
Beware of the phish – how to stay ahead of the scammers

03 May 2017

UPDATED 10 May 2017: Following great discussion on social media, it is probably helpful to highlight that the risk from using cloud storage systems comes in particular from using the free online versions, which the original post refers to. Read Peter's update below about Dropbox, regulatory compliance and how a law firm was penalised by the ICO for having used a cloud storage system designed for private users for business purposes.


Targeted phishing emails and other online scams aimed at law firms are becoming ever more sophisticated. With the imminent arrival of the General Data Protection Regulation in May 2018, spotting the warning signs is more imperative than ever – and non-compliance is simply not an option, says Peter Wright

Phishing emails are fraudulent emails appearing to come from legitimate sources. They often direct you to a facsimile of a trusted website (like a bank's), entice you to open a legitimately-named attachment, or otherwise get you to divulge private information. This is then used by cybercriminals to commit identity theft.

Targeted phishing emails now look ever more genuine. You could receive an email that you think is from a client. It could be sophisticated enough to have an email signature with a contact phone number. The person at the other end will sound plausible. It's only when you do a little investigating that you realise that this isn't the usual contact number for the client. Only trust the verifiable contact information you have for the client on your own system. Don't simply go back to your last email and scroll down to the signature for contact details, as the email and the information could be fraudulent.

Don't assume that because an email is internal it is safe – I have heard of some firms' email account servers being compromised to the point where internal emails have been hijacked. If you receive a request that you were not expecting, it’s worth a walk to someone else’s desk just to double check the request is genuine. Better this than for a six-figure sum to vanish from your client account, which is precisely what has happened to many other law firms recently.

Multi-channel attacks

Criminals are now attempting cyberattacks through many different channels - phone, email, social media. I have heard of an accountancy firm in Europe which received an email from a purported client who said it wanted to buy a company that minute. Within two hours, the firm received a series of emails and phone calls from the 'client' reiterating its instructions. It was only when the actual client returned from holiday that the firm found out that it was a scam, and that hundreds of thousands of euros had been paid into a fake account and transferred away by the fraudsters.

If you receive instructions in this way, think like a journalist - they won't publish a story without two sources. If you receive major financial instructions by email, get your two stages of authorisation:

  • call the client on your trusted contact number for them
  • confirm their wishes to be sure you are speaking to the real person before going ahead.

Make sure that whatever medium you are using to either store or transmit personal data - in particular, data relating to your clients - is secure and encrypted. Avoid free cloud-based systems like Dropbox or Google Drive to communicate with clients or receive confidential data. They are not secure or encrypted, and you are effectively in legal and regulatory breach by using them for client-related activity as their servers are based in the cloud and most likely in the United States.

Regulation is coming

There is an added imperative to take your data protection obligations seriously with the EU General Data Protection Regulation (GDPR) becoming law in the UK and across Europe in May 2018, which will continue to apply to all businesses exporting goods or services into the European Single Market, regardless of any future legal and regulatory settlement reached by the UK with the EU. 

The GDPR has many major requirements. The biggest risk for law firms is the notification of a breach to the Information Commissioner's Office (ICO) within 72 hours. The ICO will want to know:

  • what systems and information have been compromised
  • that your firm has isolated the cyber attack so that data is no longer being compromised
  • that you have worked out what personal data has been compromised and how
  • what steps you are taking to
  • how you will ensure it doesn't happen again.

I heard of one small, two-partner insolvency practice who had a breach recently. By the time it had spoken to its insurers, and the insurers had instructed their own solicitors and given their views on the notification and their concerns over conceding any issues around liability, almost three weeks had passed before it notified the ICO.

72 hours may seem like a long time, but many firms don't know about a breach for weeks or even months after it has happened. My advice is to carry out a cybersecurity breach simulation, working out the necessary resources and lines of communication including who will be responsible for reporting the breach to your insurers, bank, clients, staff, or the police. A stakeholder delaying your report to the ICO could lead to regulatory action being taken against your firm.

If firms have not already begun work on achieving compliance with the GDPR, they will find it impossible to achieve full compliance by May 2018. At this point, it's a matter of working out how non-compliant you are prepared to be. You will have to cherry-pick what you can and cannot afford to comply with, and put the rest in place as quickly as possible.


