Why email account takeovers are now a major threat to law firms

Email account takeovers are quickly becoming the most common cyber-threat, and can result in financial and reputational loss. David Fleming, chief technology officer at Mitigo, explains what makes your law firm an easy target.

What is the biggest cybersecurity issue law firms are facing at the moment?

We are seeing really concerning levels of email account takeovers. It is particularly prevalent in law firms which have moved to cloud-based email facilities (e.g. Office 365).

An email account takeover is where a criminal has been able to sign into your email account using your own log-in details. Typically, the criminal will try and stay hidden, looking at email traffic, searching for an opportunity to commit a crime. Most often, they are looking for movements of money / payments. They will attempt to divert the money into their own bank account, from which it is moved quickly and is rarely retrievable.

So, they are literally reading each of my emails?

Often, they will start by looking at your most recent emails or drafts, identifying any immediate opportunities. Then, we see two different approaches.

In one, they set up an automatic mail forward to their own email account, auto-deleting the evidence. The emails are then filtered for potential money movements. The second approach is a little more hands-on: they find ‘senders’ of incoming emails of interest (e.g. ones discussing investments or payments of fees) and then divert everything that comes from this ‘sender’ to the RSS folder, which is a default folder in every inbox. They log in frequently to find things of interest and reply to emails as if they are you: remember, you have never seen the original incoming email.

Are there any other consequences besides financial loss?

Yes. Law firms that are breached in this way will need to look at what the criminal has had access to and consider their reporting obligations to the SRA, the ICO and individual clients. Loss of client trust may be the greatest damage. Regulatory fines and reputational damage can be significant, and criminals may even attempt ransom once the ‘takeover’ is discovered, if they think they have uncovered something sensitive. There’s also the wasted hours of senior partners in trying to resolve the problems.

Who should worry about this? How do the criminals choose their victims?

The first thing to understand is that the cybercriminal does not discriminate; they gather all the credentials they can get their hands on, and attack everyone on that list. They buy log-in credentials from the dark web, attempt to break weak passwords, or harvest sign-in details from email phishing campaigns. At that point, they load the information into an automated tool that systematically works through the list, seeing what doors they can open (and rotate through different login pages, e.g. Office 365). So, everyone is a target if you have email, but you only become a victim if your ‘door’ isn’t locked properly.

Is it as simple as don’t lose your password?

Not really. You should understand how easy it is to end up on the target list, for example by:

  1. A data breach – companies lose data when their systems are hacked. This happens surprisingly often. Millions of personal details and passwords are stolen every year.
  2. Using a weak or common password, or one that relates to names associated with you.
  3. Reusing an identical or similar password on multiple accounts and subscriptions.
  4. Phishing attacks – large-scale blanket emails are sent to thousands of people. They look very credible and ask you to ‘log in’ on a fake web page or pop-up, where they record your password.

How do we protect ourselves?

We recommend five immediate steps, whether you have spotted suspicious activity or not.

  1. Change your password to something completely unique, strong (with numbers, symbols and capitals) and unrelated to anything that can be discovered about you on your social media accounts.
  2. Switch on strong authentication (e.g. multi-factor authentication for Office 365, or two-step authentication for G Suite).
  3. Get your email administrator to look at your historic ‘sign in’ logs and check for malicious behaviour (e.g. strange locations). You will be amazed how many times we do this and find a client has already been breached.
  4. Review email alerts and forwarding rules. Be careful: these rules may need to be checked on your mail application and webmail.
  5. Configure your email systems to become more defensive, including alert set-ups, switching audit logs on and reducing the number of administrators.
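The following triage script is an added example, not code from the article or from Mitigo. It automates steps 3 and 4 above against exported data: it flags inbox rules that forward mail outside the firm, delete messages, or move mail from a chosen sender into a quiet folder such as RSS Feeds (the diversion trick described earlier), and it lists successful sign-ins from countries the firm does not expect. The record layouts, the firm domain and the expected-country set are assumptions, loosely modelled on what an Office 365 export looks like rather than an exact vendor schema.

```python
"""Triage exported inbox rules and sign-in events for account-takeover signs.
Record layouts below are assumptions, not an exact Office 365 schema."""
from collections import Counter

FIRM_DOMAIN = "example-law.co.uk"        # assumed: the firm's own mail domain
EXPECTED_COUNTRIES = {"GB"}              # assumed: where staff normally sign in
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}

def rule_findings(rule):
    """Return the reasons an inbox rule resembles takeover tradecraft (empty if none)."""
    reasons = []
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if not addr.lower().endswith("@" + FIRM_DOMAIN):
            reasons.append(f"forwards to external address {addr}")
    if rule.get("delete_message"):
        reasons.append("deletes the message after acting on it")
    if (rule.get("move_to_folder") or "").lower() in SUSPECT_FOLDERS:
        reasons.append(f"hides mail in folder '{rule['move_to_folder']}'")
    if rule.get("from_contains") and reasons:
        reasons.append(f"applies only to mail from {rule['from_contains']}")
    return reasons

def unusual_signins(events):
    """Count successful sign-ins per (user, country) outside EXPECTED_COUNTRIES."""
    hits = Counter((e["user"], e["country"]) for e in events
                   if e["result"] == "success" and e["country"] not in EXPECTED_COUNTRIES)
    return sorted(hits.items())

# Constructed sample data: one forward-and-delete rule, one RSS diversion rule,
# one benign internal forward, and sign-ins for two users.
SAMPLE_RULES = [
    {"name": "Sync", "forward_to": ["archive@mail-example.net"], "delete_message": True},
    {"name": "Filter", "from_contains": "accounts@client-example.com",
     "move_to_folder": "RSS Feeds"},
    {"name": "Team", "forward_to": ["partner@example-law.co.uk"]},
]
SAMPLE_SIGNINS = [
    {"user": "j.smith@example-law.co.uk", "country": "GB", "result": "success"},
    {"user": "j.smith@example-law.co.uk", "country": "NG", "result": "success"},
    {"user": "j.smith@example-law.co.uk", "country": "NG", "result": "success"},
    {"user": "a.jones@example-law.co.uk", "country": "US", "result": "failure"},
]

def triage(rules=SAMPLE_RULES, events=SAMPLE_SIGNINS):
    """Return (flagged rules by name, unusual sign-in counts) for review."""
    flagged = {r["name"]: rule_findings(r) for r in rules if rule_findings(r)}
    return flagged, unusual_signins(events)
```

Run `triage()` on the real exports (Exchange inbox rules and sign-in logs converted to the same dict shape) and review every flagged rule with the mailbox owner before deleting it, since a legitimate rule can also match.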

It is important to recognise that you cannot defend yourself by technology alone against email account takeover attacks or other types of cyber attack. You should also appreciate that IT support is not the same as cybersecurity.

You must undertake a proper risk assessment of your data, systems, and the way you operate, and then put in place a risk management framework. It should cover your technology, people and governance. It is estimated that over 60% of cyber-attacks are caused by staff error. So, you must ensure that everyone in your firm has access to ongoing cybersecurity awareness training and test that it has been understood. You must put in place the right governance regime, with the right policies, that fit the way your firm operates, to keep the whole organisation safe. You should also regularly review and update your security arrangements to ensure continued safety and operational resilience.


We’ve partnered with Mitigo to offer technical and cybersecurity services with discounts for our members. For more information, call Mitigo on 020 8191 9205 or email lawsociety@mitigogroup.com.
