How to identify a cyber attack
As well as taking steps to protect your systems against a cyber attack, it’s important to understand the different types of attack you might face.
If your firm is attacked, knowing what’s happened can help limit damage and restore your systems quickly.
This guide explains how to recognise and prevent the different threats.
The most common cybercrimes are phishing and vishing scams. They rely on people being tricked into sharing secure information. Law firms are a common target for a type of phishing attack known as “Friday afternoon fraud”.
Data breaches must be reported to the Information Commissioner's Office within 72 hours of being discovered. Everyone in your firm should know how to do this.
Supply chain attacks target less secure parts of your supply network. You should know how to monitor your suppliers and manage the risk.
‘Malicious software’, known as malware, is designed to cause damage to computer systems.
Ransomware, spyware and viruses are examples of malware.
Malware attacks trick you into installing malware onto a system. You can download malware by:
- opening an infected email attachment
- connecting an infected device, such as a memory stick, to your computer
- visiting a hacked website where malware can download to your device
- viewing infected advertising
- a hacker installing it on your system
Once malware is on your system, it can:
- record everything that is typed, such as passwords or financial details
- copy, change or delete data
- use the system’s resources to coordinate other attacks
- help hackers get into your firm’s network and other systems
Preventing malware infections
To prevent your system and devices, you should:
- keep firewalls up to date and keep anti-malware software up to date
- keep your operating system (for example, Windows) up to date
- create anti-malware policies for staff to follow
- train your staff on how to recognise an attack
What to do after a malware attack
If your firm has been infected by malware, you should follow the guidance on what to do if you or your organisation has been infected with malware on the NCSC website.
The National Crime Agency encourages you to contact Action Fraud.
Read more about what to do after a cyber attack
Ransomware is the most common type of malware. It prevents you from accessing files or data unless you pay a ransom.
- encrypt data
- block you from accessing files
- steal information
This could lead to:
- lost files
- paying ransom costs
- reputational damage
- damage to client relationships (you may not be able to meet client deadlines, complete on purchases or pursue court cases)
Paying ransom encourages and funds more ransomware.
Even if you pay the ransom:
- you might not get access to your data
- your computer system will still be infected
- attackers may increase ransom costs
- attackers may think you would pay ransoms in future
- data may have been stolen or encrypted during the attack
If your insurer covers data loss, it may have a policy on ransoms.
Limiting the impact of an attack
To limit the impact of a ransomware attack, you can:
- have good access control to limit the extent of the encryption to just the data owned by the affected user
- limit access to your data and file systems to those with a business need
- have a backup of your data
Criminals often target conveyancing firms with a scam called “Friday afternoon fraud”. This is a form of phishing attack.
Criminals hack into emails between you and your client and then:
- contact the client pretending to be you, asking them to pay their completion funds into the fraudster’s bank account, or
- contact you pretending to be the client or the client’s bank, to get access to the client’s bank account details
It’s called Friday afternoon fraud because many conveyancing transactions take place on Friday afternoons. But these scams can happen at any time.
How to recognise Friday afternoon fraud
You should check communications are genuine if:
- you receive unusual instructions that appear to have come from your client
- you receive instructions that change at short notice, for example you’re sent new bank details
- your client’s bank contacts you to report a security breach and asks for their account details
How to protect your clients
- tell your client not to email you on public wifi (public wifi is not password protected, so criminals can easily get hold of information)
- give your client your firm’s client account bank details at the start of any transaction and tell them they’re unlikely to change. You can give this information to your client directly, in a letter or over the phone. You should not do this by email as it is not a secure form of communication
- tell your client not to transfer money to a bank account whose details don't match the ones you gave them
- confirm any change in your bank details using a secure method. This might be in person or over the phone on a trusted number
- call your client before and after they send you money. This allows you to confirm the transaction is genuine and the money has arrived safely
- ask the client to send a small amount first – for example £1 - and check that your firm has received the money before they send the larger sum
How to protect your firm
If you’re suspicious of an email:
- call the client on a trusted number to confirm they sent the email
- pay a small amount – for example £1 – into the bank account and check it has been received before sending any more
You may want to ask your client to give you a password when you first start working for them.
If you’re suspicious about any communications later, you can ask them for the password to confirm they’re the person contacting you.
You may also want to think about investing in an encrypted email service.
Joint property and title fraud advice note – practical guide on how to spot potential fraud
IT Security: keeping information and money safe – advice from the Solicitors Regulation Authority (SRA)
Cyberfraud and Fraud Protocol for England and Wales – guidance from the Conveyancing Association
Phishing scams try to trick people into sharing personal or financial information by posing as someone trustworthy such as the police or your bank.
Phishing attacks usually happen through email and can infect your computer with malware, disguised as an attached document or link. They can also happen by phone (known as vishing), text message or social media.
Bigger firms are attractive to criminals because of the large amount of client data and money they hold. Smaller firms are also at risk if they have not taken the necessary cybersecurity measures.