UPDATED 10 May 2017: Following great discussion on social media this weekend, it is probably helpful to highlight that the risk from using cloud storage systems comes in particular from using the free online versions, which the original post refers to.

Dropbox in particular is an interesting example. While it is true that it is one of the more secure free cloud storage solutions available, with some security features and encryption in place, the following should be considered from a regulatory compliance perspective:

  • The free version of Dropbox does not allow for a choice of jurisdiction as to where user data is stored. This choice is available, but for paying business customers only.

  • The differentiation between the free version of Dropbox and the business version is an important one. The Terms and Conditions of Use for the freely available versions of Dropbox state that:
    “IF YOU USE THE SERVICES FOR ANY COMMERCIAL, BUSINESS OR RESALE PURPOSES, DROPBOX AND ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WILL HAVE NO LIABILITY TO YOU FOR ANY LOSS OF PROFIT, LOSS OF BUSINESS, BUSINESS INTERRUPTION OR LOSS OF BUSINESS OPPORTUNITY. DROPBOX AND ITS AFFILIATES ARE NOT RESPONSIBLE FOR THE CONDUCT, WHETHER ONLINE OR OFFLINE, OF ANY USERS OF THE SERVICES.
    OTHER THAN FOR THE TYPES OF LIABILITY WE CANNOT LIMIT BY LAW (AS DESCRIBED IN THIS SECTION), WE LIMIT OUR LIABILITY TO YOU TO THE GREATER OF $20 USD OR 100% OF ANY AMOUNT YOU'VE PAID UNDER YOUR CURRENT SERVICE PLAN WITH DROPBOX.”
    The UK is not a jurisdiction that makes this type of limitation of liability unlawful, and the clause makes it quite clear that Dropbox will not be held liable for losses arising from a failure to keep your data secure. Those losses will fall squarely on the user if the user is a business, like a law firm.

  • The leading case of a law firm facing action from the UK Information Commissioner remains ACS Law, where a law firm was penalised by the ICO for having used a cloud storage system designed for private users for business purposes. The ICO made it clear in issuing a monetary penalty notice that a law firm was held to a higher standard than other data controllers, as it should have understood its responsibilities as a data controller, and as a result the amount of the fine was commensurately higher. Consequently, where a law firm depends on a free or very low-cost cloud service that is not intended for business use, it could face regulatory action for any data protection breach from both the ICO and the SRA, along with civil liabilities to any of the data subjects affected.

It should be emphasised that there is no issue with businesses that are paying a premium for the Dropbox business service; again, the original post referred only to the free version. Any business users should consider looking at Dropbox's subscription services, which allow users to specify that data should remain in the European Economic Area, as well as requiring two-factor authentication on all accounts.

Furthermore, the issue here is not the use of Dropbox or other free cloud software in and of itself. It is more the use of such products in organisations without any internal governance, policies or procedures, such as where business-related files and data are being uploaded to the cloud by members of staff because it is convenient, without any awareness of the risks, such as CryptoLocker, the most common form of ransomware. I know of one law firm where a partner was using a free version of Dropbox to take instructions from a client and inadvertently found their system locked down with ransomware, requiring a full reset from their backup. Once they were back up and running, the same partner went back into Dropbox and compromised the system once again, through not being aware of both the risks and indeed his own firm's data protection and cyber security policies, which would have required data to be scanned before being uploaded to the system. The free version of Dropbox did not require downloaded documents to pass through the firm's normal communication channels, which had been set up to scan for and detect viruses and other malware.

In order to ensure compliance, firms need to ensure that their data is kept securely and inside the EEA, preferably inside the UK for added post-Brexit certainty. One highly recommended option is a private encrypted cloud hosted on the firm's own servers, so that staff can enjoy all of the benefits of agile remote working without onerous security measures getting in the way of flexibility, while still maintaining a secure off-site backup that fits in with any disaster recovery plan.

More: The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyber attacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.

Tags: cyber security

About the author

Peter Wright is a solicitor and managing director of Digital LawUK. He is chair of the Law Society Technology & Law Reference Group. Follow Peter on Twitter
