Dr You v The Cyber Men
I have recently been re-reading the Ensuring Excellence risk management booklet issued by the Law Society of Scotland as long ago as May 1998. It was warning of the dangers of direct bank transfers. Twenty-two years later, legal firms are still coming to grief in this respect. I think that the profession is sometimes rather slow to change its methods of doing things.
If you are trying to tell someone how to do their job in a more efficient manner, people can be very offended by this if they take it the wrong way. They can gain the impression that you are trivialising their line of work and that what you are saying in effect is, “This is such an obvious thing to do, you must be stupid if you are not already doing it.” Personally, I am always willing to learn by the example of other people. To quote the Scottish entertainer Sydney Devine, “I am the biggest thief in the business. I will steal anybody’s material.”
The Society has engaged the services of a professional IT company to assist with cybersecurity, and I am hesitant about suggesting anything on the subject for fear of being labelled an armchair strategist, but after the eyewatering £900,000 cyber fraud earlier this year, there is nothing to be lost by making one or two simple suggestions.
The modern technology which solicitors have is wonderful, but in some cases it is also optional and if there is another safer method available for doing certain things, we should be using it. (As a whimsical thought, maybe the Society should actually have engaged the services of Dr Who, bearing in mind the Doctor’s 100% success record in encounters with these cyber people.)
High, low or no tech?
My answer to high tech fraud is low tech, or more to the point, no tech at all. There are three elements to this:
- The Royal Mail.
- The DX Exchange.
- Legible handwriting.
All of these exist completely independently of any solicitor’s IT system, and if the fraudsters can hack into any of them, they are welcome to try. Incidentally, if I was an internet fraudster I would currently be working full time on how to crack an encrypted email. I would be going onto the “dark web” and offering a substantial reward to anyone who could show me how to do this. These fraudsters have all day long to work these things out, while the rest of us are fully occupied trying to make an honest living.
Bank details – where?
1. Our firm’s bank details should be in bold print as paragraph 1 on the very first page of our terms of business, and the terms of business should never be issued by email. Paragraph 1 should begin: “Under no circumstances whatsoever will alternative bank details be issued to you by email.” As the terms of business have to be kept on our IT system and could be subject to interference, every time a copy is printed off for issuing to clients the solicitor should check that the bank details are correct.
2. At the very outset of every file the following questions should be asked:
- Do we need the clients’ bank details?
- Do the clients need our bank details?
- Do we need the other solicitor’s bank details?
- Does the other solicitor need our bank details?
If the answer to any of these questions is yes, bank details should be issued or requested by Royal Mail or DX and not by any electronic means at all. This should be done right at the start rather than just a day or two prior to any settlement date. Clients in particular should be asked to submit bank details in legible handwriting. Your letter of enquiry should contain a stamped addressed envelope for a reply. Inform the clients that we cannot take bank details by phone or email. You can certainly phone them up to check the details once you receive their letter, but to cover your own position you need something generated by the client to lodge in the file rather than your note of their incoming telephone call. Do not scan the incoming letter into your IT system. Bank details should not be showing anywhere in your IT system.
My employers have conventional paper files, and in this respect there is something to be said for being old fashioned. Paperless offices would need to have some additional security methods in place to avoid having bank details showing in incoming correspondence. My suggestion here is that a photocopy of the relevant letter is given to the cashier to hold in a special folder and the bank details are then blanked out of the letter before it is scanned into the system.
Pen and paper
3. If it is the case that the fraudsters can alter a fax message, then bank details in a faxed redemption statement for a mortgage are suspect to say the least.
Ask a trainee or an intern to trawl through all of the firm’s house sale files for the past few years looking for redemption statements from lenders, and prepare a handwritten note to give to the cashier of the various lending institutions and their bank details. None of this information should be put on to the firm’s IT system. It should be kept in handwritten form only. Unless you have a dishonest staff member, this handwritten record is incorruptible. If the cashier has to set up a direct transfer to repay Andy Pandy’s mortgage, they check the bank details on the faxed redemption statement received from the Bank of Toytown against the details on the handwritten list and if everything matches up the transfer can proceed.
4. Any bank details passing from one part of the office to another should be handwritten or typewritten on a good old fashioned typewriter. Do not send an email or print off a memorandum to the cashier on your computer. Just do not put bank details anywhere near your IT system.
If all mention of bank details is removed from emails, how can the fraudsters ply their trade? Even if they can hack into emails they will be grabbing at fresh air, because the bank details will simply not be there in the first place in any shape or form.
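The rule in this paragraph, that bank details simply never appear in email, can be enforced mechanically as well as by office discipline. What follows is an added example and not part of the original article or anything the Society's IT advisers have issued: a small Python screening routine of the kind an outbound mail gateway could run, holding any message that appears to carry a UK sort code, account number or IBAN. The message format (a plain dictionary with "subject" and "body"), the patterns, and the sample messages are all assumptions constructed for the example.

```python
import re

# Patterns for the kinds of bank detail the article wants kept out of email.
# The expressions and the sample messages below are constructed for illustration.
# Sort code: two-digit groups with one consistent separator ("-", " " or none),
# so "12-34-56" and "123456" match but a stray "9268 19" across two numbers does not.
SORT_CODE = re.compile(r"\b\d{2}([- ]?)\d{2}\1\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")                         # UK account number
IBAN_GB = re.compile(r"\bGB\d{2} ?[A-Z]{4}(?: ?\d{4}){3} ?\d{2}\b")  # GB IBAN, spaced or not
KEYWORDS = re.compile(
    r"\b(sort\s*code|account\s*(?:no\.?|number)|iban|bank\s*details)\b", re.I
)


def find_bank_details(text: str) -> list[str]:
    """Return the kinds of bank detail found in `text`.

    A bare six or eight digit number is not enough on its own (dates, file
    references and phone numbers would trip the rule constantly), so sort codes
    and account numbers are only reported when the message also talks about
    bank details.  An IBAN is distinctive enough to be reported by itself.
    """
    findings: list[str] = []
    if IBAN_GB.search(text):
        findings.append("iban")
    if KEYWORDS.search(text):
        if SORT_CODE.search(text):
            findings.append("sort code")
        if ACCOUNT_NO.search(text):
            findings.append("account number")
    return findings


def screen_outbound(message: dict) -> dict:
    """Decide whether an outgoing message may leave the firm.

    `message` is a plain dict with "subject" and "body" keys (an assumption for
    this example; a real gateway hands over its own message object, and any
    attachments would need the same scan).
    """
    text = f"{message.get('subject', '')}\n{message.get('body', '')}"
    findings = find_bank_details(text)
    return {"blocked": bool(findings), "findings": findings}


# Constructed sample messages, not real correspondence.
SAMPLE_MESSAGES = [
    {
        "subject": "Sale of 1 Example Street",
        "body": "Please send us your bank details by post; we cannot accept them by email or phone.",
    },
    {
        "subject": "Settlement funds",
        "body": "Our client account details are sort code 12-34-56, account number 12345678.",
    },
    {
        "subject": "Redemption",
        "body": "Please remit to IBAN GB29 NWBK 6016 1331 9268 19 before Friday.",
    },
    {
        "subject": "Dates",
        "body": "Settlement is fixed for 12-05-21; the file reference is 20210512.",
    },
]


def screen_samples() -> list[bool]:
    """Run the screen over the samples; True means the message would be held."""
    return [screen_outbound(m)["blocked"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, held in zip(SAMPLE_MESSAGES, screen_samples()):
        print(f"{'HELD   ' if held else 'allowed'}  {m['subject']}")
```

The first and last samples pass (a request to send details by post, and a message containing only dates and a file reference), while the two that carry real-looking details are held for a person to look at. The rule is deliberately tuned to hold rather than let through, which is the right bias for the author's purpose, and it only covers what the firm sends: it does nothing about a message altered on its way in, which is why the article's insistence on post, DX and a handwritten list remains the primary control.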
The low-cost option
What we should be aiming for is a situation whereby even if our entire IT system is compromised, even if the fraudster was sitting at a desk in our office with full access to the IT system, they could not find bank details anywhere.
These security methods are an “Aberdeen” type system where the cost of implementing them is zero. There would be no consultant’s fees to pay or expensive program to purchase to add an extra level of security to your IT system. As the late Margaret Thatcher said, “Not every problem can be solved by throwing money at it.”
Solicitors are supposed to be intelligent and clever people. If there are 12,000 solicitors in Scotland, we should be able to make some worthwhile contribution ourselves to tightening up security. If anyone has any positive suggestions in this respect, would they care to share them with the rest of the profession through the pages of the Journal?
Everyone directly involved in the £900,000 cyber fraud will probably remember it for the rest of their lives. In addition to the Society’s initiative, the legal profession should be putting their heads together to come up with methods to minimise the risk involved in these matters. The expenditure required here is of time and imagination, not money.
Ladies and gentlemen of the Scottish legal profession, over to you.