Lloyds Say Legal Sector Most At Risk Of Business Email Compromise
Data recently published by Lloyds Bank suggests that email impersonation fraud is up 58% from the previous year and that those working in Law Firms are most at risk.
Of all successful attacks of this kind last year, close to 20% of victims were Law Firms. Next most at risk were HR firms, IT workers and finance companies. Its also reported that one in five victims had to make redundancies as a direct impact of the financial losses suffered from the attack.
What does email impersonation fraud look like?
Email impersonation fraud can take many different forms
- Phishing- This is the most simple way for attackers to cause a breech. They will often target large numbers of users or law firm clients in the hope that just one person will fall victim and give the information that they need. They will often use similar domain names that are hard for busy staff or clients to spot; often changing a single letter from a legitimate firm’s genuine domain. Eg [email protected] to [email protected] The attacker might suggest that you should send payments to a different account or divulge details of a sensitive transaction. Some of these emails might also appear as notifications from well-known and trusted communication tools such as Dropbox, Microsoft SharePoint etc in an attempt to get the user or client to log into a fake site to gain their credentials.
- Interception- Criminals can intercept legitimate emails and make small changes to them such as changing an account number on an invoice. These types of attacks are very difficult, if not impossible to spot because they are contained within a legitimate email thread.
- Spoofing- again difficult to spot, Criminals can, in essence, ‘highjack’ a law firm’s legitimate unprotected domain and impersonate a member of staff, usually a managing partner, and use this authority to make requests of unsuspecting staff or clients. The vast majority of UK law firms do not protect their domains from this kind of attack. Requests may be sent to the account department to transfer a large sum of money or a fake invoice sent to the client for immediate payment to a bank account owned by the attacker.
Is there anything law firms can do.
Whilst there is no silver bullet to protect a firm from these kinds of attack, there are a number of simple and inexpensive things that firms can do to dramatically lessen the risk of these types of attack from being successful.
- All firms should implement DMARC on their Domains. This is a security protocol developed collaboratively by some huge names such as Microsoft, Yahoo and Paypal. It can be complex but there are some really cost effective tools out there such as this one https://www.lawyerchecker.co.uk/ondmarc which can make it much simpler for a relatively small cost. Firms should be very wary about communicating via email or any other service that provides notifications by email with a firm that has not implemented DMARC on its domain.
- Where money is being transferred from the firm to a client, firms can verify the identity of their client by performing a Consumer Bank Account Checker search to verify the details.
- Staff training is essential. Firms need to adopt a no blame culture to encourage staff to report successful phishing attempts. This helps to minimise any impact of compromise. Staff should be educated about the dangers of phishing, trained how to spot phishing attempts and how to react if they make a mistake.
- Gain Cyber Essentials Certification- Cyber Essentials is a scheme backed by the government for Law firms and other businesses to be able to certify that their basic arrangements that protect from most cyber-attacks are sufficient. It’s a relatively quick and painless process and can provide the assurances to other firms that you’re safe to do business with. Again, law firms should be very wary of dealing with other firms or suppliers that do not have Cyber Essentials in place.