Cyber criminals caused “substantial losses” to 50 law firms this year, SRA says


SRA: email redirection scams a “real problem”

Cyber criminals have caused “substantial losses” to 50 law firms this year, ranging from £50,000 to £2m, the Solicitors Regulation Authority (SRA) has said.

Steve Wilmott, director of intelligence and investigations at the SRA, said a further 20 firms had fallen victim to e-mail redirection scams since Christmas, involving “very substantial” amounts of money.

Mr Wilmott said cyber criminals were becoming “very, very clever” and described how one firm, which lost over £2m, spent three hours on the phone with one of them.

Speaking at the SRA’s COLP and COFA conference in Birmingham this week, he said: “You may remember that in January this year many thousands of firms received e-mails purporting to be from the SRA, saying they were under investigation with a letter signed by me.

“Who would click and open it up? I would. They did and it was full of malware. They did that for four consecutive Mondays and then on the final Monday the criminals involved sent another e-mail, apparently from the Law Society.

“It said: ‘Hi, we represent you. We know you’ve been sent all these dodgy emails by the SRA. Click on this for advice.’ And that was full of malware.” This gave them access to the solicitors’ systems.

Mr Wilmott said the use of ‘ransomware’ – offering to unlock a virus in return for a sum of money – tended not to be reported by law firms.

He said ‘phishing’ e-mails sent to solicitors were usually quite sophisticated. “They will know a lot about you, because they will research you. They will look on social media sites, find out as much as they can about you and use that information.”

He went on: “A few months ago one of these criminals found out through social media that someone in finance liked dogs. Immediately the person felt comfortable and they talked about dogs. Next thing they were engaged in a fraud and they didn’t know it. So be very careful of what you put on social media.”

Mr Wilmott described e-mail redirections as a “real problem” and said the SRA had dealt with 20 such scams since Christmas involving “very substantial” amounts of money.

“You’re just about to send the proceeds from the sale of a house to another solicitor. Right at the last minute you get an e-mail from your corresponding solicitors saying that they’ve just changed their bank account. The solicitor sends the money to the account and it goes straight to the criminal.”

He said the worst e-mail redirection scams involved clients, where they are about to send a solicitor the deposit for a house.

“The client receives an e-mail from ABC solicitors saying ‘we’ve just a new bank account’. You send your deposit, your life savings, to the new account. It doesn’t go anywhere near the solicitor.”

On anti-money laundering (AML), Mr Wilmott said the SRA was investigating a “small number of substantial cases”. He said only two of three law firms were involved but the amounts of money involved were “quite serious”.

He said law firms were very reluctant to issue ‘suspicious activity reports’ (SARs), and accounted for only 1% of SARs issued last year – a total of 3,600, or one for every three firms.

Mr Wilmott warned that the Home Office would be launching another anti-money laundering campaign next month, targeting lawyers and accountants.

He added that the SRA had made AML visits to 270 firms this year and return visits to a further 20. Although 30% of money laundering officers were found to have had no training, it was a case of checking firms’ policies and procedures were up-to-date rather than taking regulatory action.

The increasing dangers of cyber crime were highlighted by the SRA in its Risk Outlook for 2015/16, published this summer.


    Readers Comments

  • Richard Bass says:

    A great article Nick, Pentesec are currently reaching out to legal firms around the UK to help them preempt these cyber threats. I will forward them your article as it underlines the risks all companies are facing in 2015, risks that are beatable. If you would like any information for additional security articles please get in touch as I’d be happy to help you.
