"Only amateurs attack machines; professionals target people"
Yet another article on fraud? We realise it was only last May when our article on fraud and cybercrime featured in this section of the Journal, and July when the Law Society of Scotland launched its Cybersecurity Guide. Equally, it was only last month that we saw no fewer than four fraud alerts on the topics of email phishing scams, fake law firms and fake redemption statements. So what more is there to say on this subject? Well, this is a topic which needs to maintain a high profile, so I make no apologies for revisiting it, because it is an ever-present threat in today’s business world.
Why lawyers are such a target
The legal profession is a favourite target for fraudsters. As a solicitor you are the trusted recipient of all sorts of highly confidential data – on things like mergers and acquisitions, IP/patents, property transactions etc. Moreover, your client account is likely to hold large sums, with significant sums transferring at regular intervals. All in all, a perfect storm if you’re a fraudster. You’re in the firing line and you need to be aware of that every day and do all you can to protect against a fraudulent attack.
Beware the human element
Be aware that the key to many of the recent fraud attempts is people. Individuals, their knowledge, their awareness and their response to these fraudulent attacks are critical to their success or failure.
The quotation in the heading of this article was by Bruce Schneier, the American author, cryptographer and computer security professional, back in 2003. I don’t suppose that 15 years ago he could have imagined how prophetic it would be. Targeting people is at the heart of how we see the fraudsters operating today.
Increasingly the frauds we are seeing are targeting individuals, exploiting people’s social instincts such as being helpful and efficient. These are traits which make people good at their jobs, but they also make people vulnerable to being duped by fraudsters.
Yes, there may be some system breaches involved in some scams, but on the whole this is about social engineering. Whether it’s phishing (mostly email), vishing (over the phone), smishing (over text message) or the most recent frauds, fake redemption statements and bogus law firms, it is people they are relying on to help them succeed with their scams. This is social engineering at a very sophisticated level, well planned and resourced, and the red flags we are taught to look out for, like bad grammar in emails or a sense of urgency in the transaction, may not always be in evidence. You’ll see, in some of the examples below, the extent fraudsters will go to in order to appear genuine. And that ever increasing sophistication can only mean one thing – it will become more and more difficult to detect when you’ve been targeted.
Individuals can make the fraudsters’ job easy, but equally, they can be the greatest weapon against this continued onslaught. What role they fulfil will depend on their level of awareness of scams in general, the extent of their training and the level of comfort they have to challenge or report on an issue.
Recent activity
In some recent examples we can see how individuals can help to beat the fraudsters, and what to look out for.
At Lockton we took a call from one firm that had managed to avoid falling for a phishing scam. Their robust processes and alert staff thwarted the fraudsters. The firm told me that they hoped their staff now saw the validity of those processes they had so often complained about. While they receive phishing emails quite regularly, this example stood out because of its level of sophistication. The layout of the email was identical to the template they would normally use to request such a payment, and the name at the bottom of the email was that of a real accounts assistant, even down to using the nickname she uses to sign off her emails. It didn’t have any of the red flags they tell you about in the training modules.
In another phishing attack a firm received an email from a person advising that they were “in the process of buying a property” and were seeking legal services. The wording of the email and a reference to having found the firm’s name from an online legal directory raised some initial suspicions from the person who received it. Further enquiries elicited a second email which came with a Dropbox link supposedly containing details of properties to be purchased. This raised further concerns in the mind of the solicitor and it turned out to be a fake enquiry. There were a couple of red flags in this example – the fraudster claimed to be in the process of buying a property, and normally in Scotland you would expect to enter negotiations to start the purchase of a property using a solicitor. The second was the Dropbox link – beware embedded links in emails from people you don’t know.
Now it would have been easy in either of the above cases to have fallen victim to the fraudsters’ plan – the emails were quite convincing – but the vigilance of the individuals involved meant they were both called out as fake.
Vishing, i.e. scams carried out over the telephone or “voice phishing”, is currently very much in evidence. These are the classic bank frauds that we have heard about for many years: calls purporting to be from your bank, reporting some irregularities with your own account and persuading you to move your money to another account.
Police Scotland are investigating 19 significant crimes of vishing fraud committed since July 2017, with just over £7 million stolen from both businesses and individuals collectively. Frauds of this nature are generally orchestrated by organised criminal gangs operating in the UK, Europe and further afield, and they are known to list law firms amongst their targets.
In one of the fake redemption statement scams that we’ve come across, it was eagle-eyed staff who spotted that the bank details of the lender on the fake statement were not those they would normally expect, prompting them to check back on other recent transactions, and finding further examples of fraud.
There have been two fake law firms reported in February alone. We can only imagine what frauds the individuals responsible for these have in mind when they’ve gone to the elaborate ruse of setting up extensive websites, business profiles, biographies of partners etc! It could well be scams we’ve not even seen yet.
What should you do?
Law firms, of all shapes and sizes, need to take data protection, fraud and cybersecurity very seriously and it is of course critical to have strong physical controls within your systems. However, it is also important to realise that individuals have a strong role to play in your defence. Here are some points to think about:
- Firms that do not prepare now will be at much higher risk of a significant loss in the future.
- Conduct regular training to help people identify these frauds – don’t do it annually; keep it at the front of people’s minds. Little and often is best.
- Make sure everyone understands all your processes so they can spot unusual requests.
- Make processes more robust by having a second level of verification, e.g. a phone call to follow up email requests.
- If you suspect a vishing scam, never call back on the same phone and always call the number you use regularly, not the one they’re calling from.
- Create a culture where people feel comfortable to seek guidance when something feels suspicious and have the confidence to challenge and report issues.
- Emphasise that fraud attacks can be difficult to spot, so people won’t always get it right.
- Make the process for reporting issues clear to everyone.
- Provide feedback on the action flowing from reported issues.
Whatever you do, don’t put your head in the sand – this issue isn’t going away. Just because you have not been targeted yet doesn’t mean you should be complacent. These criminals are systematic – they are not targeting the whole profession at once.
Don’t rely entirely on your processes, however strong they may be. Good, regularly briefed, alert staff are crucial in this fight against the fraudsters.
For more information
See the Law Society of Scotland’s Guide to Cybersecurity: www.lawscot.org.uk
Lockton has detailed information about information security, cyber and fraud risks on our dedicated solicitors’ website www.locktonlaw.scot/news. Filter on Fraud & Scams and/or Information Security/Cyber Risk for specific articles, webinars and e-learning modules.
National Cyber Security Centre guidance: www.ncsc.gov.uk/phishing. As well as this phishing guide there is a wealth of information and guidance available.