Friday afternoon fraud, the practice by which law firms are tricked into giving bank details to fraudsters, usually as conveyancing transactions are being completed, is now the biggest cybercrime afflicting the legal sector.
Using a real-life case study, Oz Alashe, CEO and founder of Cybsafe, illustrates the real risks, both financial and reputational, that Friday afternoon fraud can wreak on your firm, and how you can protect yourself and your clients.
In October 2016, the legal practice John Doe & Sons (not its real name) added a warning to the bottom of its email signature.
‘Please note that this firm’s bank account details will not change during the course of a transaction and we will not change our bank account details via email,’ the warning read, after identifying a ‘significant risk posed by cyber fraud, specifically affecting email accounts and bank account details’.
The warning was issued to combat the rising threat from Friday afternoon fraud, the most prominent cybercrime in the legal sector today. It takes its name from the fact that the scam is typically launched on Fridays, when conveyancing transactions are completed. In fact, it was responsible for 75 per cent of all cybercrimes reported to the Solicitors Regulation Authority (SRA) in 2016.
Although this fraud tends to happen on Friday afternoons, this isn’t always the case. Criminals may target you any time of the day or week, so ensure you maintain constant vigilance.
The underlying mechanics of Friday afternoon frauds vary, but frequently involve some form of email interception. The scam usually sees legal practices mistakenly emailing fraudsters and not the client, and/or clients mistakenly emailing fraudsters posing as the law firm. The latter is what John Doe & Sons’ new warning message was attempting to combat.
The trouble is, the message appeared too late.
Days before John Doe’s new warning appeared, Mr X was in the final stages of buying a flat in south London. Mr X had appointed John Doe & Sons as his conveyancing solicitors and was now preparing to complete.
When any employee can jeopardise your firm’s security with a single careless mouse-click, it should be clear that mitigating information security risks is about far more than implementing processes, and installing antivirus and anti-malware programs. A more proactive approach is needed.
On Thursday 29 September 2016, Mr X transferred £45,000 over to John Doe’s account. The money was the first tranche of a total of £119,837 he’d eventually need to transfer.
Mr X had expected the transfer to be swift, but was promptly informed the £45,000 could take up to three days to clear. Knowing the total needed to be with the solicitors before completion, Mr X emailed the practice asking how he could get the rest of the money – a total of £74,837 – to them before deadline day. Unfortunately, the conversation was hijacked.
Conversing with fraudsters
Mr X’s email triggered a seemingly legitimate reply stating the firm’s usual bank account could not receive CHAPS or BACS payments. The email advised him to pay the money into a different account. Mr X duly transferred £67,000 to the new account, and then a final £7,837 into a third account.
Two days later, John Doe contacted Mr X requesting the outstanding funds – most of which had already been withdrawn by the fraudsters.
The dangers of public wifi
It’s still unclear how the communication loop between Mr X and his solicitors was hijacked, but such cases often involve insecure, non-password-protected public wifi networks.
Data transmitted and received on insecure networks are readily available to hackers. Mr X was travelling when he attempted to communicate with his solicitors, which makes it entirely possible (though not guaranteed – Mr X believes the fault to lie with the legal practice) the email chain was hijacked through insecure public wifi. If that was indeed the case, all the hackers had to do was say the right things at the right time. This they duly did, eventually convincing Mr X to wire them £74,837 (some of which has since been recovered).
If public wifi scams are easy to fall for, they’re equally simple to counter. Step one is, quite simply, ensuring that people do not connect to public wifi when communicating with legal practices. Should clients need a wifi connection in a public place, tethering a connection through a smartphone is a much safer bet. If they absolutely must connect to public wifi, using a secure VPN keeps outgoing and incoming data safe from interception.
The threat to legal firms
While it was the client and not the law firm that was left out of pocket here, you may wonder how much cause for concern Friday afternoon fraud really warrants. The answer is: a great deal.
For a start, legal practices arguably have a duty to protect their clients – who may have no knowledge of such scams whatsoever.
The case also triggered a whole host of negative media attention for John Doe. Solicitors asserted in the mainstream media that it was in fact [Mr X’s] ‘own careless actions that led to his loss’. That may be, but it’s far from an advert for future custom for John Doe.
It’s just as easy for fraudsters to impersonate clients as it is for them to impersonate legal firms. In April 2015, Attwells Solicitors transferred £400,000 of a client’s money over to fraudsters. Just two months earlier, Perry Hay & Co was conned out of £333,500.
Finally, let’s not forget Friday afternoon fraud accounted for 75 per cent of all cybercrimes reported to the SRA in 2016. It is a very real threat that all legal practices must take proactive steps to defend themselves against.
What can firms do?
By taking simple steps, your firm can ensure it does not fall victim to Friday afternoon fraud.
Advising clients of the dangers early on – as we’d advise all law firms to do – is essential. John Doe had the right idea, but executed it too late.
Verify that anyone requesting funds is who they say they are via an independent communication channel. Checking an identity via an outbound call to a number you know to be uncompromised is usually enough. A video call is even better.
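The two controls above (warn clients that bank details never change by email, and verify any request for funds out of band) can be backed up by a simple screening rule on inbound mail. The following is an added example, not Cybsafe's code or anything used by the practice in the case study: it flags messages whose Reply-To domain differs from the From domain, whose sending domain is a lookalike of the counterparty's known domain, or whose body carries the "our usual account cannot receive CHAPS or BACS, pay into this other account instead" language seen above, and holds them for a phone call on a known number. The firm domain and both sample messages are constructed placeholders.

```python
"""Screen inbound conveyancing e-mail for signs of a hijacked thread.

Added example, not the practice's or Cybsafe's own code. The domain and
the two sample messages are constructed placeholders.
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed placeholder for the counterparty's genuine sending domain.
FIRM_DOMAIN = "johndoe-example.co.uk"

# Wording that signals a change of payment destination. Any hit is enough
# on its own to hold the message, because the firm's policy is that bank
# details never change by e-mail.
STRONG_PATTERNS = [
    r"bank (account )?details? (have|has) (now )?changed",
    r"(cannot|can't|unable to) (receive|accept) (chaps|bacs)",
    r"\b(pay|transfer|send|remit)\b[^.]{0,60}\b(different|new|alternative|following) account",
]
# Presence of account details: weak evidence, scored one point each.
WEAK_PATTERNS = [r"sort code", r"account number", r"\biban\b"]


@dataclass
class Finding:
    score: int
    reasons: list


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if the domain is near, but not equal to, the trusted domain."""
    return domain != trusted and edit_distance(domain, trusted) <= 2


def screen(headers: dict, body: str, trusted_domain: str) -> Finding:
    """Score one message. Header anomalies count 3, lure wording 3, details 1 each."""
    score, reasons = 0, []
    from_dom = domain_of(headers.get("From", ""))
    reply_dom = domain_of(headers.get("Reply-To", ""))

    if reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom, trusted_domain):
        score += 3
        reasons.append(f"From domain {from_dom} is a lookalike of {trusted_domain}")
    if any(re.search(p, body, re.IGNORECASE) for p in STRONG_PATTERNS):
        score += 3
        reasons.append("message asks for payment to a changed or alternative account")
    weak_hits = sum(1 for p in WEAK_PATTERNS if re.search(p, body, re.IGNORECASE))
    if weak_hits:
        score += weak_hits
        reasons.append(f"{weak_hits} bank-detail field(s) present in body")
    return Finding(score, reasons)


def needs_verification(finding: Finding) -> bool:
    """Hold the message and confirm by phone on a known number if True."""
    return finding.score >= 3


# Constructed sample modelled on the case study (not the real messages).
FRAUD_HEADERS = {
    "From": "Completions Team <completions@johndoe-examp1e.co.uk>",
    "Reply-To": "johndoe.completions@webmail-example.com",
}
FRAUD_BODY = (
    "Our usual client account cannot receive CHAPS or BACS payments at present. "
    "Please transfer the balance to the following account instead: "
    "sort code 00-00-00, account number 00000000."
)
BENIGN_HEADERS = {"From": "Completions Team <completions@johndoe-example.co.uk>"}
BENIGN_BODY = (
    "Please find attached the completion statement for your purchase. "
    "The balance of funds should reach our client account by Thursday."
)

if __name__ == "__main__":
    for label, hdrs, body in (("suspect", FRAUD_HEADERS, FRAUD_BODY),
                              ("benign", BENIGN_HEADERS, BENIGN_BODY)):
        f = screen(hdrs, body, FIRM_DOMAIN)
        print(label, f.score, "HOLD" if needs_verification(f) else "pass", f.reasons)
```

The threshold is deliberately low: a single mismatch between Reply-To and From, or a single sentence redirecting payment, is enough to hold the message. The cost of a false positive is one phone call on a number already on file; the cost of a false negative is the £74,837 described above. The rule should run on the client-facing mailbox of the firm and, where the firm can influence it, on the client's side too, since impersonation runs in both directions.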
As the LSE cyberlaw lecturer Mark Leiser put it earlier this year, in today’s climate, ‘a law firm that relies on passive defences is doomed’.