too much money on hand. You will provide better service to your clients and reduce the possibility of financial theft.
4. Begin preparing for disaster recovery and continuity of operations
Prepare detailed disaster recovery and business continuity plans, so that you have an appropriate series of responses to unexpected events and planned crimes. These should include the types of crisis you might encounter, what to do in each case, the responsibilities of key staff, the stages of recovery, emergency contact information, analysis of outcomes, and records of practice or actual disaster events. The ultimate goal is to put your firm in the best possible position to handle serious incidents with the least disruption to its daily operations.
5. Set a risk management plan and maintain a close eye on the activity
Since prevention is always preferable to cure, set your preventative and investigative measures within a risk management policy. These could range from physical security tools such as CCTV cameras and burglar alarms to IT-based solutions such as SSL encryption and antivirus software. Your policy should cover risk classification, management, and communication.
Examine every aspect of your business carefully for any signs of unusual activity that might signal the start of an attack. To stop criminals in their tracks, it is vital to be ready to respond to potential breaches as quickly as possible.
6. Report all incidents, both successful and unsuccessful attempts
You have a responsibility to do this because the legal community cannot fight cybercrime effectively unless it has a thorough understanding of the scope of criminal activity and the tactics used. More two-way conversation will make it easier to spot trends, catch scams early, alert others to potential problems, and take the appropriate action.
Alert your insurers, the SRA, Action Fraud, and/or the Information Commissioner’s Office.
7. Involve your staff in best-practice risk management, taking into account their role in your firm
Restrict certain tasks in your firm, such as software installation, to designated individuals. Basic measures like this can greatly reduce risk exposure: it takes only one weak point to leave your firm open to attack.
If you have remote and home workers, the use of unauthorised devices and removable drives should also be restricted, because both create security risks and expose your entire network. Establish secure guidelines for your staff to follow, and then train them in IT best practice.
8. Review your IT providers and systems
The importance of using the most recent operating systems, running automated backups, installing firewalls, and using dedicated anti-virus and anti-spyware software to protect against hackers has already been touched on. Software is readily available that can reduce the risk further: anti-money laundering checks, credit screening, conflict of interest searches, document capture for identity verification, and breach alerts will all help protect your matters and the financial information that accompanies them.
Another option is to bring in additional back-office services, such as fully outsourced payroll and cashiering. Thanks to your outsourcing provider’s close attention to detail, discrepancies will be identified quickly and you will be made aware of questionable activity.
Keep the SRA Code of Conduct in mind here. Make sure that outsourcing agreements, whether they relate to cloud software or other outsourced services, allow you to uphold your obligations to protect your clients. To confirm that your provider meets international security standards, ask about any ISO certifications.