Cybercrime occurs on an industrial scale. Law firms are attractive targets to hackers because of the amount of money that flows through our client accounts and the volume of transactions.
For all the advances to communication it has brought to legal practice over the past twenty years, our reliance on email makes lawyers vulnerable to hackers and fraudsters.
Most – if not all – firms are regularly subject to phishing attacks. It takes just one person to click on a malicious email to open the door.
Covid certainly hasn’t helped. Working from home has exacerbated existing points of failure.
What do you do when the worst happens?
An email arrives into your finance department with instructions for a damages payment in a commercial dispute matter. There is nothing to suggest it’s anything but genuine. The details look perfect. It’s come from your colleague’s account. And it’s part of an email chain.
But something’s off. The payee is a company that just doesn’t sound right.
Your cashier’s spidey sense is tingling so they double check with the solicitor.
Good job they did. They have just thwarted a significant fraud.
Had they not, the thieves would have made off with your client’s money and you would have to put things right.
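Some of that spidey sense can be written down as checks. The script below is an added example, not code from this post, showing three automated checks a cashier's mailbox could run on an incoming payment instruction before anyone picks up the phone: whether the Reply-To address points somewhere other than the apparent sender, whether either domain is a lookalike of the firm's own domain, and whether the named payee and bank details match a register of payees already verified out of band. The firm domain, the two sample emails and the payee register are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical firm domain and a register of payees whose bank details were
# verified by phone. Both are constructed for this example.
FIRM_DOMAIN = "example-law.co.uk"
APPROVED_PAYEES = {
    "jones & co solicitors": {"sort_code": "00-00-00", "account": "87654321"},
}

# Constructed sample: looks like a colleague's reply in an existing thread,
# but Reply-To goes to a lookalike domain and the payee is not on the register.
SUSPECT_EMAIL = """\
From: Jane Solicitor <jane.solicitor@example-law.co.uk>
Reply-To: Jane Solicitor <jane.solicitor@examp1e-law.co.uk>
To: Cashiers <cashiers@example-law.co.uk>
Subject: RE: Smith v Jones - damages payment

Please pay the agreed damages today.
Payee: Jones Holdings Consultancy Ltd
Sort code: 00-00-00
Account: 12345678
"""

# Constructed sample of a genuine instruction for comparison.
GENUINE_EMAIL = """\
From: Jane Solicitor <jane.solicitor@example-law.co.uk>
To: Cashiers <cashiers@example-law.co.uk>
Subject: RE: Smith v Jones - damages payment

Please pay the agreed damages today.
Payee: Jones & Co Solicitors
Sort code: 00-00-00
Account: 87654321
"""


def normalise_domain(domain):
    """Fold common lookalike substitutions (1->l, 0->o, rn->m) for comparison."""
    return domain.lower().replace("rn", "m").replace("1", "l").replace("0", "o")


def sender_flags(msg):
    """Flag Reply-To redirection and lookalike domains in the sender headers."""
    flags = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", from_addr)))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    for label, domain in (("sender", from_domain), ("reply-to", reply_domain)):
        if domain != FIRM_DOMAIN and normalise_domain(domain) == normalise_domain(FIRM_DOMAIN):
            flags.append(f"{label} domain {domain} is a lookalike of {FIRM_DOMAIN}")
    return flags


def parse_instruction(body):
    """Pull payee and bank details out of the plain-text body (constructed layout)."""
    patterns = {
        "payee": r"Payee:\s*(.+)",
        "sort_code": r"Sort code:\s*([\d-]+)",
        "account": r"Account:\s*(\d+)",
    }
    fields = {}
    for key, pattern in patterns.items():
        match = re.search(pattern, body, re.IGNORECASE)
        if match:
            fields[key] = match.group(1).strip()
    return fields


def payee_flags(fields):
    """Compare the instruction against the verified-payee register."""
    payee = fields.get("payee", "")
    if not payee:
        return ["no payee named in the instruction"]
    known = APPROVED_PAYEES.get(payee.lower())
    if known is None:
        return [f"payee '{payee}' is not on the verified-payee register"]
    if (known["sort_code"], known["account"]) != (fields.get("sort_code"), fields.get("account")):
        return [f"bank details for '{payee}' do not match the verified register"]
    return []


def check_payment_email(raw):
    """Return every red flag found; an empty list means no automated concern."""
    msg = email.message_from_string(raw, policy=policy.default)
    return sender_flags(msg) + payee_flags(parse_instruction(msg.get_content()))


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, check_payment_email(raw) or "no flags")
```

None of these checks replaces the phone call: a genuinely compromised colleague's mailbox passes the header checks, which is exactly why the register of verified payees is the check that matters most.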
In unrelated news, your finance team asks for a raise.
Good save! But don’t stop there…
When you experience a near-miss like this, there are certain steps you have to take:
- Seal the doors
- Investigate and patch the holes
- Alert the authorities
- Notify affected clients
- Report to regulators
- Notify other clients and third parties
- Insurance notification
- Review systems
- Update training
- Get cyber insurance
1. Seal the doors
Get your IT security team on the case immediately. They will probably:
- Change all email login, device and server passwords. If passwords have been compromised, this should stop the hack continuing. Note that a password change does not always end sessions that are already open, so ask IT to sign out existing sessions too and to switch on multi-factor authentication if it is not already in place.
- Suggest home Wi-Fi routers are secured, if your team is remote working.
Inform everyone that the firm might be under cyber attack and you are taking steps to make the situation safe. In the meantime, the entire team needs to be ultra-vigilant and follow management instructions carefully. Anything slightly odd needs to be reported straightaway.
If you think any clients are at immediate risk of transferring money to the hackers, make sure you pick up the phone.
2. Investigate and patch the holes
You will probably have to be led by your IT security team. In the background they are likely to:
- Run server scans
- Execute malware and virus scans
- Access mail servers and change settings
Having stopped the immediate threat, the next thing you want from your IT security team is to investigate the scale of the breach and the point of failure. Was it intercept fraud, a compromised email account or (the nightmare) have they got inside your case management system?
You may not get a complete picture before you must determine your next steps.
3. Alert the authorities
First and foremost, this is an attempted fraud. A criminal attack. Luckily unsuccessful, but you would probably still call the police if someone had tried to force open your window.
Report to Action Fraud. They look at all types of fraud and spot patterns and the small amount of information from each attempted fraud can build a big picture to catch the criminals and alert the public. The Action Fraud reporting tool can be found here.
4. Notify affected clients
For those clients you know to be affected (the litigation client in our scenario), you must alert them. This puts them on notice to improve their own security and be extra vigilant.
They can also choose to be placed on a protective register, so the criminals have a very hard time using their details to raise funds from financial institutions. You can always offer to pay the 2 year fee of £25. Details here.
5. Report to regulators
Two reports are likely:
- Information Commissioner’s Office (ICO) – any personal data that has been accessed through the attack is now in the hands of the criminals. This may include bank account details, addresses and other sensitive information. The risk to clients is high – the fraudsters may use this information to target your clients in the future or sell the data. The ICO self assessment tool is available here. Don’t forget the 72 hour time limit for reporting.
- SRA – if you have decided to report to the ICO, the attack is probably also serious enough to report to the SRA. It’s likely that confidential client information is now “out in the wild”. Although you are unlikely to be hauled over the coals for being the victim of a cybercrime, SRA will want to know what steps you are taking to mitigate the risk and how serious the breach is. They also publish warnings through their Scam Alerts.
6. Notify other clients and third parties
Other than the immediately affected clients, you may need to notify other affected parties. Sometimes IT security teams cannot be certain that the rest of the firm’s data is unaffected. Which means you may have to make a difficult call on whether to draw attention to the hack.
You could do this personally by letter or email, or cast the net wider with a website notification or, in extreme cases, a press release.
Hopefully you can include assurances that your systems picked up the issue and prevented harm. Maybe include any additional steps you have taken to reduce the risk of this happening again.
7. Insurance notification
If there’s no loss, you shouldn’t have to notify professional indemnity insurers, right? There are two reasons why you might want to in any event:
- A notification will cover you in case something has slipped through the net and there is a future claim to be made.
- It’s an opportunity to explain how well your systems worked in identifying the issue, and how organised your response was. That can’t hurt.
8. Review systems
The immediate threat has gone. It’s time to reflect on how much worse it could have been and what you should do to improve your cyber security.
At this point, lots of firms start seriously considering the government-backed Cyber Essentials scheme.
9. Update training
Don’t let a good emergency go to waste! Whilst it’s still fresh in everyone’s mind, make sure your team is up to speed with your IT security policies and best practices.
Some firms regularly send round thwarted examples of phishing scams to educate staff. As the fraudsters get more sophisticated and they find new ways to entice us to click a link, this will become increasingly important.
10. Get cyber insurance
Cyber attacks are sadly a fact of life and insurance is a cost of doing business. If you don’t know whether your PII policy adequately protects the firm against the latest threats, speak to your broker.
We have access to standalone policies, which often provide much better coverage and specific disaster recovery services. Contact us for more information.