22 March 2019
Cyber Alert: Payment Misdirection
Dear Senior Partner, Managing Partner, Principal

The Law Society of Jersey has been made aware of a recent incident that serves as a reminder of the risks faced by law firms and their clients as targets of cyber criminals.

Around the world, law firms and their clients are being targeted by cyber criminals seeking to misdirect payments away from their intended recipients. There are many ways that cyber criminals carry out these attacks, and some examples and what you can do as a firm to protect against the risk are set out in guidance from Europol. Click Protect Your Firm to view/download this guidance.

More recently, we understand that cyber criminals have attempted to gain access to the email accounts of law firms and their clients, in order to intercept payment instructions and misdirect payments. The exact method of attack varies but typically features the following elements and steps:

  • The attacker seeks to gain remote access to either the client’s or the firm’s email account. Most personal email platforms (such as Gmail, Hotmail or Outlook.com), office email platforms (such as Office 365) and hosted mail gateways (such as Mimecast) are accessible via a web browser from anywhere. Unless additional authentication methods have been implemented (see below), the mailbox can be opened by anyone who simply knows the email address and associated password.
  • The attacker sends a “phishing email” to either the client or the firm, inviting the recipient to enter their password via a URL or webpage that the attacker controls. These emails are far more convincing than they sound, and usually place the recipient under pressure to act quickly. For example, the email might explain that the account has been locked and can only be reactivated if the user’s credentials are entered, or it may offer access to an urgent document that can only be opened with the account holder’s username and password.
  • Once the account credentials have been disclosed to the attacker, the attacker will have access to the entire mailbox and may be able to monitor emails undetected.
  • The attacker will then wait until there is a communication relating to a payment. In the case of law firms, this could be a payment of fees, or a payment relating to a matter such as a property deposit or completion balance.
  • When the attacker sees that a payment instruction has been received, the attacker will take a copy of the email and either delete it or move it to a folder so that it is not seen by the true account owner. In some cases, the attacker may set up an email “rule” so that matching emails are automatically forwarded to the attacker, or filed in a folder that only the attacker knows about.
  • The attacker will then register a domain that closely resembles that of the sender of the payment instruction: for example, to impersonate theresamay@number10.com the attacker might register number1O.com (using the letter “O” in place of the zero), which is indistinguishable from the genuine domain at a glance.
  • Using this domain, the attacker then sends a copy of the email with the payment details altered, to the recipient. This may mean altering the payment details on an attached invoice, or the text of the email if the account details are in the body.
  • From the recipient’s perspective, the altered email will look almost identical save for a slightly different email domain. The email may even include a chain of previous email correspondence which the recipient will recognise.
  • In the belief that the payment instruction is genuine and expected, the recipient then unwittingly makes the payment transfer to an account controlled by the attacker.
  • Unfortunately, these attacks are carried out by, or in concert with, serious organised criminals who are well versed in using the banking system to move and disperse the stolen funds. Payments may not be recovered in full or in part, even if the bank is notified swiftly.
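Two of the steps above leave traces that a firm can look for: the lookalike sending domain (number1O.com for number10.com) and the mailbox rule that forwards or hides payment correspondence. The following script is an added illustration of both checks and is not part of the Law Society's guidance or any vendor's tooling. The firm's own domain, the trusted counterparty domains, the sample senders and the mailbox rules are all constructed for the example; in practice the rule data would come from the mail provider's administration tools (Exchange Online, for instance, exposes a mailbox's rules, including their ForwardTo, DeleteMessage and MoveToFolder settings, through its Get-InboxRule cmdlet).

```python
"""Lookalike-sender and mailbox-rule checks for the payment-misdirection
pattern described above. Added illustration, not the Law Society's own
material; every address, rule and domain below is constructed."""
import unicodedata

# Single-character swaps that pass at a glance: 0/o, 1/l, i/l, 5/s.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})

# Words in a rule's subject filter that suggest it is hunting for payment traffic.
PAYMENT_TERMS = {"invoice", "payment", "bank", "account", "transfer", "deposit", "completion"}


def skeleton(domain: str) -> str:
    """Reduce a domain to the shape a reader perceives, so that number1O.com
    and number10.com compare equal."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))   # drop accents
    d = d.replace("rn", "m").replace("vv", "w")                  # two-letter lookalikes
    return d.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so that a single dropped or added letter is also caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted_domains: set) -> str:
    """'trusted' for an exact match, 'lookalike' if the domain merely resembles
    a trusted one after homoglyph folding, otherwise 'unknown'."""
    domain = domain_of(address)
    if domain in trusted_domains:
        return "trusted"
    sk = skeleton(domain)
    for trusted in trusted_domains:
        tsk = skeleton(trusted)
        if sk == tsk or levenshtein(sk, tsk) <= 1:
            return "lookalike"
    return "unknown"


def suspicious_rules(rules: list, own_domain: str) -> list:
    """Flag mailbox rules of the kind the attacker creates: anything forwarding
    outside the firm, or deleting/filing mail whose subject mentions payments."""
    findings = []
    for rule in rules:
        reasons = []
        for addr in rule.get("forward_to", []):
            if domain_of(addr) != own_domain.lower():
                reasons.append(f"forwards to external address {addr}")
        hunts_payments = any(w.lower() in PAYMENT_TERMS for w in rule.get("subject_contains", []))
        if hunts_payments and rule.get("delete_message"):
            reasons.append("deletes payment-related mail")
        if hunts_payments and rule.get("move_to_folder"):
            reasons.append(f"files payment-related mail in '{rule['move_to_folder']}'")
        if reasons:
            findings.append({"rule": rule["name"], "reasons": reasons})
    return findings


# Constructed sample data (hypothetical firm, counterparties, senders and rules).
OWN_DOMAIN = "example-firm.je"
TRUSTED = {"number10.com", "client-bank.example"}
SAMPLE_SENDERS = [
    "theresamay@number10.com",        # genuine
    "theresamay@number1O.com",        # letter O for zero, as in the alert
    "payments@c1ient-bank.example",   # digit 1 for letter l
    "someone@gmail.com",              # neither trusted nor a lookalike
]
SAMPLE_RULES = [
    {"name": "Sort newsletters", "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": ".", "subject_contains": ["invoice", "payment"],
     "forward_to": ["mail.backup77@outlook.com"], "delete_message": True},
    {"name": "Archive", "subject_contains": ["completion"], "move_to_folder": "RSS Feeds"},
]


def triage():
    """Run both checks over the constructed data."""
    senders = {s: classify_sender(s, TRUSTED) for s in SAMPLE_SENDERS}
    return senders, suspicious_rules(SAMPLE_RULES, OWN_DOMAIN)


if __name__ == "__main__":
    senders, findings = triage()
    for sender, verdict in senders.items():
        print(f"{verdict:9} {sender}")
    for f in findings:
        print(f"rule {f['rule']!r}: {'; '.join(f['reasons'])}")
```

The skeleton step only folds the substitutions listed in HOMOGLYPHS and the two-letter pairs rn/m and vv/w; a firm using this approach would extend that table and the list of trusted counterparty domains as it learns from its own matters. A rule named with a single dot, as in the sample, is a common trick for keeping it out of sight in the mail client's rule list.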

If you would like to understand more about how phishing attacks can lead to email compromises, there is a useful video summary (accessed via YouTube) provided by a leading publication specialising in cybersecurity available here

What you can do against the risk of this specific attack

If your firm uses a cloud based email service, or an email system that may be accessed remotely, consider additional authentication methods so that it cannot be accessed with an email address and password alone. For example, consider activating multi-factor authentication. If you do not need remote access, consider disabling it entirely. Because an attacker who has had access commonly leaves behind a forwarding or filing rule (see above), also check existing mailboxes for rules and forwarding settings that the account holder did not set up.

Contact your email provider for guidance on how to implement these security measures. For example, instructions on how to set up multi-factor authentication for Office 365 are available from Microsoft at https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

Ensure that you adhere to good password hygiene, taking into consideration advice from organisations such as the UK National Cyber Security Centre, available at https://www.ncsc.gov.uk/collection/passwords?curPage=/collection/passwords/updating-your-approach

Warn your clients and check internal processes:

  • When accepting new clients, include a notice in your engagement letter that you will never use email to communicate a change of banking details during the course of a transaction or matter. Consider also whether your engagement letter should note that requests for payments to new bank accounts will not be made by email alone, but confirmed by phone call or letter. Consider whether you should receive written confirmation that your clients have read and understood this direction. It may also be appropriate to include similar notices on all email communications.
  • When receiving payment instructions via email, ensure that your firm has payment processes in place to authenticate and verify the instruction by a means other than replying to the email, for example by telephoning the sender on a number already known to the firm rather than one given in the email.

What to do if you or your clients fall victim to an attack

In the event that you discover that this has happened:

  • Contact your own bank (the paying bank) and the recipient’s bank to report the payment and ask for a hold to be placed on the funds. Encourage your client to do the same if they transmitted the funds.
  • Inform the States of Jersey Police / Joint Financial Crimes Unit.
  • Consider whether you need to notify your insurers.
  • Take steps to confirm that your systems and data are secure, and if not, investigate and remediate any potential compromise.
  • Notify the Law Society of Jersey (contact the CEO on 01534 734826 or email ceo@jerseylawsociety.je).

In relation to this final point, we remind you that any material issue impacting the firm and/or its clients should, ordinarily, be advised to the Law Society, whether it is a major data breach, a large financial loss or issue, a serious staff issue, a regulatory investigation or sanction, or a compromise of systems, including email. This is so that a) appropriate steps can be taken to mitigate the potential for other firms to experience, or be impacted by, similar issues, b) the Law Society can provide guidance and support as necessary and appropriate, and c) the Law Society can assist in managing potential negative media coverage or reputational damage, whether for the firm or, more widely, for the legal profession as a whole, arising from the matter.

Yours faithfully

Neville Benbow
Chief Executive Officer
The Law Society of Jersey

Email: admin@jerseylawsociety.je