
Cyber Security

Business email compromise continues to cause issues for law practices across Australia. With law firms under a duty to replace any lost client funds, the financial burden of email fraud attacks could be crippling. Law Mutual (WA) has previously provided tips to protect against email scams; however, the attacks are becoming more sophisticated and law practices need to remain vigilant.

In the most recent attacks, there have been two permutations of the scams reported in December 2017. In the first case, once the hackers had commandeered the email account of the staff, they set about emailing the clients of the practice, informing them that the legal practice had opened an interim trust account whilst the current trust account was being audited. Clients were advised to use the details of the interim trust account until further notice.

In the second case, the hackers amended the bank account details contained in a PDF document attached to an email. As you will be aware, PDF documents can be easily amended with access to the relevant software. However, in this particular case, the bank account details were handwritten, and the hacker still managed to change the information.

What can you do to identify the attack, curtail the transaction and prevent the loss? 

Practices should consider implementing policies and protocols that balance security, privacy, and efficiency to mitigate the risk of falling victim to cybercrime, especially on any matters where money will be transferred via the firm’s trust account.

Questions for each legal practice to consider:

  • Before accepting and acting upon a client’s directions for payment that are provided by email, does your firm verify them by phone call, using the phone number recorded at the time initial instructions were taken and not a phone number included in the same email as the directions for payment?
     
  • Do you inform your clients in writing that you will never send them an email changing your trust account details or asking for money to be sent to an account other than your trust account?
     
  • Do you advise your clients in writing to contact your firm urgently if they receive an email from the firm purporting to change the payment details? Do you include this warning on your email communications with the client?
     
  • Are all staff members advised of the requirement to telephone to check payment directions received from other solicitors, when these are received by email?

Steps you can take:

  • Transfer of funds: Adopt the practice of verifying every client and instruction to transfer or pay out trust funds (e.g. payee, account, amount) (s226 LPA Offence to cause deficiency). Adopt protocols to protect law practice funds (e.g. verification of certain amounts or types of payments).
     
  • Adopt employment practices that promote security: Set clear expectations about staff commitment, competence and compliance regarding cyber security and consequences for breach. Require users to declare policies have been read and agreed to. Use log on screen reminders to reinforce safe use. Monitor and enforce compliance. Provide adequate training.
     
  • Background checks: Vet staff and contractors for trustworthiness, especially those in accounts and IT.
     
  • Phishing and suspicious emails: Ensure users can recognise the characteristics of suspicious emails (e.g. odd URLs or language, urgency, directions to transfer funds). Use phishing tests to check users can be trusted to report suspicious emails and not click on links or attachments.

Law Mutual (WA) insured practices are reminded that losses as a result of cybercrime may not be covered under the Law Mutual (WA) Professional Indemnity insurance arrangements; cover will depend upon the facts of each individual case.

Cyber Resilience Risk Management Training

On 26 September 2019, Law Mutual (WA) is facilitating a webinar, "Cyber resilience for small law practices – what you need to know now". In this webinar we will describe real-life accounts of practitioners impacted by cyber events and the different ways in which cyber attacks and email scams work, and discuss strategies for minimising the risk of similar incidents.

Don’t miss this useful and relevant seminar presented by Simone Herbert-Lowe from Law & Cyber.

 

Contact Law Mutual (WA)

Level 4, 160 St Georges Terrace, Perth WA 6000
PO Box Z5345, Perth WA 6831
Telephone:  (08) 9481 3111   |   Facsimile:  (08) 9481 3166
Email: info@lawmutualwa.com.au   |   Website: www.lawmutualwa.com.au

 
The Law Society of Western Australia
Level 4, 160 St Georges Terrace, Perth 6000
Phone: (08) 9324 8600   |     Fax: (08) 9324 8699
E: info@lawsocietywa.asn.au  | W: lawsocietywa.asn.au

Disclaimer: Law Mutual (WA) News/Risk Alert is an information service of the Law Society of Western Australia. The information provided does not constitute legal advice and members should consult the Government Gazette, relevant statutes and other source documents as appropriate. Reasonable steps have been taken to protect our mail servers and web pages via the use of anti-virus software but all customers are advised to take all necessary steps to ensure that their own systems are virus protected. The Law Society of Western Australia does not accept responsibility for any loss or damage sustained as a consequence of any virus transmission.

Copyright © 2019 The Law Society of Western Australia. All Rights Reserved.