Posted by Julian Bryan, managing director of Legal Futures Associate Quill Pinpoint
The well-publicised Mishcon de Reya £1m fraud case, when its client was duped into buying a London property from a seller dishonestly posing as the owner, has sent ripples of alarm throughout the legal community.
Although conveyancers are an obvious target for the increasing threat of rogue house-owner and buyer deposit redirection fraud, it’s not just conveyancing practices that need to be on their guard. As a legal practice, you’re tempting prey for cyber criminals, not only because you hold large sums of money, but also vast volumes of valuable client information.
The number, variety and sophistication of cybercrimes grow daily, ranging from distributed denial of service attacks and phishing scams to hacking and ransomware. To qualify my argument, here are some recently quoted cybercrime statistics:
- The National Fraud Intelligence Bureau’s 2016 figures show 159 recorded losses of buyer deposits, an 85% year-on-year increase;
- The Office for National Statistics quotes 5.8m cybercrime incidents, which equated to 40% of all recorded criminal activity in 2016;
- Action Fraud estimates the cost of cybercrime at £193bn per year; and
- The government’s information security breaches survey revealed that 81% of large organisations have experienced a security breach, with the cost per company being, on average, between £600,000 and £1.5m.
And this is only the tip of the iceberg. Under-reporting is a big issue. Many cybercrimes go unreported for fear of criticism and disciplinary action. You have a professional responsibility, enforceable by industry regulators, to identify, contain and remediate breaches, cyberattacks included.
Aside from your regulatory obligations, you face new pressures from indemnity insurers who want to see plans in place to thwart criminals when renewing policies and setting premium rates. There’s a plausible case for a separate cyber insurance policy, over and above professional indemnity insurance, to address the risks posed by cyber-criminals and assist the recovery of any losses incurred.
And that’s not forgetting your other compliance responsibilities: the Data Protection Act 1998, Money Laundering Regulations 2007, Proceeds of Crime Act 2002, Terrorism Act 2000 and new EU General Data Protection Regulation applicable from May 2018 to name a few.
The stakes are high but there’s much you can do to mitigate risk by creating a robust, reliable and secure cyber environment. See our Desktop security: 10 top tips article for more in-depth advice on how best to manage risks within your IT infrastructure.
Because cyber-security is such a serious business risk, we’re extending our earlier guidance here with some top tips on combatting fraud so that you can take proactive steps to tighten your defences:
Beware of outside-of-the-norm behaviour and requests for monies
According to the Solicitors Regulation Authority (SRA), 75% of cybercrime reports are so-called ‘Friday afternoon frauds’. These cases involve criminals intercepting and altering emails sent between two parties (solicitor and client), mostly to change bank details in order to redirect funds.
If you’re suspicious, raise queries, several times if needs be, and ideally via a known telephone number. As part of this, you could set up a dummy run with a £1 transfer. Once receipt’s been confirmed, you’re ready for the real McCoy. If it turns out to be completely legitimate, those concerned will appreciate your stringent questioning and testing.
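As an added illustration (not code from the original article or from Quill Pinpoint), here is how a cashiering system could enforce the checks above before releasing a change of bank details: a change that arrives by email, or on a Friday afternoon, is flagged, and nothing is approved until a callback to the number held on file and a £1 test transfer have both been confirmed. The record fields, the 12:00 cut-off and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class Payee:
    """Bank details and contact number as captured at client intake (constructed)."""
    name: str
    sort_code: str
    account: str
    phone_on_file: str  # the number recorded at intake, never one quoted in a later email


@dataclass
class ChangeRequest:
    """A request to pay into different bank details, plus the out-of-band checks done so far."""
    payee: Payee
    new_sort_code: str
    new_account: str
    channel: str                 # how the request arrived: "email", "phone" or "in_person"
    received: date
    callback_confirmed: bool = False       # confirmed by calling payee.phone_on_file
    test_transfer_confirmed: bool = False  # £1 dummy run acknowledged by the payee


def is_friday_afternoon(d: date, hour: int) -> bool:
    """Assumed risk window: Friday (weekday 4) from 12:00 onwards."""
    return d.weekday() == 4 and hour >= 12


def assess_change(req: ChangeRequest, hour: int) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Unchanged details pass; changed details pass only
    once the callback and the £1 test transfer have both been confirmed."""
    if (req.new_sort_code, req.new_account) == (req.payee.sort_code, req.payee.account):
        return True, []
    reasons: List[str] = []
    if req.channel == "email":
        reasons.append("bank details changed by email: treat as suspected redirection")
    if is_friday_afternoon(req.received, hour):
        reasons.append("received on a Friday afternoon: hold until all checks complete")
    if not req.callback_confirmed:
        reasons.append("outstanding: callback to the telephone number on file")
    if not req.test_transfer_confirmed:
        reasons.append("outstanding: £1 test transfer acknowledged by the payee")
    approved = req.callback_confirmed and req.test_transfer_confirmed
    return approved, reasons
```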
Review your new client intake procedures
When new clients instruct your firm for their legal matters, what checks do you carry out on them? A cursory glance at someone’s passport, driving licence or utility bills is no longer fit for purpose. Seek out as much detail as possible on both identity and credit history so that you’re confident your clients are who they say they are, have the means to pay for your services and that your hard-earned profits aren’t ending up in the greedy hands of racketeers.
Also, tell clients upfront – both face-to-face and within your client-care documentation – that you’ll never ask them to send money to a different account than that already provided. That way, they can be on the lookout too and immediately contact you should they receive any communications of this nature.
Define your client-money handling processes
Following on from above, money is of course the biggest incentive and the SRA’s referred to £7m of client money being lost to cybercrime in the last year. With the SRA Accounts Rules at the forefront of your mind, make a clear distinction between client and office monies, assign duties to your cashiering team members, designate reporting lines and outline timescales throughout.
For example, you may specify that only appointed staff should transfer money and make it a habit to take deposits as late as practicable so there’s less money on account at any given time. As well as giving your clients a higher level of service, you’ll lessen the risk of financial theft.
Create disaster recovery and business continuity plans
To form an adequate series of responses to unexpected emergencies, attempted crime amongst them, produce carefully written disaster recovery and business continuity plans.
These will contain information on the types of crises which could befall you, how you should act if they do, roles of primary staff members, phases of recovery, emergency contact numbers, anticipated outcomes and records of test or genuine disaster situations.
The ultimate objective is to put your firm in the strongest position to deal with critical incidents with minimum disruption to the running of your business.
This is yet another area we’ve written about extensively.
Develop a risk management policy and monitor activity
Prevention is always better than cure, so set out your preventative and detective measures within a risk management policy. These may range from IT-based solutions such as SSL encryption and anti-virus software to physical security devices such as CCTV surveillance and burglar alarms. Your policy will address how to classify, deal with and communicate risks.
Analyse your business closely for signs of unusual activity that could indicate the beginnings of an attack. The sooner you’re able to counteract possible violations and stop criminals in their tracks, the better.
Report every failed and successful attack
There’s an onus on you to do so, and the legal profession can only clamp down on cybercrime if we truly know the extent of unlawful activity and methodologies employed. With more two-way conversations, trends can be recognised, scams identified at an earlier stage, alarms raised to others and appropriate responses carried out.
Notify the SRA, Action Fraud, Information Commissioner’s Office and/or your insurers.
Consider your employees’ role in your business and engage your workforce in best-practice risk management
Restrict certain tasks in your business, for example software installation, to assigned personnel. Small steps such as these can go a long way to minimising exposure to risk. One weak link is all it takes to open your business to intrusion.
Similarly, if you employ home and remote workers, you’ll want to restrain use of unapproved devices and removable media, both of which carry their own security risks and can expose your entire network to vulnerabilities. Set up some safe parameters for your staff to adhere to, then educate your personnel in IT best practice.
Evaluate your IT systems and suppliers
We’ve already briefly mentioned the importance of running the latest operating systems, performing automated back-ups, installing firewalls, and using dedicated anti-virus and anti-spyware software for protection against hackers.
There’s readily available software to reduce risk even more. Anti-money laundering checks, credit screens, conflict of interest searches, proof of identity document capture and breach warnings will preserve your matters and their associated finances.
Or, you can go a step further and enlist extra back-office services, such as fully outsourced cashiering and payroll. Your outsourcing provider’s keen attention to detail will immediately highlight anomalies and alert you to dubious goings-on.
Remember the SRA Code of Conduct here. Ensure outsourcing agreements – be it for cloud software or outsourced services – allow you to comply with your client protection duties. And ask about ISO certifications for reassurance that your supplier conforms to international security standards.