Sophisticated Law Firm Email Domain Impersonation Fraud Concerning

A plethora of email scams using legitimate law firm details have been increasing in recent months.

In September alone, the Solicitors Regulation Authority (SRA) has issued three separate and sophisticated fraudulent emails using the details of SRA regulated firms and solicitors.

The fake emails are an excellent example of the sophisticated social engineering tactics employed by cyber criminals attempting to successfully commit impersonation fraud.

Earlier this month, a member of the public informed the SRA of false emails misusing the name ‘Doyle Clayton and Associates’ and ‘Doyle Clayton Solicitors.’

The attempted release of funds scam also used the details of legitimate firm partner, Daren Clayton. The email requested the recipient make a payment of £850 to the law firm and barrister in order to pay for ‘law firm consultation/mobilization/notarization fees,’ using the email domain ‘law@doyleclaystonfirms.com.’

The actual firm, Doyle Clayton Solicitors Limited, operate using the domain ‘doyleclayton.co.uk.’

On September 10th, the SRA alerted their members of two further scam alerts concerning the misuse of emails.

In particular, an email pertaining to belong to Howard Kennedy LLP attempted to provide false bank details to unsuspecting clients.

The fake email used both a genuine SRA regulated firm and legitimate employee of the firm. The email used the fake domain ‘eva.holford@howardkennnedy.com’ sneaking in an additional ‘n’ to avoid detection.

Howard Kennedy LLP’s actual domain ‘@howardkennedy.com’ is almost too similar to differentiate from the fraudulent.

The content of the message informed recipients that the firm’s bank account ‘is on hold’ and that payments should be diverted into an alternative account. An attachment pdf containing the updated bank details was provided for clients.

Email malicious redirection fraud was a lucrative tool in the criminal underworld last year accruing £123.7 million from UK account holders in 2018 alone, according to a UK Finance report.

Of the 7,544 malicious redirection scams completed, over 9,000 payments were made with an average individual loss of £20,750. These statistics highlight the importance of ensuring the people you are communicating with are legitimate.

Email fraud in general continues to be the most frequently used by attackers which is why it is perceived as the most dangerous threat.

According to a recent survey, conducted by Dimensional Research and Barracuda Networks, over 600 IT professionals cited phishing as their top threat.

82% of respondents’ organisations had been sent at least one email threat in the past year. 93% were anxious about business email compromise (BEC) with 79% concerned about insider threats and hijacking attacks launched through malicious emails slipping through the cyber security net.

In addition to the obvious financial and reputational threats caused by a breach, 78% admitted that reduced productivity as resources and time are spent on rectifying the attack are a huge business concern. Additionally, 36% found business disruption and digital downtime a costly byproduct of a successful breach.

How secure is your firm’s email security? Are you worried by the technological and human vulnerabilities exposed through email fraud?