Gone Phishing – an overview of the SRA's scam alerts
by David Burrows of Lawyer Checker
In January 2015 we saw 6 scam alerts, which consisted of 3 letter-based scams, 2 email-based scams, and correspondence using the name Elizabeth Wendy Wilkinson.
Fast-forward to January 2016 and the scam alerts are on the rise, having increased to 11 for the month, with a clear prevalence in one particular area. 8 email-based scams have been brought to light, 1 letter-based, 1 using a fraudulent website, and another using a social media advertisement. The alerts have nearly doubled since 2015 and it appears email-based scams are in the ascendancy.
It is clear that no matter how strong your network, the weak link will always be an employee within the firm. Any one of these users has the ability to unknowingly let a hacker into the system and cause potential devastation. A recent survey carried out by LexisNexis reported that law firms rely on email more than any other form of communication to collaborate with clients and third parties on privileged information. Worryingly, only 22% (of the sub-100 law firms) reported using email encryption.
Zain Javed, Technical Director at Xyone Cyber Security said:
“The most common form of attack comes in the form of ‘Phishing’, which is the fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact, most often via email. In the two years up to 2015, reported losses doubled to nearly $1bn (£675m).
“Scam emails often arrive in the form of a generic template and we are surprised how many people still fall for them. Information gained from an employee’s personal social media account, company website, job boards and other publicly available information can enable attackers to gain a victim’s trust in order to get them to click on a link or download an attachment. They might even ask the victim to reply back, after which they will be engaged in an exchange of messages to elicit confidential information.
“It is crucial for employers and employees to be aware of all the risks, which our free awareness training can offer. This includes how to identify these types of emails, as well as what to do if a staff member has inadvertently already engaged with an attacker.”
Mark Sundin, Hosting Specialist at e-know.net said:
“PwC’s Global State of Information Security Survey 2016 finds that security incidents increased by 38% in 2015 compared to the year before and that employees are cited as the primary source of compromise. While these findings are alarming, they are not overly surprising given the frequency of human error. What is also interesting is that security incidents attributed to business partners have also increased by 22%, making a holistic approach to email encryption and messaging security more important than ever.
“One of the major talking points in 2015 was information security and what law firms need to know in order to manage risk and ensure proper compliance. Email is a great example of a tool we take for granted but are unaware of the pitfalls and potential liability when communicating with customers. Despite the concerns raised by the SRA and ICO, unencrypted email is still the most used means of collaboration. Law firms practising conveyancing are a key link between home owners or buyers and finance providers, with a great deal of communication taking place over email. Personal information, banking details, and other sensitive information is being transferred between the firm and personal email addresses without protection of any kind. This is leaving the correspondence open to scamming, targeted phishing attacks or other forms of theft.”
Hackers are becoming increasingly sophisticated, and their tools ever shrewder at exploiting the simple deficiencies in an organisation’s security that leave it exposed. Complete peace of mind is hard to deliver, and awareness of the ongoing issues that could affect, and have affected, law firms in the past is no longer enough on its own. Firms need a solid plan of action to improve their cyber security policies.