Spear phishing – the latest threat
‘Spear phishing’ is a criminal hacking enterprise to send an email or emails that appear to be from individuals or businesses that you know, in an attempt to obtain your credit card or bank account numbers or passwords and, ultimately, your money or your clients’ money.
Technology 02/09/2016‘Spear phishing’ is a criminal hacking enterprise to send an email or emails that appear to be from individuals or businesses that you know, in an attempt to obtain your credit card or bank account numbers or passwords and, ultimately, your money or your clients’ money.
It is a more sophisticated scam than regular ‘phishing’, as law firms are particularly targeted due to the potential high-value funds held. In addition, the scam is tailored to each targeted firm. Firms that practice in conveyancing are at particular risk.
Everyone should be particularly wary when bank account details change.
Frighteningly, there have been instances in Ireland where the criminals intercept an email, change the IBAN and BIC details to very similar IBANs and BICs for fraudulent accounts (in some instances, in the same bank branch) and then send onward the email to the originally intended recipient.
The person in receipt of the email sees the fraudulent IBAN and BIC, but otherwise the email may appear unchanged. In addition, criminals may forge an internal email within the company or firm to say that a bank account has changed (for example, an email instruction from a partner to his or her secretary to change payment details).
Accordingly, the top ten tips for dealing with spear phishing are, as follows:
- Only send IBANs and BICs for your accounts or other accounts by letter or fax.
- Clients should be asked for their bank details by way of a copy statement at the start of a transaction.
- If a client does not give you copy bank documentation, then you should ask the client to write out the IBAN and BIC in full for you in their own handwriting and sign it.
- If another solicitor is sending you their account details, then they should do it by fax or letter, and you should still verify same with them. It is common for the fraud to involve only changing one digit or letter.
- If you have to write down bank account details yourself (for example, because you are getting them over the phone), then you must read the details back to the client for verification and you must memo this on your file. This is important, because if the other person gives you an incorrect number by accident, it may cause the money to go astray.
- If you get an IBAN and BIC by email, including in an attachment, then you must ring the person to verify the details, and you also should memo that on your file.
- If somebody tells you that their account details have changed, this is an instant red flag. You should immediately raise a query and verify the account details through an alternative medium, such as by phone, fax or letter. In addition, let your clients know that your firm does not change its bank account details (if this is the case). Clients should be advised not to send any money to new account details without confirming the change by talking to someone in the firm.
- We cannot rely on the banks to verify the account name against the account number. If you put in a wrong number, then the money will go astray and may not be recoverable. Typographical errors must be avoided.
- Any internal mail asking you to request or effect the transfer of moneys must be verified by a phone call to the sender of the mail.
- The obligation on the client to provide accurate bank details and the risk of fraud should be mentioned in the section 68 letter and letter of engagement.