Professional Indemnity Risk Alert: Email-Based Cyber Crime

Read the latest updates from our Partners at Marsh

In February 2021 we sent out a Risk Alert in relation to a recent rise in cyber crime targeted at law firms, specifically account takeover, identity fraud, and scams. Additionally, in Issue 3 of our Risk Dimensions Newsletter, we looked at recent cyber crime scenarios and what action law firms might take to mitigate risk.

Since our Risk Alert and Newsletter, law firms have continued to be the target of cyber criminals, with a growing number of recent attacks specifically focussing on email communications between law firms and their clients. Given the increased frequency and focus of these incidents, we are now issuing this second alert to encourage vigilance and help prevent further attacks.

Recent examples include: 

A law firm client’s email was hacked and the firm was induced to pay monies to a fraudulent bank account.

A firm’s emails were hacked and messages were intercepted.

Fraudulent bank details were sent to the client, inducing them to make a fund transfer of over £100,000. 

A fee earner’s email was hacked, and over 1,000 emails were sent from their email address, either requesting payment to a fraudster’s account, or attempting to initiate conversations with clients. Domain names were set up, closely matching a fee earners’ email addresses. Emails were sent to clients requesting funds to be transferred to a fraudster’s account. In one incident, over £500,000 was transferred.  

Immediate actions
Raise awareness: Share this note and the resources below with all employees in your firm so that everyone is aware of the ongoing risks.

Update policies: Whenever an email relating to the transfer of significant funds is sent to/received from a client, we advise the firm to contact the client by telephone or video call, using the original client details on file, to ensure that the requesting email has not been intercepted or modified. As a matter of practicality, firms need to consider the threshold amount of a transfer that they consider significant. 

Update retainer letters/email footers: We advise that when communicating with clients, firms should highlight that any requests for payment should always be verified by the client using the telephone details contained in the original retainer letter before ANY payment is made.  
Readiness: Consider and record the firms’ readiness to deal with these risks, and what plans and procedures are in place to minimise or recover from a cyber attack. When were these plans and procedures last reviewed/updated?

Check your insurance: Review your cover with your broker, particularly in relation to cover for theft and cyber incidents. 

Consider signing up to the National Cyber Security Service (NCSC): The NCSC is urging as many law firms as possible to sign up for its free early warning scheme, which warns of potential cyber attacks on your network. Learn more and sign-up.

In the event of an attack

Know your obligations: Certain cyber crime incidents involving personal data need to be reported to the Information Commissioner’s Office within 72 hours. Any cyber crime that has accessed people’s emails, led to a loss of client money, or is successful (even if any financial losses have been repaid) must be reported to the Solicitors Regulation Authority. 

Report to Action Fraud: 24/7 live cyber reporting for business 0300 123 2040.

Report to insurers: Contact your cyber and professional indemnity insurers as soon as possible. Some cyber insurers have strict notification requirements and cover can be prejudiced if these are not followed. It is important that you contact their helplines as soon as you are aware of an incident or potential incident. Their helplines are often available 24 hours a day.

Available resources on these issues include:Information and cyber security (Solicitors Regulation Authority)COVID-19: Cybersecurity Checklist for Remote Working (Marsh)Dreamvar: The Final Chapter? (Marsh)Hybrid Working: COVID-19 and the Rise of Cyber Fraud (QBE)Fraud Prevention Toolkit (QBE)Cyber Security: Top 12 Tips to Protect Against a Cyber Attack (Aviva)Cyber Security: Social Engineering (Aviva)Cyber Attacks on Solicitors Firms and Cyber Insurance – The SRA’s Thematic Review on Cyber Security (Beale & Co)Risk Dimensions  Newsletter Issues 4 – The effect of the pandemic on notifications and claims (Marsh)