UK law firms lost £11 million of client money to cyber crime: NCSC
2 August 2018
Law firms in the UK lost more than £11 million of client money to cyber criminals between 2016 and 2017, with as many as 60 percent of law firms suffering cyber security incidents in the period, the National Cyber Security Centre has revealed.
A detailed study carried out by the National Cyber Security Centre with assistance from the Law Society, the Solicitors Regulation Authority (SRA), Action Fraud, and the National Crime Agency (NCA) has revealed that be it phishing attacks, suffering data breaches, suffering ransomware attacks or supply chain attacks, law firms in the UK still have some distance to cover to ensure they are ready and equipped to ward off attacks from cybercriminals in the future.
In March last year, research by AXELOS revealed that as many as 73 of the UK’s top 100 law firms were targeted by cyber-attacks, compared to just 45 in 2013-14. 84% of the 73 firms also admitted that they had been victims of phishing attacks as well.
Less than a year later, security firm RepKnight discovered over 1 million stolen e-mail addresses belonging to employees at the top 500 law firms in the UK on the Dark Web, including 30,000 e-mail addresses belonging to a single law firm. These e-mail addresses were obtained by cyber criminals by compromising third-party websites such as Dropbox and LinkedIn that stored sensitive personal information of millions of users.
The NCSC’s new legal threat report has come up with findings not much different from what AXELOS reported last year. According to the new report, law firms in the UK lost £11 million of client money to cyber crime in the last 12 months, with as many as 60 percent of them suffering cyber security incidents in the period.
The NCSC believes that while a majority of the threat actors are primarily cyber criminals with financial motives, a number of nation-state actors and hacktivists have also arrived on the scene, targeting law firms to achieve political, economic or ideological ends.
The menace of phishing scams
Phishing attacks have been a nuisance to the UK’s corporate sector for several years now, and law firms are no exception to the rule. In fact, the impact of phishing attacks on law firms has worsened over the years. For instance, the amount stolen from law firms through phishing in the first quarter of 2017 was 300% higher than the previous year.
In 2018 alone, the Solicitors Regulation Authority (SRA) has observed as many as 110 phishing scams carried out against law firms, although the true figure is likely to be far higher, since many phishing attacks go unobserved or unreported.
Based on such observations, the NCSC is now advising law firms to implement processes to verify (via independent means) invoices and account details for money transfers, keep changing account details for high-value transactions, encourage a culture where suspicious transactions are queried and rushed or improperly validated payments are refused, and educate clients about a firm’s invoice and money transfer processes.
If law firms follow these steps, they will to a large extent be able to prevent phishing attacks in which fraudsters trick employees into transferring large amounts of money to attacker-controlled accounts by masquerading as senior executives or clients.
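The verification process the NCSC recommends above can be expressed as a simple pre-payment check. The following is an added example, not code from the NCSC report; the verified-account register, the £10,000 high-value threshold and the sample invoice requests are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed register of beneficiary details already confirmed with each client
# over an independent channel (a phone number held on file, not one in the e-mail).
VERIFIED_ACCOUNTS: Dict[str, str] = {"Client A Ltd": "20-00-00 11111111"}
HIGH_VALUE_GBP = 10_000.0  # assumed threshold; set by the firm's own policy

@dataclass
class PaymentRequest:
    client: str
    amount_gbp: float
    account: str                # sort code and account number quoted on the invoice
    requested_urgently: bool    # "must go out today" style pressure in the request
    verified_out_of_band: bool  # staff confirmed details by calling the number on file

@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)

def review_payment(req: PaymentRequest, register: Dict[str, str]) -> Decision:
    """Refuse a transfer that is rushed, high-value, or bound for new or changed
    account details unless it was verified through an independent channel."""
    reasons: List[str] = []
    known = register.get(req.client)
    if (known is None or known != req.account) and not req.verified_out_of_band:
        reasons.append("beneficiary account is new or differs from the verified record")
    if req.amount_gbp >= HIGH_VALUE_GBP and not req.verified_out_of_band:
        reasons.append("high-value transfer has not been independently verified")
    if req.requested_urgently and not req.verified_out_of_band:
        reasons.append("rushed request has not been independently verified")
    return Decision(approved=not reasons, reasons=reasons)

# Constructed sample requests: a routine payment, a diverted-invoice attempt
# (changed account, urgent), the same change after a verification call, and an
# unverified high-value payment to the correct account.
SAMPLE_REQUESTS = [
    PaymentRequest("Client A Ltd", 2_500.0, "20-00-00 11111111", False, False),
    PaymentRequest("Client A Ltd", 2_500.0, "99-99-99 77777777", True, False),
    PaymentRequest("Client A Ltd", 2_500.0, "99-99-99 77777777", True, True),
    PaymentRequest("Client A Ltd", 45_000.0, "20-00-00 11111111", False, False),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = review_payment(req, VERIFIED_ACCOUNTS)
        print(req.amount_gbp, "APPROVED" if d.approved else "REFUSED", d.reasons)
```

The second request is the classic diverted-invoice pattern and is refused outright; only once the new details have been confirmed by a call to a number already on file does the same payment pass.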
Law firms, not only in the UK but also in other Western countries, have also suffered data breaches in the aftermath of targeted cyber attacks launched by nation-state hackers, particularly because large law firms often store and handle intellectual property on behalf of clients, and such data is highly valuable to hostile states.
According to Action Fraud, in the two years to March 2018, eighteen law firms reported hacking attempts and two New York-based law firms lost over $4 million after three foreign nationals successfully infiltrated their networks. Panama-based Mossack Fonseca lost as much as 2.6TB of data following the Panama Papers hack in 2016 and this resulted in the firm shutting down soon after.
Supply chain attacks on law firms
Hackers have also launched successful supply chain attacks on law firms through the exploitation of third-party data stores or software providers. Many law firms have lost sensitive data through no fault of their own, as hackers have taken advantage of third-party suppliers failing to adequately secure their systems.
“A law firm’s position in the supply chain can also make them an attractive target. Cyber criminals can observe the process of a transaction and strike when money is about to be transferred. State actors can also target a law firm as a vector to gain access to corporate clients and their information,” the NCSC noted.
“Like all businesses, law firms are increasingly reliant on IT and technology and, as a result, are falling victim to a range of malicious cyber activity. Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also its clients,” said Ciaran Martin, Chief Executive of the NCSC.
“The NCSC is committed to supporting the legal sector as part of our role to make the UK the safest place to live and do business online and that’s why we feel it’s extremely important to offer the tailored advice and guidance outlined in this report,” he added.
In order to help UK-based law firms strengthen their cyber security practices and credentials and learn more about upcoming technologies that can help detect supply-chain attacks or phishing attacks, a joint industry and government initiative named The Cyber Security Information Sharing Partnership (CiSP) has been established.
CiSP helps businesses and organisations exchange cyber threat information in real time, in a secure, confidential and dynamic environment, and to increase their situational awareness.
“UK-based law firms are now able to sign up to a new, private CiSP group tailored to their needs – ‘Legal Sector’ – which gives access to a wealth of cyber security expertise and advice to help keep you safe online. This group will enable you to communicate and collaborate on cyber security matters with government and industry peers in a secure and trusted environment,” the report added.