Professional Indemnity Risk Alert: Email-Based Cyber Crime
In February 2021 we sent out a Risk Alert in relation to a recent rise in cyber crime targeted at law firms, specifically account takeover, identity fraud, and scams.
Since our Risk Alert and Newsletter, law firms have continued to be the target of cyber criminals, with a growing number of recent attacks specifically focussing on email communications between law firms and their clients. Given the increased frequency and focus of these incidents, we are now issuing this second alert to encourage vigilance and help prevent further attacks.
Recent examples include:
• A law firm client’s email was hacked and the firm was induced to pay monies to a fraudulent bank account.
• A firm’s emails were hacked and messages were intercepted. Fraudulent bank details were sent to the client, inducing them to make a fund transfer of over £100,000.
• A fee earner’s email was hacked, and over 1,000 emails were sent from their email address, either requesting payment to a fraudster’s account or attempting to initiate conversations with clients.
• Domain names were set up that closely matched a fee earner’s email address. Emails were sent to clients requesting that funds be transferred to a fraudster’s account. In one incident, over £500,000 was transferred.
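The last example above relies on a domain that looks like the firm's own. One defensive control a firm's IT team can apply is to flag inbound mail whose sender domain is visually close to, but not the same as, a domain the firm trusts. The script below is an added illustration of that check; it is not part of the Marsh alert. The trusted domain `example-law.co.uk` and the sample From: headers are constructed placeholders, not real addresses.

```python
"""Lookalike sender-domain check (added example, not part of the original alert).

Assumes a firm whose legitimate mail domain is the constructed placeholder
'example-law.co.uk'; the sample headers below are constructed, not real mail.
"""
import re

# Constructed: domains the firm legitimately sends mail from.
TRUSTED_DOMAINS = {"example-law.co.uk"}

# Character substitutions commonly seen in lookalike domains (e.g. "rn" for "m").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("cl", "d")]


def normalize(label: str) -> str:
    """Lower-case, fold common homoglyphs and drop hyphens/dots so that
    visually similar spellings compare equal."""
    s = label.lower()
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return re.sub(r"[-.]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header.

    A domain is a lookalike if it is not trusted but either normalizes to a
    trusted domain or sits within max_distance edits of one."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "external"


# Constructed sample headers (not real messages or domains).
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example-law.co.uk>",
    "Jane Smith <jane.smith@exarnple-law.co.uk>",   # 'rn' in place of 'm'
    "Jane Smith <jane.smith@example-1aw.co.uk>",    # '1' in place of 'l'
    "Jane Smith <jane.smith@examplelaw.co.uk>",     # hyphen dropped
    "Bank Support <noreply@some-bank.example>",     # unrelated external sender
]


def scan(headers=SAMPLE_HEADERS) -> list:
    """Classify each header; returns (domain, verdict) pairs for review."""
    return [(sender_domain(h), classify(h)) for h in headers]


if __name__ == "__main__":
    for domain, verdict in scan():
        print(f"{verdict:10} {domain}")
```

The edit-distance threshold of 2 is a judgement call: on short domains it produces false positives, so in practice the flagged messages should feed a quarantine or warning banner for a human to review rather than an automatic block, and the out-of-band telephone verification described in this alert remains the control that actually stops the payment.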
Immediate actions
Raise awareness: Share this note with all employees in your firm so that everyone is aware of the ongoing risks.
Update policies: Whenever an email relating to the transfer of significant funds is sent to/received from a client, we advise the firm to contact the client by telephone or video call, using the original client details on file, to ensure that the requesting email has not been intercepted or modified. As a matter of practicality, firms need to consider the threshold amount of a transfer that they consider significant.
Update retainer letters/email footers:
We advise that when communicating with clients, firms should highlight that any requests for payment should always be verified by the client using the telephone details contained in the original retainer letter before ANY payment is made.
Readiness: Consider and record the firm’s readiness to deal with these risks, and what plans and procedures are in place to minimise or recover from a cyber attack. When were these plans and procedures last reviewed/updated?
Check your insurance: Review your cover with your broker, particularly in relation to cover for theft and cyber incidents.
Consider signing up to the National Cyber Security Service (NCSC): The NCSC is urging as many law firms as possible to sign up for its free early warning scheme, which warns of potential cyber attacks on your network.
In the event of an attack
Know your obligations: Certain cyber crime incidents involving personal data need to be reported to the Information Commissioner’s Office within 72 hours. Any cyber crime that has accessed people’s emails, led to a loss of client money, or is successful (even if any financial losses have been repaid) must be reported to the Solicitors Regulation Authority.
Report to Action Fraud: 24/7 live cyber reporting for business 0300 123 2040.
Report to insurers: Contact your cyber and professional indemnity insurers as soon as possible. Some cyber insurers have strict notification requirements and cover can be prejudiced if these are not followed. It is important that you contact their helplines as soon as you are aware of an incident or potential incident. Their helplines are often available 24 hours a day.
For more information or resources, please contact:
Nam Qureshi, Vice President, FINPRO, Marsh Specialty, 3rd Floor 45 Church Street, Birmingham, B3 2RT
t: +44 (0)121 626 7909 m: +44 (0)7825 100 997