The legal sector continues to be at the forefront of cyber-attacks from fraudsters attempting to access and extract both office and client money from a legal practice. Legal Abacus has recently focused on this issue from a variety of angles. Here Jason Mitchell looks at how cybercrime affects the role of the COFA…
The issue has been prevalent for some time and criminals have become more and more sophisticated in their techniques. This presents a very real threat to law firms, where there has been a notable increase in the number of funds misappropriated by such attacks.
If there are shortages in client or office money, reliance cannot always be placed on third parties to foot the bill. Banks or professional indemnity insurers, for example, have been taking a firmer stance within the legal sector.
COFAs play an important role within the firm and are responsible for implementing and maintaining suitable accounting systems and procedures to help safeguard client money and maintain sound financial and risk management principles. As a result, COFAs need to ensure systems are in place to prevent and detect the risk to both office and client funds from external cyber-attacks.
Any successful criminal extraction of client funds is a material issue and a risk to the practice: any shortages in client funds may need to be covered from the firm’s own funds. If such shortages are of a significant value or if office funds have been misappropriated in the first instance, there is clearly risk to the practice of a financial instability.
It is not only the immediate financial impact that is a risk to a practice: law firms also hold sensitive information, so any breach of data is covered by the Data Protection Act and can also risk the firms’ reputation
How are firms being targeted?
COFAs need to understand how their firms are being targeted so they can help implement systems necessary to prevent and detect cybercrime activity.
The two prevalent tools of cybercrime are bogus emails and telephone calls.
Untargeted attacks, such as phishing emails which pretend to be from a bank and ask the recipients to send across their bank details, have been around for some time. With just a little common sense these types of emails are quite easy to spot, as they are typically badly written, have formatting issues and are from suspicious email addresses.
A disturbing variety of this scam is when an email appears to be received directly from a client or colleague in the firm. It will contain very specific and accurate details of the underlying legal transaction - such as final funds being returned to the client, specific amounts involved, names of parties involved, etc - and will simply request funds are sent to their separate bank account.
These emails form a targeted attack and can be very convincing. You can see why such an email could be perceived as genuine.
The attack could also be a telephone call to the firm, supposedly from a client along the same lines – again, with very specific information.
Take another example. Several completions on conveyancing transactions are typically processed through a firm’s client account on Friday afternoons around 2.30 pm. A telephone call is received shortly thereafter, supposedly from the bank, with very specific details of the transaction. The caller states that the transactions have been stopped because the payments are suspected of being fraudulent. The caller then specifies that the funds can be released if they are proved to be genuine. The caller asks for sensitive information, such as a PIN, relating to the bank account.
In reality, the transactions were never being withheld in the first instance: the legal firm has been contacted to release sensitive information at a time where it is vulnerable because of the urgency to complete conveyancing transactions.
These are real examples of where legal practices have been tricked into providing bank details or sending funds to alternative accounts.
How do the criminals obtain this specific data for such a targeted attack? It’s generally because they obtain access by covertly hacking database systems and emails and even obtaining general information from social media websites.
A targeted attack is usually not actioned overnight: it involves building a long-term picture of the legal practice and its primary transactions. This is done by manipulating the firm’s email or accounting system, that of your clients or that of another legal firm acting for other parties in the underlying legal transaction.
It is then possible to pinpoint when law firms are vulnerable. These include periods when firms are under time pressure, noting when key individuals acting on behalf of the clients are away from the office on holiday, or are working part time etc.
Systems to aid prevention
With such sophisticated targeted attacks, it is certainly challenging for the COFA to implement and monitor accounting systems to aid prevention.
Normal IT infrastructure policies help safeguard access to the accounting systems: these include firewalls, malware software and having strong passwords which are updated frequently. It’s not uncommon for many legal firms to outsource these IT requirements to specialist providers to help safeguard client information, funds and data.
There should also be firm policies to restrict the use of data sticks, websites visited and home and out-of-office working practices.
One of the main ways the COFA can assist with cybercrime prevention is by educating the individuals in the legal practice and having a set framework of procedures about managing client and office monies.
The COFA can assist in ensuring all individuals in the law firm remain vigilant and apply professional scepticism on any instructions or requests involving withdrawing client money from the practice. It’s vital that specific bank account information and PINs should never be supplied over the telephone. A review to identify time-critical periods in the firm may assist to highlight when a practice may be most susceptible to such a targeted attack.
Examples of other practical safeguards include the following.
- The terms of business with the client should state that any funds will only be paid to them through a bank account nominated at the outset. Any request to pay funds to an alternative account will only be granted in exceptional circumstances and after all the necessary checks have been made.
- Any requests to send funds to an alternative bank account should be checked with the fee earner responsible or a principal in her or his absence. In particular, the clients should be contacted by telephone using their contact number on file to ensure the instructions did in fact come from them.
- If any telephone calls are received which require follow-up action, such as contacting the client or bank, it’s wise not to attempt the call immediately and to use a different line. Quite often fraudsters can remain on the line, leading you to believe you have called your client or bank to confirm the instructions.
- Only those individuals in the firm that require the information should hold specific details of the office and client bank account.
- In accordance with SRA Accounts Rule 21, the number of people authorised in the firm to withdraw from the firm’s client accounts should be stringently applied. The number of authorised people should limited to the minimum level required.
It is essential the procedures applicable to the firm are implemented, documented, communicated and followed by everyone in the legal firm.
Where cybercrime has been successful, it has often been because individuals have departed from the firm’s established procedures. This has had significant repercussions on any insurance cover.
Procedures should also be in place to deal with a suspected cybercrime attack on the practice. These include immediately notifying the relevant authorities, such as the bank, SRA, police, insurers etc.
Hopefully these notifications will never be required but clearly firms need to be well prepared and vigilant throughout.
First Published in Legal Abacus Jan/Feb 2016 Author: Jason Mitchell ACA, Legal Sector Specialist at Francis Clark LLP Chartered Accountants.