Protecting your practice from cybercrime
12/12/2021 15:00:00
Dear colleague,
The Law Society is aware of increased cybercrime in recent years, and our members have not been immune to attacks.
The insurance market, and society in general, is only coming to grips with cybercrime and its damaging impact. In this context, the Society is currently assessing the policy terms and conditions offered by the insurance market in the last professional indemnity insurance renewal. The Society is particularly concerned about the degree to which top-up PII cover above €1.5m, purchased by some firms (particularly medium and larger firms), incorporates cybersecurity incidents, and about any alternative insurance products that may help those firms to manage that risk.
As solicitors, we must treat the security of client and other funds held in our client accounts as vital. Firms and individuals must continually monitor and improve their software, devices and practices to mitigate risks, and must remain vigilant at all times, including to the possibility that their clients' systems, or their own, have been infiltrated. This is everyone's responsibility.
Your client account and conveyancing transactions
Reducing the amount of money held in a client account, and the number of transactions involving it, is an obvious way to reduce the risk. I am aware of some challenges in this area, especially in conveyancing transactions where the client account is an established depository to facilitate transactions. The Conveyancing Committee is giving consideration to this.
In the meantime, with insight from colleagues and the cybersecurity team, here are some important ‘best practice’ tips for managing the funds in your client account safely.
- Given the general principle that solicitors are responsible for client funds for so long as they are held, the client account should only be used as and when required, and then only for so long as required.
- Members should try to avoid sharing client account details with a third party unless it has been agreed in advance:
  (a) the purpose for which the information is furnished;
  (b) that it is furnished on a confidential basis; and
  (c) that the client account details will not change during the lifetime of the matter.
- Members should consider removing client account details from any draft contract, agreement or other document issued to clients and counterparties.
- A client account is only available for use with the consent of the holding firm of solicitors. Nobody should send money into a solicitor's account without permission; in particular, solicitors should only receive money from payors they have approved. For example, it will generally be acceptable to receive funds from other regulated entities such as other solicitors' firms. By contrast, it is not acceptable for a purchaser in a property transaction to pay the balance of the purchase price directly to the vendor's solicitor's client account. This would create a range of issues for the receiving solicitor, including AML obligations and potential responsibility for managing the funds or returning them.
- Generally speaking, solicitors should avoid receiving or holding third-party funds (non-client funds). A practical example where it is acceptable to hold third-party funds is a vendor's solicitor holding a purchaser's deposit as stakeholder pending completion, where the funds are routed through the purchaser's solicitor (these funds are treated as "client moneys" under the Solicitors Accounts Regulations).
- I encourage you to reinforce to clients and third parties that all payments should include a payment reference so that they can be tagged efficiently to a client matter. It is a regulatory duty to record the receipt of these funds in the client ledger expeditiously. It also matters because you must act urgently if you receive funds that should not have been received.
- You should deploy robust multi-method checking mechanisms to verify the accounts to which you make payments out. These methods should include internal as well as external controls: scammers have been known to intercept internal emails between solicitors and their own staff and alter account details before the payment is executed, so account details received by email should be confirmed through a separate channel before they are acted on.
- I am aware of many firms routinely making several payments on each matter on behalf of clients to discharge client liabilities (for example, paying an estate agent's fees on a property sale). I would encourage you to reduce, if not avoid entirely, disbursing funds on behalf of clients where possible.
- While each member will always be obliged to comply with their regulatory and legal obligations, consider your terms of business and the degree to which they are clear about the responsibility you take, or do not take, with regard to the client account.
- Similarly, consider the terms of your commitments to third parties (such as undertakings) with regard to the transmission of funds, so that you can be as clear as possible about the responsibility you take, or do not take, with regard to receipts and payments.
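The payment-verification tip above lends itself to a concrete control. What follows is an added example written for this page; it is not the Law Society's code nor any firm's system. It assumes the firm keeps a register of payees whose bank details were confirmed out of band (for instance by telephoning a number already on file) and that every outgoing payment request is checked against that register before release. The payee name, IBANs and amount are constructed for illustration. It also includes the standard IBAN mod-97 checksum, to show what that check does and does not catch.

```python
"""Payee verification before an outgoing client-account payment.

Added example for this page (not the Law Society's code). Assumes the firm
keeps a register of payees whose bank details were verified out of band.
All names, IBANs and amounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check.

    Catches a mistyped digit; it does NOT catch substitution of a different,
    correctly formed account number belonging to a fraudster.
    """
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]  # move country code and check digits to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


@dataclass
class VerifiedPayee:
    name: str
    iban: str
    verified_via: str  # the out-of-band channel used, e.g. a call to a number already on file


@dataclass
class PaymentRequest:
    payee_name: str
    iban: str
    amount_eur: float
    source: str                  # where the instruction came from, e.g. "internal email"
    confirmed_out_of_band: bool  # has someone rung the requester/payee on a known number?


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def check_payment(req: PaymentRequest, register: Dict[str, VerifiedPayee]) -> Decision:
    """Approve only when every control passes; otherwise hold the payment and say why."""
    reasons: List[str] = []
    if not iban_checksum_ok(req.iban):
        reasons.append("IBAN fails the mod-97 check (probably mistyped)")
    payee = register.get(req.payee_name.strip().lower())
    if payee is None:
        reasons.append("payee is not in the verified register; verify out of band before paying")
    elif normalise_iban(payee.iban) != normalise_iban(req.iban):
        reasons.append(
            f"IBAN differs from the verified record (verified via {payee.verified_via}); "
            "treat as a possible intercepted or altered instruction"
        )
    if req.source == "internal email" and not req.confirmed_out_of_band:
        reasons.append("details arrived by email and have not been confirmed by phone or in person")
    return Decision(approved=not reasons, reasons=reasons)


# Constructed register entry; the IBAN is an example number, not a real account.
REGISTER: Dict[str, VerifiedPayee] = {
    "acme estate agents ltd": VerifiedPayee(
        name="Acme Estate Agents Ltd",
        iban="IE29 AIBK 9311 5212 3456 78",
        verified_via="phone call to the number on the signed engagement letter",
    ),
}


def demo() -> Dict[str, Decision]:
    genuine = PaymentRequest("Acme Estate Agents Ltd", "IE29 AIBK 9311 5212 3456 78", 4500.00,
                             source="case management system", confirmed_out_of_band=True)
    # Constructed interception: the same request as relayed in an internal email,
    # with the IBAN swapped for a fraudster's account. The substitute IBAN has a
    # correct check digit, so the checksum alone would pass it.
    intercepted = PaymentRequest("Acme Estate Agents Ltd", "IE44 AIBK 9311 5212 3456 99", 4500.00,
                                 source="internal email", confirmed_out_of_band=False)
    return {"genuine": check_payment(genuine, REGISTER),
            "intercepted": check_payment(intercepted, REGISTER)}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, "APPROVED" if decision.approved else "HELD", decision.reasons)
```

The intercepted request passes the checksum, because a fraudster's account is a real account, and is held only by the comparison with the verified record and by the rule that email-sourced details must be confirmed out of band. That is the sense in which the check has to be multi-method: the checksum catches typing mistakes, the register catches substitution, and the out-of-band confirmation catches a register entry that was itself populated from a tampered email.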
Increased risk of phishing attacks
The Law Society continues to be informed by members of the profession that they are receiving fraudulent emails that appear to come from trusted sources such as Junior and Senior Counsel.
In recent times, members have reported receiving emails apparently from Counsel that included two attachments. One purported to be a draft set of proceedings; the other contained instructions on how to open that document with a code. Opening the 'draft set of proceedings' file installs malware on the recipient's computer.
The email appears to come from Counsel's genuine email address, which lends it authenticity. Two details give it away: Counsel's telephone number in the email has been altered, and the recipients were not expecting a set of proceedings from Counsel at that time.
Once the attachment has been opened and the malware installed, the fraudster can often gain access to the recipient solicitor's email system. That access has then been used to send emails to the solicitor's clients requesting that funds be sent to fraudulent bank accounts. Other malware has been used to perpetrate a ransomware attack on the practice.
If you receive an email that you were not expecting, or that appears unusual, asking you to open an attachment, confirm with the sender that it is genuine before opening it, using a channel you already trust: for example, a telephone number you already hold (not the one in the email), or the post. Please also ensure that all members of staff are aware that emails may carry fraudulent attachments or links, regardless of the apparent sender.
If you have already opened an attachment that you now suspect, contact your IT providers immediately and have them examine your system, remove any malware that has been installed and clean the system. Also check that no emails have been sent from your email address to others without your knowledge, including through any forwarding or mailbox rules an intruder may have added. If you are a victim of a cyberattack, please contact the Law Society Cybersecurity team and a member of staff will contact you to provide whatever assistance is possible.
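The indicators described above (a genuine-looking sender address, a changed telephone number, an unexpected attachment, and a second attachment explaining a code to open the first) can be checked mechanically before anyone opens anything. The following is an added example written for this page, not the Law Society's code or any product's logic. It assumes the firm holds a contacts directory with the telephone number already on file for each Counsel; that number, not the one in the email, is the one to ring. The directory entry and both sample messages are constructed for illustration.

```python
"""Triage of an inbound email against the indicators described above.

Added example for this page (not the Law Society's code). Assumes a contacts
directory holding the telephone number already on file for each sender. The
directory entry and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List

# Constructed directory: sender address -> details the firm already holds.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "counsel@example-chambers.ie": {"name": "J. Counsel SC", "phone": "+353 1 234 5678"},
}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def phones_in(text: str) -> List[str]:
    """Rough phone-number extraction; numbers are compared digit-for-digit with the directory."""
    return [digits_only(m) for m in re.findall(r"\+?\d[\d ()\-]{7,}\d", text)]


def triage(raw: str, expecting_documents: bool) -> Dict[str, object]:
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    known = DIRECTORY.get(sender)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() or "(unnamed)" for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    flags: List[str] = []
    if known is None:
        flags.append("sender address is not in the contacts directory")
    else:
        # A genuine-looking From address is not enough: compare the signature
        # number with the one already on file.
        seen = set(phones_in(body))
        if seen and digits_only(known["phone"]) not in seen:
            flags.append(f"telephone number in the signature differs from the one on file for {known['name']}")
    if attachments and not expecting_documents:
        flags.append("unexpected attachment(s): " + ", ".join(attachments))
    if attachments and re.search(r"\b(code|password|passcode)\b", body, re.IGNORECASE):
        flags.append("body refers to a code or password needed to open an attachment")
    archives = [a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        flags.append("archive attachment(s) that could hide an executable: " + ", ".join(archives))
    return {
        "sender": sender,
        "sender_known": known is not None,
        "attachments": attachments,
        "flags": flags,
        "action": "do not open; ring the number on file" if flags else "no indicators found",
    }


# Constructed message modelled on the pattern described above: genuine-looking sender,
# changed telephone number, an unexpected archive plus a note explaining the code.
SUSPICIOUS_EMAIL = """\
From: "J. Counsel SC" <counsel@example-chambers.ie>
To: solicitor@example-firm.ie
Subject: Draft proceedings
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the draft proceedings attached. The second attachment
explains the code needed to open the document.

J. Counsel SC
Tel: +353 1 987 6543
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Draft_Proceedings.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="How_to_open.txt"

Open the archive with code 2718.
--b1--
"""

# Constructed benign message from the same address, for comparison.
BENIGN_EMAIL = """\
From: "J. Counsel SC" <counsel@example-chambers.ie>
To: solicitor@example-firm.ie
Subject: Consultation on Thursday
Content-Type: text/plain; charset="utf-8"

Confirming 10am Thursday in chambers.

J. Counsel SC
Tel: +353 1 234 5678
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw, expecting_documents=False))
```

Note that the sender check passes for the suspicious message, exactly as in the cases reported above; it is the altered telephone number, the unexpected attachment and the "code to open" note that raise flags. The triage is a prompt to ring the number on file, not a substitute for doing so.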
Be aware of impersonation
Many colleagues use social media as a marketing tool, or to build their own personal networks. Some of our most active colleagues on social media have reported seeing fraudulent accounts impersonating them online.
Whatever the impersonator’s intent, there are obvious risks posed when an unauthorised person (or even a potentially malicious stranger) assumes your identity online. I encourage you to be vigilant about this – search your firm’s name and your own name periodically for potential impersonators. You can even quickly scan for unauthorised use of your own image or your firm’s logo: Google has published a useful article on how to do this.
If you find an impersonator, no matter how trivial the content, you should act. Social media networks have established quick procedures to report impersonation, while several legal tools are available for protecting your intellectual property and taking down imposter websites.
As we near the Christmas break, I encourage you to be especially vigilant – online criminals will be only too keen to exploit people who are outside their employers’ cybersecurity ‘safety net’. Keep the above points in mind, and always think before exposing yourself, or your clients’ funds, to cybercrime. Finally, I want to wish you a happy, peaceful, and restful Christmas.
With kind regards,
Michelle Ní Longáin,
President