The Magic Circle law firm Clifford Chance’s UK managing partner and solicitor, Michael Bates, has been impersonated by scammers in a bid to con unsuspecting members of the public.
The Solicitors Regulation Authority (SRA) have now warned law firms after the emails sent had misused the name of Clifford Chance and Michael Bates by inviting those recipients who received the email to view an attachment (which was not attached) in relation to a client matter.
The SRA was informed that the online scammers had clearly done their homework as the emails in question appeared to be genuine, however, with close inspection the internet fraudsters had spelt the London-based banking and capital market’s expert’s forename incorrectly.
The SRA was told the emails had the title “CE051218P (Clifford Chance) – Introduction” along with one email address used to be “cliffordchance.com@dsgconst.onmicrosoft.com”. It was verified to the SRA that the email was signed off with the misspelt forename “Micheal” and also provided a contact number of “0044 (0)7537 183432”.
However, the real Mr Bates, who was promoted to the UK managing partner last year, is not connected to the fake emails in any way.
A spokesperson for Clifford Chance said:
“We are aware of recent emails impersonating the firm as part of an attempted email scam, and have both published an alert on our website and worked with the SRA to ensure the details are available for anyone to easily verify. We recommend that anyone receiving a suspicious email deletes it and does not reply or, if there is genuine ambiguity, to contact us.”
The regulator stresses to law firms that when a “firm’s or an individual’s identity has been copied exactly (or cloned), due diligence is necessary” and warned that anyone receiving emails of a similar nature should conduct their own due diligence by checking the authenticity of the email.
Unfortunately, these kind of phishing-style fake emails are a common occurrence and is not the first time identities of solicitors and firms have been used in this way and will certainly not be the last.
Email modification fraud is now the most common type of cybercrime against solicitors, where cyber criminals intercept and falsify emails between a client and the firm. Just last month, during a presentation about cyber crime at the LegalEx conference, the SRA highlighted that the vast majority of cyber attacks reported to them involve email compromise – and everybody is now 20 times more likely to be a victim of cyber crime than a victim of in-person crime.
conveyancing and probate are at extremely high risk of email fraud due to the nature of work carried out as they deal with large amounts of money which have to be transferred to many accounts – this gives fraudsters a huge opportunity to impersonate a firm’s email domain to any recipient such as clients, suppliers or employees.
Whilst there is no silver bullet to protecting your firm from these kinds of attacks, guidance from the National Cyber Security Centre to law firms suggest that there is no single solution to email security and that firms must adopt a multi-layer approach to protecting themselves from cyber attacks.
The theory being that if one layer of defence is breached, there are additional layers of security that still offer protection. One such layer is to include the implementation of DMARC protocol on a firm’s domain – which actively blocks phishing attacks and prevents 3rd parties from impersonating your domain name to stop cyber criminals sending a perfectly legitimate looking email to staff or clients pretending to be from the firm.
Another layer would be to implement a cyber security policy within your firm by providing comprehensive staff training on the main cyber threats to create a cyber aware culture within your organisation. Staff who are well-trained and remain vigilant will be an asset to the business. Taking the time to have regular training sessions for all staff will be repaid as hackers fail to gain access.
As a conveyancer, do you have robust measures in place to safeguard your email system which identifies fraudulent email communications?
