The UK lockdown has seen the legal profession come under increasing attack from cyber criminals who already had the sector on their list of top targets.
Both the Solicitors Regulation Authority (SRA) and the National Cyber Security Centre (NCSC) have issued warnings and urged law firms to be more vigilant than ever.
The SRA issued many scam alerts in the earlier days of lockdown, with a high proportion relating to email or website impersonation. As Paul Philip, chief executive of the SRA, says, “Cybercrime is a priority risk for the legal sector and it is not going away during the Covid-19 pandemic.” Adding its weight to the warning, the Law Society has highlighted that cybercrime is a growing risk for its members, “partly because of the sensitive data and significant monies held.”
The situation should be cause for alarm. A June 2019 cyber survey of legal firms found three-quarters of those studied were not cyber ready. Although a Law Society online poll had found that eight-in-ten legal practices had been subjected to at least one phishing attack in the previous 12 months, seemingly little action had been taken to address the situation.
One lockdown cyber scam has seen a law firm asked to set up a monthly standing order of £4000, according to the SRA. By the end of April 2020, 2000 Covid-19 related online scams had been tackled by the NCSC during lockdown, with sites removed including 555 malware distribution sites and 200 phishing sites.
In October 2019, the SRA Conference reported on a review of 40 law firms targeted in the past three years by cyber criminals. It was revealed that during this timeframe, £4m of client money had been stolen from just 23 of the 40 reviewed and the practice’s own money had been required to cover the losses to clients in 18 cases. Incredibly, there had been over 600 attacks on two of the firms studied during the 36 months under review.
About 50 per cent of attacks on law firms involve email modifications, and conveyancing transactions are popular targets. The cyber criminals pretend to be a legitimate party in the transaction and can be handsomely rewarded. One scammer managed to get £400,000 transferred to them by the law firm they had targeted. The firm thankfully had cyber insurance but was still required to pay the £5000 excess on the policy, plus a compensation payment of £900 to the client. The SRA highlights the need to stay alert, as email modification “relies on our complacency and trust.”
It is all too easy to click on a malware link, as a conveyancing firm employee discovered. That employee’s simple error of judgement led to the law firm suffering ransomware encryption and having to close for two weeks. The loss in revenue that resulted totalled £150,000 whilst £60,000 of attack costs were incurred, as the firm restored its operations.
The danger appears to be increasing. Cyber criminals are now mimicking the voices of legitimate personnel within firms, using Artificial Intelligence software, according to the SRA. Cyber insurance is becoming a priority for businesses of all sizes because, as small businesses often fail to appreciate, attacking their systems on many occasions allows criminals to gain access to those of bigger targets.
Cyber criminals are doing well for themselves during the pandemic, thriving in an environment in which employees can be less guarded and are distracted by other things. If you recognise the risk that cybercrime poses to your business and need expert insurance advice, please get in touch.
Each applicable policy of insurance must be reviewed to determine the extent, if any, of coverage for COVID-19. Coverage may vary depending on the jurisdiction and circumstances. COVID-19 is a rapidly evolving situation and changes are occurring frequently. The information given in this publication is believed to be accurate at the date of publication shown at the top of this document. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date.