By Legal Futures’ Associate The Cashroom
Recently, the National Cyber Security Centre (NCSC) delved into the cyber threats persistently bombarding the legal sector. The report suggested that throughout 2016/17, £11 million was lost to cyber criminals. Unfortunately, since this point the sophistication of hackers has only increased with their approaches becoming more intrusive and convincing.
Phishing attempts are overwhelming the sector, impersonation fraud through spoofed emails and copycat websites has increased exponentially and data breaches are a constant battle.
Whilst firms aim to protect their data and the sensitive information they hold on clients, it is clear that cyber hygiene protocols need to improve, clear systems need embedding and further staff training is crucial to secure a holistic cyber secure culture in most law firms.
Phishing, the Proliferation of Impersonation Tactics and Social Engineering Methods
According to Action Fraud, 84,624 authorised push payment (APP) fraud attempts were made on British businesses and consumers in 2018 alone. This represents a 93% increase on the 43,875 APP attempts made a year earlier. APP involves cyber criminals using social engineering tactics, sophisticated spoofing attempts and imitation techniques to persuade consumers to part with their sensitive details and money.
The total loss for 2018 highlighted the extent of the issue with more than £364 million being stolen as fraudsters used convincing social engineering methods to fool unsuspecting members of the public and law firm employees.
Of this total amount, malicious redirection fraud, where a consumer is persuaded to redirect a payment to a cyber criminal, cost the UK £123.7 million last year. Over 9,000 people lost an average of £13,666 to this fraud in 2018, with reports suggesting we are far from reaching a peak.
According to the ‘Cost of Crime’ report, completed by Detrica in partnership with the Office of Cyber Security Assurance in the Cabinet Office, phishing attempts cost the UK £27 billion per year.
Recent research by Sophos indicated that 2 out of 3 UK organisations have fallen victim to cyber criminals in the last two years, with 1 in 10 experiencing more than four attacks during this time.
Between the start of March and the end of July, the Solicitors Regulation Authority (SRA) has already released 137 serious scam alerts. Complaints vary from email fraud and website impersonation to older scams like letter, telephone and fax fraud.
However, the theme is clear – scammers are looking to convince the consumer that they represent the law firm and need the consumer to share their precious details.
‘The State of Email Security’ report, completed by Mimecast, found that 94% of global IT decision-makers had been significantly affected by impersonation attacks, with many reporting a severe impact on their business.
Over a fifth (21%) of respondents had suffered financial losses at the hands of impersonation phishing attempts, with 20% adamant they have lost customers and suffered reputational damage because of successful phishing attacks.
Despite the rise of impersonation fraud, spoofing and email fraud, law firms remain slow to embrace defences. In 2017, the National Cyber Security Centre advised all UK businesses to ensure they were protected from email spoofing by adopting Domain-based Message Authentication, Reporting & Conformance (DMARC).
Unfortunately, in 2017, security specialists Red Sift found that only one top 100 law firm had set its DMARC policy to the full ‘reject’ level. This means that every other law firm, including those that had published a DMARC record with a weaker policy, remained susceptible to exact spoofing of its email domain, making potential fraud attempts look that much more convincing.
Although this number had risen to 11 law firms in 2019, too many remain vulnerable to spoofing. When 6.4 billion spoofed emails are sent daily, failing to protect the domain could leave employees, clients and the law firm exposed to a convincing and successful phishing attack.
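The distinction above matters because a DMARC record only blocks spoofed mail when its policy tag is set to reject (and the subdomain policy and percentage do not water it down). The following script, an added example that is not part of the article or of Red Sift's tooling, parses a DMARC TXT record and lists the gaps a spoofer would still have; the sample records and example.com addresses are constructed for illustration.

```python
"""Assess whether a DMARC TXT record actually protects a domain from spoofing.

Added example, not from the original article. The records below are
constructed (example.com placeholders), not any real firm's DNS data.
"""

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> dict:
    """Return the effective policy plus a list of weaknesses that leave spoofing possible."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": "none", "subdomain_policy": "none", "pct": 0,
                "findings": ["not a valid DMARC record; receivers treat the domain as unprotected"]}
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp inherits p when absent
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 100
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail from the organisational domain is not rejected")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: spoofed mail from subdomains is not rejected")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing attempts go unseen")
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct, "findings": findings}

# Constructed sample records covering the three states the article contrasts
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "full-reject": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "PROTECTED" if not result["findings"] else "AT RISK"
        print(f"{name:12} {status}: {'; '.join(result['findings']) or 'full reject policy in place'}")
```

In practice the TXT record would be fetched from `_dmarc.<domain>` via DNS; the parser is the same.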
Security Breaches and the UK’s Response
Whilst the frequency and sophistication of these attacks rise, cyber security defences seem to move at a noticeably slower pace than is needed.
2018 data suggests that cyber criminals are outspending UK businesses by 10 to 1, with the annual spend of £96 billion a drop in the ocean when compared to the investment made by unscrupulous criminals.
Overall, ‘The UK Threat Report’ discovered 92% of UK businesses had suffered a data breach at an average of 4.65 per organisation. 40% admitted that they had been breached more than five times during this time.
Despite 82% of UK organisations experiencing an increase in cyber crime during 2018, UK organisations are still unprepared for the fight with many firms continually displaying poor cyber hygiene.
The report emphasised that 63% of firms were increasing their cyber security budget by between 11% and 30%, but this alone is not enough.
According to the Hiscox ‘Cyber Readiness’ Report 2019, the UK had the lowest average IT budget and the lowest average cyber security expenditure when compared with the world’s most powerful economies.
39% of respondents were set to complete employee security training, up from 34% in 2018, while investment in new security technology dropped by 7% from 57% in 2018. The report also found that too few firms appoint a clear cyber security lead. Law firms will need to improve their processes if they are to reduce the threat in the future.
Here at The Cashroom, our qualified and experienced team can help to put your mind at ease by explaining the processes we have in place to protect the data you provide us with, enabling you and your clients to feel in control of your data. We have Cyber Essentials Plus accreditation, highly trained staff and processes designed to minimise risk. Our clients communicate with us via our Cashroom Portal. This is a secure communication tool which means we have been able to largely remove email traffic from our processes, avoiding a key area of vulnerability.