Email scams against law firms: A disturbing pattern is emerging

There are many different ways cyber criminals can target law firms using social engineering techniques. One of the currently “favoured” methods of cyberattack on Australian law firms is the email scam.

Two recently reported cyberattacks against Australian law firms used strikingly similar social engineering techniques to perpetrate email scams and steal millions of dollars.

The cyber criminals gained access to the law firms' email accounts in order to misdirect incoming trust fund monies and outgoing settlement amounts.

Although each individual case is different, the common method of attack runs along the following lines:

The law firm will be approached by a potential new client (usually wanting to give the firm instructions in relation to either a conveyance or personal injury litigation or similar matters where a large sum of money changes hands at the conclusion of the matter).

The perpetrators either send an email asking for assistance or telephone the law firm requesting a conversation with either a particular solicitor or an individual specialising in those areas.

Once contact is made, a discussion is held with the individual solicitor (either by email or by telephone) outlining the types of services required and determining if the solicitor is appropriate. Once the solicitor has been sufficiently “buttered up”, the cyber criminals will indicate an intention to retain the solicitor to act for them.

Sophisticated cyber threat actors can keep these discussions going for some time, using appropriate terminology and sounding entirely legitimate.

Once they have confirmed their intention to retain the law firm or individual solicitor, they confirm that they will send an email outlining specific instructions and attaching all relevant documents. For the sake of “safety”, they often advise that the attachments will be password protected and will require the solicitor's email address and password to download the confidential documents.

The cyber criminals will then send a highly targeted and specific email to the solicitor they are retaining, containing the link. This is password protected and personalised to that solicitor individually. To access the linked documents the solicitor has to enter his/her work email address and password. Once this login information has been entered, the scammers have what they came for (and often cancel the instructions or say they are not ready to proceed and may come back to the firm later).

At some later time, even months later, the hackers become active again.

They may have been monitoring the individual solicitor's emails and watching for information about payments of large amounts of money into the law firm's trust account.

When the deadline comes for money to be paid to the firm by the client, the scammer emails the client, posing as the law firm, and reminds them that payment is due.

However, they change the bank account details specifying where the money needs to be paid. The hackers give their own chosen account instead of the firm's trust account.

Once the transaction is done, the firm and client are left trying to figure out where the money has gone.

In other instances, the hackers will send an email posing as the law firm confirming settlement payments to be made and altering the bank details of the recipient of the settlement funds. Relying on this email, the funds are wrongly paid into the hackers' account and within minutes have been transferred offshore into untraceable accounts.

Substantial amounts of money can be lost in seconds if this occurs.

What steps can every firm take to minimise these types of scams and avoid the same pitfalls?

1. Do due diligence on clients new to the firm and check the validity of their details and instructions. Ask for a contact number, ring back and question the instructions to ensure legitimacy.

2. All lawyers need to ensure that their email account is secure and stays secure. Recognise that legitimate sites do not request your email credentials and personal password.

3. Verify the validity of payment instructions. Funds transfers to bank accounts are the target of these scams. Always call and check bank account details and payment instructions.

4. When the sums involved are large, some extra security precautions are warranted, not only to verify the banking details you have been provided but also to confirm the actual requirement of payment and the recipient of the funds.

5. It is also smart to encourage your clients to ring you and verify trust account details before making any payments into them. Remind clients that you will not be sending them new or different bank account details immediately before settlement.

It is imperative that ALL law firms are aware of these scams and exercise prudence and caution in the making and receiving of any payments.

Continued vigilance is required at all times.
