How to identify a cyber-attack
As well as taking steps to protect your systems against a cyber attack, it’s important to understand the different types of attack you might face.
If your firm is attacked, knowing what has happened can help limit damage and restore your systems quickly.
This guide explains how to recognise and prevent different threats.
The National Cyber Security Centre (NCSC) has more information on how to reduce the impact of common cyber-attacks.
Malware
‘Malicious software’, known as malware, is designed to cause damage to computer systems.
Ransomware, spyware and viruses are examples of malware.
Malware attacks
Malware attacks usually trick someone into running or installing malware, although an attacker who already has access can also install it directly. Malware can get onto a system through:
- opening an infected email attachment
- connecting an infected device, such as a memory stick, to your computer
- visiting a hacked website where malware can download to your device
- viewing infected advertising
- a hacker installing it on your system
Once malware is on your system, it can:
- record everything that is typed, such as passwords or financial details
- copy, change or delete data
- use the system’s resources to coordinate other attacks
- help hackers get into your firm’s network and other systems
Preventing malware infections
To protect your systems and devices, you should:
- keep firewalls and anti-malware software up to date
- keep your operating system (for example, Windows) up to date
- create anti-malware policies for staff to follow
- train your staff on how to recognise an attack
Ransomware
Ransomware is one of the most common and damaging types of malware. It prevents you from accessing files or data unless you pay a ransom.
Ransomware can:
- encrypt data
- block you from accessing files
- steal information
This could lead to:
- lost files
- paying ransom costs
- reputational damage
- damage to client relationships. For example, you may not be able to meet client deadlines, complete on purchases or pursue court cases
Paying ransom
Paying ransom encourages and funds more ransomware.
Even if you pay the ransom:
- you might not get access to your data
- your computer system will still be infected
- attackers may increase ransom costs
- attackers may think you would pay ransoms in future
- data may already have been stolen during the attack, and paying does not stop it being leaked or sold
If your insurer covers data loss, it may have a policy on ransoms.
What to do after a malware attack
If your firm has been infected by malware, you should follow NCSC’s guidance on what to do if your organisation has been infected with malware.
The National Crime Agency encourages you to contact Action Fraud.
Learn more about what to do after a cyber-attack.
Limiting the impact of an attack
To limit the impact of a ransomware attack, you can:
- use access control so that encryption can spread no further than the data the affected user is able to write to
- limit access to your data and file systems to those with a business need
- keep backups of your data, including at least one copy that is offline or otherwise isolated from your network so ransomware cannot encrypt it too, and test that you can restore from it
The NCSC has guidance on mitigating malware and ransomware attacks.
Friday afternoon fraud
Criminals often target conveyancing firms with a scam called ‘Friday afternoon fraud’. This is a form of phishing attack.
Criminals hack into emails between you and your client and:
- contact the client pretending to be you, asking them to pay their completion funds into the fraudster’s bank account, or
- contact you pretending to be the client or the client’s bank, to get access to the client’s bank account details
It’s called Friday afternoon fraud because many conveyancing transactions take place on Friday afternoons. But these scams can happen at any time.
Recognising Friday afternoon fraud
You should check communications are genuine if:
- you receive unusual instructions that appear to have come from your client
- you receive instructions that change at short notice, for example you’re sent new bank details
- your client’s bank contacts you to report a security breach and asks for their account details
Protecting your clients
You should:
- tell your client not to email you on public wifi. Public wifi is a shared, untrusted network: even where a password is needed to join, other users or whoever runs the hotspot may be able to intercept information, and it is easy for a criminal to set up a rogue hotspot with a convincing name
- provide your firm’s client account bank details at the start of any transaction and tell them they’re unlikely to change. You can give this information to your client directly, in a letter or over the phone. You should not do this by email as it is not a secure form of communication
- tell your client not to transfer money to a bank account whose details don't match the ones you gave them
- confirm any change in your bank details using a secure method. This might be in person or over the phone on a trusted number
- call your client before and after they send you money. This allows you to confirm the transaction is genuine and the money has arrived safely
- ask the client to send a small amount first (for example £1) and check that your firm has received the money before they send the larger sum
Protecting your firm
If you’re suspicious of an email:
- call the client on a trusted number to confirm they sent the email
- pay a small amount (for example £1) into the bank account and check it has been received before sending any more
You may want to ask your client to give you a password when you first start working for them.
If you’re suspicious about any communications later, you can ask them for the password to confirm they’re the person contacting you.
You may also want to think about investing in an encrypted email service.
Resources
Read the Conveyancing Association’s Cyberfraud and Fraud Protocol for England and Wales.
Phishing
Phishing scams try to trick people into sharing personal or financial information by posing as someone trustworthy such as the police or your bank.
Phishing attacks usually happen through email. They can infect your computer with malware, disguised as an attached document or link.
They can also happen by phone (known as vishing), text message or social media.
Bigger firms are attractive to criminals because of the large amount of client data and money they hold.
Smaller firms are also at risk if they have not taken the necessary cybersecurity measures.
Types of phishing
There are two main types of phishing:
- mass emails sent out to thousands of people
- targeted emails sent to individuals where a criminal impersonates a client or someone the person knows at their firm. This is known as ‘spear phishing’
Spear phishing
These emails target a particular individual or firm. They can appear to be from a client, supplier or someone in your firm with their email signature and phone number. For example:
- a senior partner or director asking for payment of an attached invoice, which could contain false bank details or even a virus
- a security alert appearing to come from within your firm, asking you to change your password
If you’re unsure about an email, you should:
- consider the sender and their request carefully
- call the person and check the email is genuine
Recognising a phishing email
Be wary of emails:
- with poor grammar and spelling
- asking for personal or financial information
- with links to a website you don’t recognise
- requesting urgent action
- encouraging you to open any attachments
- where the sender’s email address may look unusual or unfamiliar
Preventing a phishing attack
You should:
- treat emails containing links or attachments with caution
- only open attachments from trusted sources. If in doubt, contact the sender to check if they actually sent the email
- check that links match the text that contains them by hovering your cursor over it – the web address should appear
- contact your IT department if you’re concerned
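The checks above can be partly automated. The script below is an added example written for this page, not code from the original guidance: it parses an email and flags the indicators listed above (a sender address that is not one of the firm's own domains, a subject demanding urgent action, and links whose visible text names a different site from the real destination, including links to a bare IP address). Both messages and every domain and address in them (example-law.co.uk, example-law-secure.com, 203.0.113.10) are constructed for illustration, and the set of trusted domains is an assumption for the example.

```python
"""Flag common phishing indicators in an email: untrusted sender domain,
urgent subject line, and link text that does not match the real destination.
Added example for this guidance page; all messages and domains are constructed."""
import ipaddress
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this (hypothetical) firm really sends mail from.
TRUSTED_DOMAINS = {"example-law.co.uk"}
URGENCY_WORDS = ("urgent", "immediately", "today", "within 24 hours")

# Constructed spear-phishing message impersonating a partner.
PHISHING_EMAIL = """\
From: "Jane Smith (Example Law)" <jane.smith@example-law-secure.com>
To: clerk@example-law.co.uk
Subject: URGENT - invoice for completion today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please pay the attached invoice before 5pm today.</p>
<p>Confirm on our portal:
<a href="http://203.0.113.10/login">https://portal.example-law.co.uk</a></p>
<p>Or <a href="https://example-law.co.uk/invoices">view invoices</a>.</p>
</body></html>
"""

# Constructed genuine internal message for comparison.
GENUINE_EMAIL = """\
From: "Jane Smith" <jane.smith@example-law.co.uk>
To: clerk@example-law.co.uk
Subject: Completion statement for Friday
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Statement is on the
<a href="https://portal.example-law.co.uk/matters/42">portal</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: last two labels, or three for co.uk-style
    suffixes. Enough for the example; real code should use a public suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def href_host(href):
    """Real destination host of a link, or None for non-HTTP links (mailto: etc.)."""
    parsed = urlparse(href.strip())
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def display_host(text):
    """Host the link *text* appears to name, or None if the text is not URL-like."""
    s = text.strip()
    if not re.fullmatch(r"(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?", s, re.I):
        return None
    return urlparse(s if "://" in s else "http://" + s).hostname


def check_email(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of 'CODE: detail' findings; an empty list means nothing was flagged."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)

    from_header = msg["From"]
    if from_header is not None and from_header.addresses:
        sender = from_header.addresses[0]
        if registrable_domain(sender.domain) not in trusted_domains:
            findings.append(f"SENDER_DOMAIN: {sender.display_name!r} sends from {sender.domain}")

    subject = str(msg["Subject"] or "")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(f"URGENT_SUBJECT: {subject}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            real = href_host(href)
            if real is None:
                continue
            shown = display_host(text)
            if shown and registrable_domain(shown) != registrable_domain(real):
                findings.append(f"LINK_MISMATCH: text shows {shown} but link goes to {real}")
            try:
                ipaddress.ip_address(real)  # a bare IP is a strong indicator
                findings.append(f"LINK_IP: link goes to a bare IP address {real}")
            except ValueError:
                if registrable_domain(real) not in trusted_domains:
                    findings.append(f"LINK_EXTERNAL: link goes to {real}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, check_email(raw) or ["no indicators"])
```

Running the script flags four indicators on the constructed phishing message (untrusted sender domain, urgent subject, link text pointing to the firm's portal while the real link goes to a bare IP address) and none on the genuine one. The domain comparison is deliberately simple; a filter you rely on should use a public suffix list and also check the SPF/DKIM results your mail gateway records.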
Protecting your firm
Most successful cyber-attacks rely on someone being tricked or making a mistake. Make sure your staff:
- understand phishing emails and their risks
- create strong, unique passwords for each account, change them if they may have been compromised, and turn on two-factor authentication where it is offered
- get extra support and training if they handle financial or sensitive information
- know to report a suspicious email to your firm’s compliance officer for legal practice or financial affairs. They are responsible for informing the Solicitors Regulation Authority (SRA)
You must make sure that you have appropriate cybersecurity in your firm. You should have:
- email filters to scan and approve or block emails
- up-to-date anti-malware and antivirus software
- an incident response plan in case of attack
Learn more about cybersecurity for solicitors.
Reporting a phishing attack
You must tell the SRA immediately if you lose client money or information through a phishing attack. The SRA will expect you to:
- tell the client
- repay any client money you lost
- take steps to reduce risks of a further attack
It is usually difficult to get your money back after a phishing attack. But you must tell the SRA about the attack even if you manage to recover the money.
If you lose clients’ personal data and the breach is likely to result in a risk to their rights and freedoms, you must report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
If you receive a suspected phishing email, you can report it to:
Resources
The NCSC has guidance on how to defend your organisation from phishing attacks.
Vishing
Vishing is a phone-based phishing scam. A criminal will pretend to be from an official organisation, for example a bank, and ask you for personal or financial information.
This may be used to steal money or commit identity fraud.
Recognising vishing calls
The most common vishing call is a recorded message in a computer-generated voice.
It says there has been suspicious activity on a credit card or bank account and tells you to call a number to sort things out.
Calling this number takes you to another recorded message which asks you to enter your card number and other details.
Once criminals have your information, they’re free to use it as they want.
You may get a vishing call from a real person. They’ll often pose as someone from your bank and ask you to confirm details about your identity, including your account number. They may rush you to give them the information.
Criminals may also pretend to be from an IT support company to get remote access to your computer system.
Preventing a vishing attack
You should:
- never give out personal or financial information to an unsolicited caller. A real bank will not ask you for your full password, PIN or card details. If in doubt, hang up and call the organisation back on a number you already trust, such as the one printed on your card or statement
- train your staff to recognise vishing calls
Reporting an attack
Your firm’s compliance officer for legal practice or financial affairs must tell the Solicitors Regulation Authority (SRA) immediately if you lose client money or information through a vishing attack.
The SRA will expect you to:
- tell the client
- repay any client money you lost
- take steps to reduce risks of a further attack
It’s usually difficult to get your money back after a vishing attack. You must tell the SRA about the attack even if you manage to recover the money.
If you receive a suspected vishing call, you can report it to:
Data breach
A data breach is the release of private information to unauthorised people or into uncontrolled environments, for example the internet.
This can happen on purpose or accidentally.
It’s likely that your firm will suffer a data breach at some point. There are steps you can take to prevent a data breach.
Causes of a data breach
Law firms hold personal and financial data that make them attractive targets to cyber criminals. Breaches can also be caused by staff.
The main causes of a data breach in law firms include:
- loss or theft of paperwork
- data sent to the wrong person
- loss or theft of an unencrypted device
Reporting
Your reporting duties will depend on the kind of data that is released.
The General Data Protection Regulation (GDPR) defines ‘personal data’, and the reporting duties below apply only to breaches involving it.
If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, you must report the breach to the ICO.
Data controllers can be fined more than £10m for failing to report a breach.
Learn more about cybersecurity and GDPR.
You can report all breaches to:
This will raise awareness of current risks and allow others to learn from the event.
You may need to notify the data subject if the breach is likely to result in a high risk to their rights or freedoms under the EU Charter of Fundamental Rights and other protections.
You may not need to do this if you can show the data was protected by a measure that makes it unintelligible to anyone who obtained it, for example it was encrypted and the key was not compromised.
Resources
Learn how to protect your firm from a cyber-attack.
Read the ICO’s guidance on reporting a data breach.
Supply chain attacks
A supply chain attack targets less secure parts of your supply network.
Supply chain attacks are common. They often happen when third party suppliers do not protect the systems that hold your sensitive data.
Through your suppliers, cyber criminals may:
- watch the process of a transaction and attack when money is about to change hands
- access corporate clients’ information
If an attack happens, firms and clients could lose:
- funds
- control over sensitive data
- their reputation
Software
External software and hardware should be:
- vetted before you use it
- monitored for potential security risks
- patched regularly
Choosing and monitoring your suppliers
You may want to:
- review who is accessing your firm’s data
- use IT tools to prevent unauthorised applications running on your system and to flag up suspicious activity
- have a response plan in place if an attack does happen
- make sure you have cyber insurance