Cyber Security is a topic that has been at the top of everyone’s agenda at some point in the past few years. Details of a successful hack, attempted cyber-fraud or effective cyber-activism appear in the news on a weekly basis.
This reminds all CIOs, IT managers and security professionals that now, more than ever, security must be on the minds of everyone who works with computers, from technology companies such as IT Group to solicitors, barristers and corporates alike. The Law Society’s Gazette has reported that law firms lost £85 million in the past 18 months, and that 1 in 10 law firms was successfully targeted.
In April 2016, the Telegraph reported on a couple who had lost over £200,000 through an email discussion with their property solicitor; or so they thought. Cyber-criminals are continually finding new avenues of attack in an attempt to swindle, con and fraudulently profit from their illegal activities. The worrying trend this past year has been the increase in the interception of email conversations between those in the law industry and their clients: breaking into email accounts and diverting large payments, resulting in a loss for both the client and the law firm.
By breaking into the account of a solicitor, a cyber-criminal is able to read, delete and potentially alter the contents of a message. Instructions to send money to a bank account may have been sent legitimately, but with the sort code and account number altered. Alternatively, the email could have been sent to trick the client into paying outright, similar to the well-known ‘Friday afternoon fraud’.
Even if you successfully adopt best practice techniques to reduce the risk of these threats (don’t panic, some of the basic advice and tips are set out below!), there is one further technique that we encounter regularly at IT Group. Email spoofing is when a malicious attacker tricks your email program into displaying a sender address that is different from the actual originating email address. Using forensic tools, we can determine when an email address has been made to look different from the true address, but most email programs are incapable of performing this check (for now). This often-used technique could be used to supply bank details or instructions that appear to come from the law firm. The best way of defending against this attack is discussed below.
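As an added illustration (not part of the original article), this is the kind of header comparison a forensic check performs: the visible From address is compared with the envelope sender (Return-Path), any Reply-To address, and the receiving server's SPF and DKIM verdicts. All header values and domain names below are constructed for the example.

```python
"""Flag a spoofed sender by comparing the visible From address with the
envelope and authentication headers of a raw message (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line claims the law firm, but the envelope
# sender, Reply-To and the receiving server's SPF/DKIM results disagree.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-sender.example.net>
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=mail-sender.example.net; dkim=none
From: "Jane Smith (Solicitor)" <jane.smith@lawfirm.example>
Reply-To: <jane.smith.lawfirm@webmail.example.com>
To: client@example.org
Subject: Updated bank details for completion

Please send the completion funds to the new account below.
"""

# Constructed legitimate counterpart: every header agrees with the From domain.
LEGIT_RAW = """\
Return-Path: <jane.smith@lawfirm.example>
Authentication-Results: mx.lawfirm.example; spf=pass smtp.mailfrom=lawfirm.example; dkim=pass header.d=lawfirm.example
From: "Jane Smith (Solicitor)" <jane.smith@lawfirm.example>
To: client@example.org
Subject: Completion statement

Statement attached as agreed on the phone.
"""

def _domain(msg, header: str) -> str:
    """Lower-cased domain part of the address in `header`, or '' if absent."""
    return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

def spoof_indicators(raw: str) -> list:
    """Return human-readable reasons the message looks spoofed.
    An empty list means no check fired; it is not proof of legitimacy."""
    msg = message_from_string(raw)
    from_domain = _domain(msg, "From")
    reasons = []
    # A Return-Path or Reply-To on a different domain is the classic sign
    # (mailing lists also do this, so treat it as a prompt to verify by phone).
    for header in ("Return-Path", "Reply-To"):
        other = _domain(msg, header)
        if other and other != from_domain:
            reasons.append(f"{header} domain {other!r} differs from From domain {from_domain!r}")
    # Conservative: a missing Authentication-Results header fires both checks.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth:
        reasons.append("SPF did not pass for the envelope sender")
    if "dkim=pass" not in auth:
        reasons.append("no passing DKIM signature")
    return reasons
```

The checks are deliberately conservative; a flagged message is a reason to confirm payment details by telephone, not an automatic verdict.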
Ultimately, the methods to mitigate the chances of any of these attacks occurring are based on old-fashioned, simple housekeeping:
Ensure that all passwords used inside the law firm are of sufficient strength. You will undoubtedly have been told to use both letters and numbers and ideally non-alphanumeric characters such as “£$%” etc., but did you know that simply changing letters to numbers (for example, l3tme1n instead of letmein) adds no extra security against the majority of hackers? Consider using a random password generator and using its output as your password.
An additional method that can significantly improve security is Two Factor Authentication, which can be implemented on the majority of email services. This requires any user logging into your email system from a new or different computer for the first time to input a code that has been sent (usually via text, or some other similar method) entirely separately. In the majority of cases this second factor will not be available to the hacker, and access will therefore be denied. This is currently considered one of the strongest methods available. Simple apps such as Google Authenticator make this process very straightforward, generating a code on a mobile phone to be input into the computer to add the two factor protection.
Of course, the ultimate defensive measure is one of the oldest security methods in the book. When instructions come in for a payment to be made, ring the company/client and ensure that the bank details are correct – preferably from a voice you recognise, if at all possible. By bypassing the email process, you eliminate the chance of a hacker sitting between you and the client and intercepting the email. On the flip side, encourage your clients to ring you before making any payment when payment details are received, just to check that they originated from you. This will help to minimise the risk of an attacker successfully getting a client to transfer money to the wrong account.