Law firms advised to upgrade email providers 

Lawyers have been urged to stop using web-based email such as Yahoo, AOL and Hotmail. That’s the latest advice from the Legal Ombudsman (LeO). According to LeO, firms must invest in more secure corporate email solutions if they want to avoid becoming a victim of cybercrime.  

Furthermore, should a complaint be brought against a firm by a client following a cyberattack, LeO would look unfavourably on any business still using web email. 

The recommendation forms part of wider advice which sets out what LeO expects from service providers.  

As a very minimum this includes:  

  • Keeping browsers, servers, operating systems, anti-virus software, malware protection and firewalls up to date  
  • Making sure all devices are encrypted and require a password when switched on 
  • Ensuring staff use a suitably complex PIN or password and that they change their passwords if a firm suspects systems have been compromised 
  • Making sure staff are trained to recognise scams and unsolicited emails 
  • Creating a security-focused culture  
  • Considering ways to mitigate the risk of using removable media 
  • Investing in a corporate email solution  
  • Warning clients about cybercrime.  

The guidance also includes a case study which highlights how a firm’s email was hacked resulting in a client sending a deposit for a house to a fraudster’s account. In this instance, despite the email provider confirming that its account had been hacked two month’s previously, and its users’ details compromised, the firm had failed to take any steps to protect against the increased risk. The firm also failed to warn clients about the dangers of cybercrime at any point. Furthermore, the firm’s bank details were not included in its client care letter, and the client had to email to ask for them. 

Due to a complete lack of cybersecurity measures, the firm was ordered to reimburse the client’s lost deposit, as well as the costs he incurred in having to abandon the purchase. 

Commenting on the responsibilities of law firms, the LeO guidance states:  

“Cybercrime is now one of the most prevalent types of crime in the UK and because of the amount of money and sensitive information you handle, lawyers are an obvious target.  

“In the last year there has been an increase in the number of complaints we have received where money or data has been lost to cybercrime. The most common example we see relates to modified email fraud where the criminal impersonates the lawyer and asks the client to send their house deposit to another bank account.  

“While being the victim of an attack will not in itself mean your service has not been reasonable, we have directed a number of lawyers to reimburse clients for losses they have incurred where the lawyer failed to take reasonable steps to protect themselves and their clients from the risks, and/or where they have not taken appropriate steps after being informed of an attack.” 

The best way to prevent email scams causing damage to your law firm is to ensure these threats never reach your inboxes. For example, DMARC technology stamps out email fraud by actively blocking phishing attacks and preventing third-parties from impersonating an email domain. Designed specifically for the legal profession OnDMARC from Lawyer Checker protects staff and clients from receiving and falling victim to email modification fraud. 

 You can read the LeO advice in full here