Four things legal practitioners must do now to protect their firm from cyber fraud.
1. Enable Multifactor Authentication (MFA)
2. ALWAYS call before you pay – no exceptions
3. Warn your clients
4. Check your email rules regularly
Are you a principal or practice manager in a firm who recognises you need multifactor authentication (MFA) because you know you are likely to be a target, that it is worth the minor hassle, and whose staff agree?
Does your firm have a process to ensure bank account details provided in an email are confirmed before transferring funds without exception?
Do you warn your clients to be alert to the potential for email compromise by fraudsters at their end?
Do you check your email rules regularly to make sure you have made them and not fraudsters, who have infiltrated your email account?
If you answered NO to any of these then read on, as there are some cyber habits you need to adopt now. We see repeated spikes in cyber claims because firms failed to do one or more of the above. Don’t be the next victim.
Enable multifactor authentication on your business devices.
There are myriad ways that cyber criminals can get access to your passwords, and once they do they can, metaphorically, just unlock your digital door and walk in unless you have the added security of MFA.
Without MFA, cyber criminals can gain access to your email account, sit silently watching your email exchanges, and wait for an opportune time to pretend to be you and trick an email recipient, usually a client, into redirecting funds into a fraudster’s bank account.
Firms that have had recent cyber claims tell us they don’t have MFA. They say they have a policy of always calling to check bank account details before they pay, but on this occasion they didn’t!
With MFA enabled, a tap on your mobile phone app to authenticate you as the email account holder gives you the assurance that only you have access to your email. The most effective option is to set it up so you tap to authenticate every time you log in, but you can also set it up to request authentication only when you log in from a new device or a new IP address. It is well worth it to avoid having to tell a client you have lost their money, and the personal stress and anxiety of sorting it out!
Don’t delay any longer. At a minimum, talk to your IT service provider to have MFA implemented NOW.
We can’t say it any more plainly than that. If you have any questions, please contact us. We’re very happy to help.
Implement a no exceptions process to call and confirm bank account details before you transfer funds.
Put in place a safety net to protect client and trust money, with clear procedures for transferring money and checks and balances to make sure they are followed every time.
The procedure should include taking down phone numbers and other contact details, preferably in person, for the client and relevant parties at the start of a matter. Record them on the file.
Always call to check requests to transfer money and bank account details. Use the recorded or known contact information. Contact details provided by email should not be relied upon as they may have been altered or set up by the cybercriminal and you may end up speaking to them instead of the intended recipient.
Make a file note of the discussion recording the account details and payment instructions and check them against your records.
As a final check, implement a policy ensuring that the staff member making the bank transfer confirms that the checks have been done by sighting the file note. This should not be done by email as we have seen internal emails intercepted and changed.
Warn your clients to be alert to cyber risks at their end.
You might be aware of cyber security risks and doing all the right things to protect yourself from infiltration but what about your clients?
Recent claims have shown that clients are not aware of the cyber risk and have paid money to fraudsters’ accounts based on emails they thought were from their lawyer. Often the law firm sends an email with details of the bank account the client needs to pay money into. Shortly afterwards the client receives another email purporting to be from the law firm with different account details. The client fails to appreciate that the second email is fraudulent and pays the money to the fraudulent account.
It is important to warn clients at the start of the retainer about cyber risks and how your firm will communicate about bank account details. Ideally bank account details should be provided at the start of the matter, and preferably not by email. LPLC has a sample brochure called 'Cyber security – how to protect yourself' that you can use or adapt to give to clients.
Set out in your retainer letter how you will communicate account details and what you expect your client to do. In particular, require the client to always call to confirm the account details. Watch our short video about warning your clients about cyber security.
Check your email rules regularly to make sure fraudsters are not in your account.
If cyber criminals gain entry to your email account they can sit and watch the email traffic, often for many weeks. They set up email rules that divert emails containing certain words like 'settlement', 'bank account' or 'BSB'. They intercept any emails containing bank account details, change them to divert money to themselves and send them on. They prevent relevant emails you or your client send from reaching the recipient. Fake emails they send are either immediately deleted or moved to an unused folder like the RSS Feeds folder.
Cybercriminals can, and often do, harvest all your contact email addresses and send further phishing emails to everyone you know from your email account. This often results in your inbox being inundated with bounce-backs or returned emails, and a switchboard full of people calling to ask what is going on.
Check your email rules regularly and make sure they are ones you created. Anything suspicious may indicate your account has been compromised. If you detect any rules that you didn’t create, change your password immediately then contact your system administrator or IT provider and report it.
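The rule check described above can be done by hand in the mail client, but an IT provider looking after many mailboxes will want to automate it. The following Python script is an added example and is not LPLC's code or a tool the article refers to. It assumes the firm's inbox rules have been exported to JSON using property names modelled on what Exchange Online's Get-InboxRule cmdlet returns (that export shape is an assumption); the firm domain example-lawfirm.com.au and the three sample rules are constructed for the example. It flags rules that filter on the financial words the article names, forward or redirect outside the firm, delete matching mail, or file it in a rarely-viewed folder such as RSS Feeds, and rates a rule 'high' when it both targets financial mail and diverts it.

```python
import json

# Constructed sample export. Property names are modelled on Get-InboxRule output
# (an assumption about the export shape; produce the real file with
# Get-InboxRule | ConvertTo-Json). Three rules: one benign, one typical of a
# fraudster's diversion rule, and one that only merits a human look.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletters", "Enabled": true,
   "SubjectContainsWords": ["newsletter"], "BodyContainsWords": [],
   "MoveToFolder": "Inbox/Newsletters", "DeleteMessage": false,
   "ForwardTo": [], "RedirectTo": []},
  {"Name": ".", "Enabled": true,
   "SubjectContainsWords": ["settlement", "BSB"], "BodyContainsWords": ["bank account"],
   "MoveToFolder": "Inbox/RSS Feeds", "DeleteMessage": false,
   "ForwardTo": ["attacker@example.net"], "RedirectTo": []},
  {"Name": "Keep inbox tidy", "Enabled": true,
   "SubjectContainsWords": ["out of office"], "BodyContainsWords": [],
   "MoveToFolder": null, "DeleteMessage": true,
   "ForwardTo": [], "RedirectTo": []}
]
"""

# Words the article says diversion rules filter on, plus a few close relatives.
FINANCIAL_TERMS = ("settlement", "bank account", "bsb", "account details", "payment", "invoice")

# Folders nobody reads, where the article says fake and intercepted mail gets hidden.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "junk email", "deleted items", "conversation history")


def _words(rule, *keys):
    """Collect a rule's keyword conditions, lower-cased, from the named properties."""
    found = []
    for key in keys:
        found.extend(str(w).lower() for w in (rule.get(key) or []))
    return found


def assess_rule(rule, internal_domain):
    """Return human-readable findings for one rule; an empty list means nothing suspicious."""
    findings = []
    name = str(rule.get("Name") or "").strip()
    if len(name) <= 1:  # fraudsters often name rules "." or "," so they are easy to overlook
        findings.append("rule name is blank or a single character")

    conditions = _words(rule, "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
    hits = sorted({term for term in FINANCIAL_TERMS for w in conditions if term in w})
    if hits:
        findings.append("filters on financial terms: " + ", ".join(hits))

    # Any forward or redirect that leaves the firm's own domain is worth a look.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(key) or []:
            if not str(addr).lower().endswith("@" + internal_domain.lower()):
                findings.append(f"{key} sends mail outside the firm: {addr}")

    folder = str(rule.get("MoveToFolder") or "").lower()
    leaf = folder.replace("\\", "/").rstrip("/").split("/")[-1]  # last path component only
    if leaf in HIDING_FOLDERS:
        findings.append(f"moves matching mail to a rarely-viewed folder: {leaf}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    if rule.get("MarkAsRead"):
        findings.append("marks matching mail as read")
    return findings


def severity(findings):
    """'high' when a rule both targets financial mail and hides, deletes or forwards it; else 'review'."""
    targets_money = any(f.startswith("filters on financial terms") for f in findings)
    diverts = any(f.startswith(("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "moves", "deletes"))
                  for f in findings)
    return "high" if targets_money and diverts else "review"


def scan_rules(rules_json, internal_domain):
    """Parse an exported rule list and report every rule that raised findings, keyed by rule name."""
    report = {}
    for rule in json.loads(rules_json):
        findings = assess_rule(rule, internal_domain)
        if findings:
            report[str(rule.get("Name"))] = {"severity": severity(findings), "findings": findings}
    return report


if __name__ == "__main__":
    for name, result in scan_rules(SAMPLE_RULES_JSON, "example-lawfirm.com.au").items():
        print(f"[{result['severity'].upper()}] rule {name!r}")
        for line in result["findings"]:
            print("   -", line)
```

Anything the script reports should be compared against the rules the mailbox owner remembers creating; a 'high' rule that nobody recognises is treated as a compromised account, which means changing the password and telling the IT provider straight away, as the article says.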
The Australian Cyber Security Centre has a number of step-by-step guides to assist with securing email accounts.