Types of phishing
There are two main types of phishing:
- mass emails sent out to thousands of people
- ‘spear phishing’ - targeted emails sent to individuals where a criminal impersonates a client or someone the person knows at their firm
Recognising a phishing email
Check for emails:
- with poor grammar and spelling
- asking for personal or financial information
- with links to a website you don’t recognise
- requesting urgent action
- encouraging you to open any attachments
- where the sender’s email address may look unusual or unfamiliar
Preventing a phishing attack
- treat emails containing links or attachments with caution
- only open attachments from trusted sources – if in doubt, contact the sender to check if they actually sent the email
- check that links match the text that contains them by hovering your cursor over it – the web address should appear
- contact your IT department if you’re concerned
These emails target a particular individual or firm. They can appear to be from a client, supplier or someone in your firm with their email signature and phone number, such as:
- a senior partner or director asking for payment of an attached invoice, which could contain false bank details or even a virus
- a security alert appearing to come from within your firm, asking you to change your password
- consider the sender and their request carefully
- call the person and check the email is genuine
If you’re unsure how to recognise these emails, you should:
Protecting your firm
Cyber attacks usually succeed because of human error. Make sure your staff:
- recognise phishing emails and their risks
- create strong passwords and change them regularly
- are given extra support and training if they handle financial or sensitive information
- know to report a suspicious email to your firm’s compliance officer for legal practice or compliance officer for financial affairs – they are responsible for informing the Solicitors Regulation Authority (SRA)
You must make sure that you have appropriate cybersecurity in your firm. You should have:
- email filters to scan and approve or block emails
- up-to-date malware and virus software
- an incident response plan in case of attack
Reporting a phishing attack
You must tell the SRA immediately if you lose client money or information through a phishing attack. It will expect you to:
- tell the client
- repay any client money you lost
- take steps to reduce risks of a further attack
It is usually difficult to get your money back after a phishing attack. But you must tell the SRA about the attack even if you manage to recover the money.
If you lose clients’ personal data you must report it to the Information Commissioner’s Office within 72 hours of discovering the breach.
If you receive a suspected phishing email, you can report it to:
The cyber threat to UK legal sector – National Cybersecurity Centre 2018 report on how law firms can protect themselves against cyber crime
Vishing is a phone-based phishing scam. A criminal will pretend to be from an official organisation, for example a bank, and ask you for personal or financial information.
This may be used to steal money or commit identity fraud.
Recognising vishing calls
The most typical vishing call is a recorded message in a computer-generated voice. It says there has been suspicious activity on a credit card or bank account and tells you to call a number to sort things out.
Calling this number takes you to another recorded message which asks you to enter your card number and other details. Once criminals have your information they’re free to use it as they want.
You may get a vishing call from a real person. They’ll often pose as someone from your bank and ask you to confirm details about your identity, including your account number. They may rush you to give them the information.
Criminals may also pretend to be from an IT support company in order to get remote access to your computer system.
Preventing a vishing attack
- never give out personal or financial information – real banks will not ask you for this
- train your staff to recognise vishing calls
Reporting an attack
Your firm’s compliance officer for legal practice or compliance officer for financial affairs must tell the Solicitors Regulatory Authority (SRA) immediately if you lose client money or information through a vishing attack.
It will expect you to:
- tell the client
- repay any client money you lost
- take steps to reduce risks of a further attack
It’s usually difficult to get your money back after a vishing attack. You must tell the SRA about the attack even if you manage to recover the money.
If you receive a suspected vishing call, you can report it to:
A data breach is the release of private information to unauthorised people or into uncontrolled environments, for example the internet. This can happen on purpose or accidentally.
It’s likely that your firm will suffer a data breach at some point. There are steps you can take to defend against this.
Causes of a data breach
Law firms hold personal and financial data that make them attractive targets to cyber criminals. Breaches can also be caused by staff.
The main causes of a data breach in law firms include:
- loss or theft of paperwork
- data sent to the wrong person
- loss or theft of an unencrypted device
Your reporting duties will depend on the kind of data that is released.
The General Data Protection Regulation (GDPR) defines personal data and limits its scope to such data.
If a breach of personal data is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO. Data controllers can be fined more than £10m for failing to report a breach.
You can report all breaches to:
This will raise awareness of current risks and allow others to learn from the event.
You may need to notify the data subject if the breach is likely to result in a high risk to their rights or freedoms under the EU Charter of Fundamental Rights and other protections.
You may not need to do this if you can prove the data was protected with encryption or a similar security measure.
A supply chain attack targets less secure parts of your supply network.
Supply chain attacks are common. They often happen when third party suppliers do not protect the systems that hold your sensitive data.
Through your suppliers, cyber criminals may:
- watch the process of a transaction, striking when money is about to change hands
- access corporate clients’ information
If an attack happens, firms and clients could lose:
- control over sensitive data
- their reputation
Managing the risk
External software and hardware should be:
- vetted before use
- monitored for potential security risks
- patched regularly
Choosing and monitoring your suppliers
You should check that your suppliers have appropriate cybersecurity controls in place.
Partnering with large, established companies can reduce risk because they are more likely to use appropriate cybersecurity controls.
You should consider:
- evaluating your suppliers’ security and privacy policies
- including security in service agreements with suppliers
- assessing your suppliers, for example through a customer visit or audit
- asking to see details of any previous audits carried out on the supplier
Actions for firms
You may want to:
- review who is accessing your firm’s data
- use IT tools to prevent unauthorised applications running on your system and to flag up suspicious activity
- have a response plan in place if an attack does happen
- make sure you have cyber insurance
Supply chain security guidance – National Cybersecurity Centre advice on controlling your supply chain