Keeping law firms and client funds safe from cyber criminals

Craig Matthews and Adrian Jones from the Legal Software Suppliers Association outline some of the risks from cyber criminals give helpful tips to lawyers

Cyberattacks can take many different forms.  The most complicated, those that make headline news, normally involve direct hacking attacks of government or large corporate networks to either disrupt their business or simply to add the scalp to the hacker’s resume.  These attacks are often very complicated and involved highly talented software engineers to work their way through the very best firewalls and intrusion detection applications available not to mention all the other security modules these firms will have deployed on their network.  The reason these attacks are deemed news worthy is that they are relatively rare.  The most frequent cybercrimes, phishing scams, are conducted through, in relative terms, simple methods and happen all of the time.

Phishing scams are designed to convince the end user to provide the hacker with their username and password so the hacker can gain access to your PC, network or email account.

It is more likely that you will fall foul to one of these phishing scams than a full scale hacker attack.  You of course must still ensure your firewall, intrusion detection application and other hardware and software security devices are properly maintained, up to date and appropriate for the risk profile of your firm, but even the most complexity security designs can be breached if a user unwittingly gives their credentials to a hacker.

So how can you avoid falling foul to a phishing scam?  The key is education.  Following the simple lessons below could greatly assist in reducing the likelihood that your firm will fall victim to a phishing scam or password theft.

Managing your credentials

Don’t give them out. The simplest way to for a hacker to break into your computer system is with your credentials.  Never provide your credentials to a third party.  No reputable firm will ask you to disclose your username and password to any service they provide and most certainly would not ask you to disclose your username and password to any services they do not provide.

Don’t log into any web sites or portals unless you know and trust them

Often phishing scams will involve the victim receiving an email with an attachment.  Upon opening the attachment, the victim is asked to enter their username and password to download the contents.  Don’t!  You should never need to enter your credentials to download an attachment sent to you.  If you are at all in doubt contact the sender to verify the contents of the email.  If the attachment is particularly sensitive, we would recommend asking the sender to upload the document to a portal or deal room site and provide you with access to it rather than sending it via email.

Don’t save your passwords

Most web browsers will ask you if you want to save your username and password.  Don’t!  Saving your credentials to your web browser will mean that anyone who gains access to your machine can gain access to all of the applications you use.  You can also see a list of all usernames and passwords saved on the web browser in plain text.  We recommend that you turn the save password or remember password setting off on all devices and all browsers.

Don’t write your passwords down

Whilst you may not be giving out your credentials writing them down and sticking them to your monitor is equally as risky.  Whilst we all trust our fellow co-workers you may have third parties walking through your office and any of these could see and make a note of your password.  Not writing down your username and having just your password on show is no less of a risk.  Most corporate networks and email accounts will follow the same pattern meaning that if someone has your password they can easily guess your username.

Use strong passwords

A great number of computer users still use weak passwords.  Just as a hacker with your password can guess your username, a hacker with your username can guess a weak password.  Your password should be at least 8 characters long and should contains a mixture of upper and lower case letters, numbers and special characters.  Your initials and date of birth, whilst it may meet the minimum security requirement, is still a weak password as it would be easy for anyone who knows you to guess.  The more obscure your password the better.

Change your password

If you are given a password the first thing to do is to change it.   You immediately reduce the number of people who know your password to just one person.  You should also frequently change your passwords.  Approximately every 45 days is a sensible time frame.

Use different passwords

It can be difficult to keep track of your different passwords for your different applications however this shouldn’t prevent you from having a different password for each application.  If you were to ever unknowingly give out your passwords or have your account hacked far less harm will be done if the hackers only have access to one account and not all of your accounts.

Ensuring your staff understand the risks in providing their credentials to even trusted third parties and by following the rules above you will greatly reduce the likelihood that your firm will become a victim of cybercrime.

Tips to help prevent cybercrime:

• Within the engagement letter sent to any new clients you should clearly set out that as part of cyber safety measures clients will never be directly contacted by email or telephone regarding bank accounts, change of bank accounts, or any other financial information.  Also provide a senior contact name that your client should speak to if they have any concerns or questions about fraud.
• Ensure that procedures are in place that certify the entire firm complies with the above
• If cyber safety is taken seriously consider asking your client to break any large transfer into two amounts, sending an initial £1, once that is confirmed the remaining amount can be transferred shortly after.
• All communications with your client that requests, or contains any sensitive, or financial information should either be via a) secure client portal, b) password protected document such as a PDF, or c) sent via printed and franked letter, never by email or telephone.
• Use a third party service such as GB Group’s Bank verification service or lawyerchecker.co.uk to validate banks accounts before making a transfer. Never accept changes of banking details at face value and always verify with the relevant parties directly before accepting any changes.
• Consider having an employee fraud training and awareness program within the firm, give regular updates of fraud trends and areas of risk.  The program should focus on compliance, fraud prevention and where responsibilities are held.  The responsibilities should include what to do in the event of suspected fraud.  Adopt security measures from the ground up and ensure all members of staff are part of this process.
• Consider having a set of fraud mitigation warning flags, and where a transaction falls into the following categories you should undertake additional checks:

• No estate agent is involved in the sale of the property.
• The transaction involves a relative.
• The transaction is under a Power of Attorney.
• The property has recently changed hands.
• The property is funded through other parties.
• The purchase contract involves payments to other parties.

The Land Registry has launched a monitoring service called Property Alert, which will notify if there has been certain activity involving the register of the monitored property, allowing you to decide whether or not the activity is suspicious.  This allows you to take immediate action if something happens to your property that you are not expecting. This is a service you should be recommending to your clients.