Cyber criminals have caused “substantial losses” to 50 law firms this year, ranging from £50,000 to £2m, the Solicitors Regulation Authority (SRA) has said.
Steve Wilmott, director of intelligence and investigations at the SRA, said a further 20 firms had fallen victim to e-mail redirection scams since Christmas, involving “very substantial” amounts of money.
Mr Wilmott said cyber criminals were becoming “very, very clever” and described how one firm, which lost over £2m, spent three hours on the phone with one of them.
Speaking at the SRA’s COLP and COFA conference in Birmingham this week, he said: “You may remember that in January this year many thousands of firms received e-mails purporting to be from the SRA, saying they were under investigation with a letter signed by me.
“Who would click and open it up? I would. They did and it was full of malware. They did that for four consecutive Mondays and then on the final Monday the criminals involved sent another e-mail, apparently from the Law Society.
“It said: ‘Hi, we represent you. We know you’ve been sent all these dodgy emails by the SRA. Click on this for advice.’ And that was full of malware.” This gave them access to the solicitors’ systems.
Mr Wilmott said the use of ‘ransomware’ – offering to unlock a virus in return for a sum of money – tended not to be reported by law firms.
He said ‘phishing’ e-mails sent to solicitors were usually quite sophisticated. “They will know a lot about you, because they will research you. They will look on social media sites, find out as much as they can about you and use that information.”
He went on: “A few months ago one of these criminals found out through social media that someone in finance liked dogs. Immediately the person felt comfortable and they talked about dogs. Next thing they were engaged in a fraud and they didn’t know it. So be very careful of what you put on social media.”
Mr Wilmott described e-mail redirections as a “real problem” and said the SRA had dealt with 20 such scams since Christmas involving “very substantial” amounts of money.
“You’re just about to send the proceeds from the sale of a house to another solicitor. Right at the last minute you get an e-mail from your corresponding solicitors saying that they’ve just changed their bank account. The solicitor sends the money to the account and it goes straight to the criminal.”
He said the worst e-mail redirection scams involved clients who were about to send a solicitor the deposit for a house.
“The client receives an e-mail from ABC solicitors saying ‘we’ve just a new bank account’. You send your deposit, your life savings, to the new account. It doesn’t go anywhere near the solicitor.”
On anti-money laundering (AML), Mr Wilmott said the SRA was investigating a “small number of substantial cases”. He said only two of three law firms were involved but the amounts of money involved were “quite serious”.
He said law firms were very reluctant to issue ‘suspicious activity reports’ (SARs), and accounted for only 1% of SARs issued last year – a total of 3,600, or one for every three firms.
Mr Wilmott warned that the Home Office would be launching another anti-money laundering campaign next month, targeting lawyers and accountants.
He added that the SRA had made AML visits to 270 firms this year and return visits to a further 20. Although 30% of money laundering officers were found to have had no training, it was a case of checking firms’ policies and procedures were up-to-date rather than taking regulatory action.
The increasing dangers of cyber crime were highlighted by the SRA in its Risk Outlook for 2015/16, published this summer.