The impersonation of lawyers to commit advance fee frauds has been added to the list of large-scale cyber-attacks from which the government’s National Cyber Security Centre (NCSC) is trying to protect the public, it has emerged.
The news comes as law firms have been taking action to take ownership of spurious versions of their domain names from people who were using them to try and defraud recipients.
The NCSC runs the active cyber defence (ACD) programme, which seeks to reduce the harm from what it calls “commodity cyber-attacks” against the UK.
Its aim is to “protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber-attacks the majority of the time”.
Other NCSC work seeks to disrupt targeted attacks from “very sophisticated actors”.
A report on the second year of the ACD programme, published yesterday, said it has added lawyer impersonation to its work.
“Impersonation of the legal system is used as a common lure in advance fee fraud attacks,” said the report, written by NCSC technical director Ian Levy.
“Both bogus law firms, and impersonation of legitimate law firms, are techniques used by fraudsters in an attempt to increase the credibility of their attacks.
“Increasingly, we’re seeing scammers use real law firms and other entities to try to make their attacks look more legitimate.
“If someone is partially hooked by an email, searching for the law firm or other entities in the mail and finding they’re real is probably enough to push them over the edge.”
Cyber-crime disruption company Netcraft runs a takedown service on behalf of the NCSC, and the report said that last year it began targeting these kinds of attacks.
Mr Levy explained: “Specifically, we started performing takedowns against fraudster email addresses being used in advance fee fraud attacks that target UK citizens by using terminology specific to the UK legal system such as barrister, solicitor, Queen’s Counsel, and common chambers used by barristers.”
Every month since has seen Netcraft conduct at least 200 takedowns, and nearly 800 in April 2018.
He added: “We don’t really have enough data to make any firm conclusions about UK legal system attacks yet, although it’s interesting that we’re seeing a few hundred attacks a month of this flavour. Hopefully we’ll be able to say something more concrete next year.”
The report said the NCSC neither sought nor claimed to thwart every possible attack against the UK.
“In broad terms, we intend to raise the cost and risk of mounting commodity cyber-attacks against the UK, thereby reducing the return on investment for the criminals…
“Cyber-crime really does run on a return on investment model and if we can affect that, we can demotivate attackers from targeting the UK. ACD services are relatively simple, but run at large scale. This seems to have the right sort of effect.”
Meanwhile, top City practice Linklaters has used the World Intellectual Property Organisation’s (WIPO) dispute resolution procedure to take over the domain name ‘liinklaters.com’ from a man based in New York, and ‘linklatersllp.com’ from a company in Chicago.
The WIPO panels recorded that, while the domain names had not been pointed to active websites, they appeared to have been used to send “fraudulent email communications” pretending that the sender was a Linklaters employee.
In one of the cases, the email offered job opportunities, but was actually aimed at obtaining users’ personal and financial information.
The Solicitors Regulation Authority (SRA) has had to issue five ‘scam alerts’ since last December about the misuse of Linklaters name, including the emails from ‘liinklaters.com’.
London firm Lewis Silkin similarly succeeded at WIPO earlier this year in claiming the domain name ‘lewissllkin.com’, which had been registered by a man in Germany.
The panel said: “According to the complaint and unrefuted by the respondent, prior to the present proceeding, the respondent was using the disputed domain name in connection with email communications for phishing and other fraudulent purposes including an attempt to divert funds meant for the complainant to a third party bank account.
“According to the evidence provided in the complaint, the respondent has used the disputed domain name to send fraudulent electronic mail communications, designed to appear as they were from the complainant by impersonating individuals from the complainant’s firm and using content that forms part of intercepted electronic mail correspondence between the complainant and its clients.”
Linklaters has also recently used the dispute resolution service offered by Nominet – which runs the .UK domain name registry – to claim ownership of the web address ‘linklatersllp.co.uk’, another subject of an SRA alert.
According to the alert, the email enclosed a supposed notification of bank account details for invoice payments.
The domain name had been registered by ‘cdlp’ – it is not clear what this is – at a physical address in Luton that is home to a florist’s shop.
As at WIPO, Linklaters was able to take ownership of the address through Nominet’s summary procedure as cdlp did not respond to its complaint.
The independent expert appointed by Nominet said the solicitors had shown that the domain name was an abusive registration.
Central London law firm Russells went through the same process recently to claim ownership of russells-solicitors.co.uk, which had been registered by a man in New York, as did Stockport firm O’Neill Patient, after a firm of VAT advisers in Hampshire registered oneillpatlent.co.uk.
The SRA continues to push out a large number of scam alerts – there have been 15 just this month, with top City firm Herbert Smith Freehills among the victims.