In recent months there has been a steady rise in cyber fraud incidents notified to LPLC by law firms, including by many small firms and sole practitioners.
The cost of these incidents has increased dramatically (figure 1), with claim costs for the first five months of the 2023 financial year already exceeding those for the whole of the 2022 year. This is mainly because much larger sums are being stolen, and recovery is often not possible because cyber-criminals move the money on before the fraud is discovered.
All law practices must be on high alert when client money is being transferred, particularly as we head into a busy period of transactions before the holiday shutdown.
The most common cyber incidents notified to LPLC result from compromised email—where emails have been accessed by cyber criminals who have then impersonated either the client or the firm to redirect the payment of funds to the cyber-criminal’s account. We are also seeing cyber criminals impersonating people within the firm (both principals and accounts staff) by sending fake internal emails to confirm that bank account details have been verified when they have not.
Tactics used by cyber criminals continue to evolve, including using generative artificial intelligence tools such as ChatGPT to write convincing emails that mimic the writing style and tone of the firm or client author, so that poor spelling and grammar can no longer be relied on as a warning sign and staff are tricked into treating the email as genuine.
Despite increasing (and more sophisticated) cyber risk, we are still seeing firms that are not taking sufficient steps to proactively secure their systems, strengthen their procedures for warning clients, and verify bank account details before transferring funds. Others are not adequately training staff in cyber risks and the firm's procedures.
All law practices need to be hypervigilant and take time now to review and tighten up their policies and procedures for transferring client funds. Here are five essential and simple measures to take to avoid being at the wrong end of a cyber incident and a costly claim:
- Be suspicious of, never rely on, and always authenticate emails or attachments (whether external or internal to the firm) that provide or change bank account details or purport to have verified the transfer of funds.
- Without exception, always call the account holder before you pay, on a number you already hold on file or have sourced independently (never a number taken from the email or attachment that supplied the account details, as a criminal who controls the email also controls that number), and check the account details by reading them out and having them read back. A file note of the call, including the number used, should then be recorded on the file.
- Warn your clients about the risk of email compromise and that they should always call to confirm bank account details are correct before paying.
Tell them that your firm's bank details will not change, and that you will only confirm them in a face-to-face meeting, by video conference, by phone (from a person and number at the firm already known to the client) or by post, never by email alone.
To assist with your cyber warnings to clients, LPLC has a template cyber security client brochure, "How to Protect Yourself", and an "ALWAYS call and verify before you pay" email signature banner as an additional prompt.
- Communicate to all staff the need for absolute vigilance and ensure that the "call to verify before you pay" and file note procedure is followed without exception, for payment instructions received from outside the firm and for those received from within it.
- Secure your technology as set out in LPLC’s cyber risk guide.
In particular, if you have not already done so, turn on multi-factor authentication (MFA) for email and any other system that holds client or payment information. Where the platform supports it, prefer an authenticator app or a hardware security key over SMS codes. For more information about how to use MFA, the Australian Cyber Security Centre has step-by-step guides on its website for setting up MFA on a variety of platforms, including Microsoft.
Also regularly check the forwarding rules on every mailbox in the firm, including mailbox-level forwarding that is only visible to an administrator, and if there are any rules you or the mailbox owner did not create, contact your IT provider. Forwarding rules are commonly used by cyber-criminals looking to divert money and intercept emails between law firms and clients: the rule silently copies the mailbox's email to the criminal, or hides replies about payments so the owner never sees them. The Australian Cyber Security Centre also has guidance on how to review email security.
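Checking rules by hand is workable for one mailbox but not for a whole firm. The following PowerShell script is an added example (it is not LPLC's or Microsoft's own material) that audits every mailbox in a Microsoft 365 / Exchange Online tenant for the three places a criminal can set up diversion: forwarding configured on the mailbox itself, inbox rules (including hidden ones), and organisation-wide transport rules. It assumes the ExchangeOnlineManagement module is installed and that the account used has Exchange Online read permissions; the keyword and folder patterns used to rank rules as suspicious are assumptions to be tuned to the firm.

```powershell
# Added example (not LPLC's own material): read-only audit of an Exchange Online
# tenant for mail forwarding that could let an attacker intercept or hide mail.
# Assumes the ExchangeOnlineManagement module and an account with Exchange read
# permissions (e.g. View-Only Organization Management). Nothing is changed here.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

# Words a BEC rule typically filters on so the owner never sees the reply
# (assumption; extend with the firm's own terms such as matter types).
$keywordPattern = 'invoice|payment|bank|account|settlement|transfer|trust|deposit'

# Folders attackers move diverted mail into so it goes unnoticed (assumption).
$hiddenFolderPattern = 'RSS|Archive|Junk|Deleted|Conversation History|Notes'

function Add-Finding($Mailbox, $Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{
        Mailbox = $Mailbox; Type = $Type; Name = $Name; Detail = $Detail
    })
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # 1. Forwarding set on the mailbox itself. This never appears in the user's
    #    own Outlook rules list, so only an administrator can spot it.
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        Add-Finding $upn 'MailboxForwarding' '(mailbox property)' `
            ("ForwardingAddress={0}; ForwardingSmtpAddress={1}; KeepCopy={2}" -f `
             $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress, $mbx.DeliverToMailboxAndForward)
    }

    # 2. Inbox rules, including hidden rules created through the mailbox API.
    foreach ($rule in Get-InboxRule -Mailbox $upn -IncludeHidden) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail outside the mailbox'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match $hiddenFolderPattern) {
            $reasons += "moves matching mail to '$($rule.MoveToFolder)'"
        }
        $conditions = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                      @($rule.SubjectOrBodyContainsWords) + @($rule.FromAddressContainsWords)
        if (($conditions -join ' ') -match $keywordPattern) {
            $reasons += 'matches on payment or banking keywords'
        }
        # Attackers often give rules a blank or one-character name to hide them.
        if ($rule.Name -match '^[\s.,\-_]*$' -or $rule.Name.Length -le 2) {
            $reasons += 'rule name is blank or a single character'
        }
        if ($reasons.Count -gt 0) {
            Add-Finding $upn 'InboxRule' $rule.Name ($reasons -join '; ')
        }
    }
}

# 3. Organisation-wide transport rules that silently copy or redirect mail.
foreach ($tr in Get-TransportRule) {
    if ($tr.RedirectMessageTo -or $tr.BlindCopyTo -or $tr.CopyTo -or $tr.AddToRecipients) {
        Add-Finding '(tenant)' 'TransportRule' $tr.Name `
            ("Redirect={0}; Bcc={1}; Cc={2}; AddTo={3}" -f `
             ($tr.RedirectMessageTo -join ','), ($tr.BlindCopyTo -join ','),
             ($tr.CopyTo -join ','), ($tr.AddToRecipients -join ','))
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# Print the findings and keep a dated copy as a record of the check.
$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\forwarding-audit-$(Get-Date -Format yyyyMMdd).csv"
```

Every line in the output is a lead to confirm with the mailbox owner, not a verdict: a partner may well have a legitimate rule moving newsletters to a folder. A forwarding rule or mailbox forwarding address that the owner did not create, however, is evidence that the account has already been compromised, so treat it as an incident (reset the password, revoke active sessions, review sign-in logs) rather than simply deleting the rule. Get-InboxRule is queried one mailbox at a time and can take a while in a large tenant, so schedule the script rather than running it ad hoc. As a preventive control, the Microsoft 365 outbound spam filter policy can block automatic forwarding to external addresses altogether (Set-HostedOutboundSpamFilterPolicy with AutoForwardingMode set to Off), which removes the most common diversion method before it can be used.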
If your law practice and staff are not implementing these basic measures, it is only a matter of time before the firm will fall victim to cyber fraud. Act now so that it’s not you!
In the event your firm does experience a cyber incident, immediately:
- Contact the transferring and recipient banks. LPLC has a reference list for accessing bank information relating to cyber fraud and bank contact details in the event of a cyber incident. If it’s a PEXA transaction, call the PEXA Support Centre first.
- Call your IT provider to secure your systems: reset the passwords of affected accounts, sign out all active sessions, remove any forwarding rules that were not created by the firm, and preserve mailbox and sign-in logs rather than wiping them, as they will be needed to establish what was accessed and which clients may have been contacted.