
Beware of the phish – how to stay ahead of the scammers

03 May 2017

UPDATED 10 May 2017: Following great discussion on social media, it is probably helpful to highlight that the risk from using cloud storage systems comes in particular from using the free online versions, which the original post refers to. Read Peter's update below about Dropbox, regulatory compliance and how a law firm was penalised by the ICO for having used a cloud storage system designed for private users for business purposes.

Targeted phishing emails and other online scams aimed at law firms are becoming ever more sophisticated. With the imminent arrival of the General Data Protection Regulation in May 2018, spotting the warning signs is more imperative than ever – and non-compliance is simply not an option, says Peter Wright

Phishing emails are fraudulent emails appearing to come from legitimate sources. They often direct you to a facsimile of a trusted website (like a bank's), entice you to open a legitimately named attachment, or otherwise get you to divulge private information. This is then used by cybercriminals to commit identity theft.

Targeted phishing emails now look ever more genuine. You could receive an email that you think is from a client. It could be sophisticated enough to have an email signature with a contact phone number. The person at the other end will sound plausible. It's only when you do a little investigating that you realise that this isn't the usual contact number for the client. Only trust the verifiable contact information you have for the client on your own system. Don't simply go back to your last email and scroll down to the signature for contact details, as the email and the information could be fraudulent.

Don't assume that because an email is internal it is safe – I have heard of some firms' email account servers being compromised to the point where internal emails have been hijacked. If you receive a request that you were not expecting, it’s worth a walk to someone else’s desk just to double check the request is genuine. Better this than for a six-figure sum to vanish from your client account, which is precisely what has happened to many other law firms recently.

Multi-channel attacks

Criminals are now attempting cyberattacks through many different channels - phone, email, social media. I have heard of an accountancy firm in Europe which received an email from a purported client who said it wanted to buy a company that minute. Within two hours, the firm received a series of emails and phone calls from the 'client' reiterating its instructions. It was only when the actual client returned from holiday that the firm found out that it was a scam and hundreds of thousands of euros had been paid into a fake account and transferred away by the fraudsters.

If you receive instructions in this way, think like a journalist: they won't publish a story without two sources. If you receive major financial instructions by email, get your two stages of authorisation:

  • call the client on your trusted contact number for them
  • confirm their wishes to be sure you are speaking to the real person before going ahead.
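The advice above comes down to one rule: trust only the contact details held on your own system, never those inside the message. As an added illustration (not code from the original article or from the Law Society), the script below applies that rule to an inbound email: it looks the sender's domain up in a constructed trusted client directory, flags a display name that claims a known client from an unknown domain, flags a Reply-To that points somewhere other than the sender's domain, and compares any phone number in the signature against the number the firm holds on file. The directory, the sample messages, the phone-number normalisation rule and the function names are all assumptions made for this example.

```python
"""Added example: check an inbound email's contact details against a firm's
own trusted client directory instead of trusting the signature in the message.

The trusted directory, the sample messages and the phone normalisation rule
are constructed for this illustration and are not from the original article.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trusted directory: what the firm holds on its own system,
# keyed by the client's known email domain.
TRUSTED_CLIENTS = {
    "acme-holdings.example": {"name": "Acme Holdings", "phone": "+442079460001"},
}

# Loose phone pattern: optional '+', then digits with spaces, brackets, dots or dashes.
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")


def normalise_phone(raw: str) -> str:
    """Digits only, with a leading UK '0' treated as '+44' (constructed rule for comparison)."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return "+" + digits


def plain_text_body(msg) -> str:
    """Return the first text/plain part decoded, or '' if there is none."""
    part = next((p for p in msg.walk() if p.get_content_type() == "text/plain"), None)
    if part is None:
        return ""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def check_message(raw_email: str) -> list:
    """Return a list of warning strings; an empty list means no indicator fired."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    warnings = []

    client = TRUSTED_CLIENTS.get(domain)
    if client is None:
        # A display name naming a known client from an unknown domain is the classic lookalike.
        for known_domain, rec in TRUSTED_CLIENTS.items():
            if rec["name"].lower() in display_name.lower():
                warnings.append(
                    f"display name claims {rec['name']} but domain {domain!r} is not {known_domain!r}"
                )
        if not warnings:
            warnings.append(f"sender domain {domain!r} is not in the trusted directory")
        return warnings

    # A Reply-To on another domain sends your reply elsewhere even though From looks right.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        warnings.append(f"Reply-To {reply_to!r} differs from sender domain {domain!r}")

    # Compare the signature's number with the number on file, not the other way round.
    sig_phones = {normalise_phone(m) for m in PHONE_RE.findall(plain_text_body(msg))}
    if sig_phones and client["phone"] not in sig_phones:
        warnings.append(
            f"signature phone(s) {sorted(sig_phones)} do not match trusted number {client['phone']}"
        )
    return warnings


# Constructed sample messages.
GENUINE = """From: Jane Doe <jane@acme-holdings.example>
To: fee-earner@firm.example
Subject: Completion funds

Please proceed as discussed.
Jane Doe, Finance Director
Tel: 020 7946 0001
"""

SPOOFED = """From: Jane Doe <jane@acme-holdings.example>
Reply-To: jane.doe@acme-holdings-finance.example
To: fee-earner@firm.example
Subject: URGENT: change of bank details

We have changed our bank. Call me on the number below to confirm.
Jane Doe, Finance Director
Tel: +44 20 7946 9999
"""

LOOKALIKE = """From: Acme Holdings Finance <finance@acme-holdings-finance.example>
To: fee-earner@firm.example
Subject: Completion funds

Please proceed as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, check_message(sample) or "no indicators")
```

The genuine message produces no warnings because its signature number normalises to the number on file; the spoofed one is flagged twice (Reply-To on another domain, and a phone number that does not match the directory), and the lookalike once. A check like this only supports the human step the article describes: the call back on the trusted number still has to happen.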

Make sure that whatever medium you are using to either store or transmit personal data - in particular, data relating to your clients - is secure and encrypted. Avoid free cloud-based systems like Dropbox or Google Drive to communicate with clients or receive confidential data. They are not secure or encrypted, and you are effectively in legal and regulatory breach by using them for client-related activity as their servers are based in the cloud and most likely in the United States.

Regulation is coming

There is an added imperative to take your data protection obligations seriously with the EU General Data Protection Regulation (GDPR) becoming law in the UK and across Europe in May 2018. It will continue to apply to all businesses exporting goods or services into the European Single Market, regardless of any future legal and regulatory settlement reached by the UK with the EU.

The GDPR has many major requirements. The biggest risk for law firms is the notification of a breach to the Information Commissioner's Office (ICO) within 72 hours. The ICO will want to know:

  • what systems and information have been compromised
  • that your firm has isolated the cyber attack so that data is no longer being compromised
  • that you have worked out what personal data has been compromised and how
  • what steps you are taking to
  • how you will ensure it doesn't happen again.

I heard of one small, two-partner insolvency practice which had a breach recently. By the time it had spoken to its insurers, and the insurers had instructed their own solicitors and given their views on the notification and their concerns over conceding any issues around liability, almost three weeks had passed before it notified the ICO.

72 hours may seem like a long time, but many firms don't know about a breach for weeks or even months after it has happened. My advice is to carry out a cybersecurity breach simulation, working out the necessary resources and lines of communication including who will be responsible for reporting the breach to your insurers, bank, clients, staff, or the police. A stakeholder delaying your report to the ICO could lead to regulatory action being taken against your firm.

If firms have not already begun work on achieving compliance with the GDPR, they will find it impossible to achieve full compliance by May 2018. At this point, it's a matter of working out how non-compliant you are prepared to be. You will have to cherry-pick what you can and cannot afford to comply with, and put the rest in place as quickly as possible.

UPDATED 10 May 2017: Following great discussion on social media this weekend, it is probably helpful to highlight that the risk from using cloud storage systems comes in particular from using the free online versions – which the original post refers to.

Dropbox in particular is an interesting example. While it is true that Dropbox is one of the more secure free cloud storage solutions available, with some security features and encryption in place, the following should be considered from a regulatory compliance perspective:

  • The free version of Dropbox does not allow a choice of jurisdiction as to where user data is stored. This choice is available, but only for paying business customers.

  • The differentiation between the free version of Dropbox and the business version is an important one. The Terms and conditions of Use for the freely available versions of Dropbox state that:
    The UK is not a jurisdiction that makes this type of limitation of liability unlawful. And it makes it quite clear that they will not be held liable for losses from failing to keep your data secure. This will fall squarely on the user if the user is a business, like a law firm.

  • The leading case of a law firm facing action from the UK Information Commissioner remains ACS Law, where a law firm was penalised by the ICO for having used a cloud storage system designed for private users for business purposes. The ICO made it clear in issuing a monetary penalty notice that a law firm was held to a higher standard compared to other data controllers, as it should have understood its responsibilities as a data controller, and as a result the amount of the fine was commensurately higher. Consequently, where a law firm depends on a free or very low-cost cloud service that is not intended for business use, it could face regulatory action for any data protection breach from both the ICO and the SRA, along with civil liabilities to any of the data subjects affected.

It should be emphasised that there is no issue with businesses that are paying a premium for the Dropbox business service; again, the original post referred only to the free version. Any business users should consider looking at Dropbox's subscription services, which allow users to specify that data should remain in the European Economic Area, as well as requiring two-factor authentication on all accounts.

Furthermore, the issue here is not the use of Dropbox or other free cloud software in and of itself. It is more the use of such products in organisations without any internal governance, policies or procedures, such as where business-related files and data are being uploaded to the cloud by members of staff because it is convenient, without any awareness of the risks, such as CryptoLocker, the most common form of ransomware. I know of one law firm where a partner was using a free version of Dropbox to take instructions from a client and inadvertently found their system locked down with ransomware, requiring a full reset from their backup. Once they were back up and running, the same partner went back into Dropbox and compromised the system once again through not being aware of both the risks and indeed his own firm's data protection and cyber security policies, which would have required data to be scanned before uploading on to the system. A free version of Dropbox did not require downloaded documents to pass through the firm's normal communication channels that had been set up to scan and detect viruses and other malware.

In order to ensure compliance, firms need to ensure that their data is kept securely and inside the EEA, preferably inside the UK for added post-Brexit certainty. One highly recommended option is a private encrypted cloud for the firm on its own servers, so that staff can enjoy all of the benefits of agile remote working without onerous security measures getting in the way of flexibility, while still maintaining a secure off-site backup that fits in with any disaster recovery plan.

More: The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyber attacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.

Tags: cyber security

About the author

Peter Wright is a solicitor and managing director of Digital LawUK. He is chair of the Law Society Technology & Law Reference Group. Follow Peter on Twitter
