Law firms’ cyber fraud losses jump 40pc
Written by staff reporter
Losses to cyber fraud among UK law firms have jumped by 40% in the last year, according to a study by Hazlewoods. The business advisory says the value of funds lost to cyber frauds at law firms in the six months from November 2015 to April 2016 totalled £2.53m, up 40% from £1.81m in the same period a year earlier.
The study cites a sharp rise in the number of attempts by fraudsters to trick law firms into transferring funds to them by hacking the email accounts of the firms’ employees, or more commonly, their clients.
After gaining access to an individual’s email account – generally through a phishing email – the fraudsters then email an employee at the law firm asking them to transfer funds to a bank account. If the employee transfers this money, it is generally withdrawn from the fraudulent account almost immediately, making it virtually impossible to trace or recover.
This type of fraud is understood to be a particular risk for firms dealing frequently with large transfers of funds, such as those handling probate cases and conveyancing.
The firm says that while losses to cyber fraud are still relatively modest, they can still amount to more than enough to force the closure of some of the smaller law firms that have fallen victim.
The Solicitors Regulation Authority (SRA) is duty-bound to take a hard line on firms that lose client funds to cyber frauds, and in these cases expects firms to immediately replace the money lost from their own funds, without waiting for their insurance to cover the loss.
If this is not possible, the firm and its owners risk serious reprimands from the regulator. Director at Hazlewoods, Andy Harris, says that for smaller law firms, replacing what can be hundreds of thousands of pounds of client funds from their own accounts might be impossible, and that would bring the risk of sanctions from the SRA into play.
“Every law firm needs to ensure that all its staff are trained to be vigilant, and treat with suspicion any request for a transfer of funds. If a client requests via email that money be transferred, it’s critical that the firm verify the request over the phone or in person,” he added. “Some of these frauds involved the firms’ own email accounts being hacked, so all employees need to follow some basic data security rules – don’t use easily-guessed passwords, update your antivirus software on a regular basis, and don’t log into your email account when you’re on public wifi. All staff should also be given training on identifying suspected phishing emails.”