Almost all UK law firms vulnerable to email fraud, study shows

Robust defence of law firms’ email systems is critical to the £26bn industry in the face of increased impersonation attacks aimed at stealing money and data, claims security firm OnDmarc

Only one of the UK’s top 100 law firms has sufficient measures in place to protect against basic forms of email fraud, a study has revealed.

The research by cloud data intelligence firm OnDmarc follows reports that UK law firms saw an unprecedented 45 cases of cyber theft in the first quarter of 2017. With law firms under a duty to replace any lost client funds, OnDmarc warns that the financial burden of future email fraud attacks could be crippling.

With the threat of phishing attacks increasing by 65% in 2016, the company said the study’s findings are a stark warning to law firms in the possession of the strictest of confidential client information.

The use of fake or compromised email accounts to steal information increased by 39% in the last three months of 2016, according to a report published in March 2017 by email security firm Mimecast. By using spoofed emails, attackers typically pretend to be someone in authority, such as the CEO, to trick email recipients into sending them confidential data.

The practice, known as business email compromise, CEO fraud or whaling, is also commonly used to trick people into making money transfers to accounts controlled by cyber criminals.

“With over 10,000 law firms operating in the UK, handling sensitive and hugely confidential commercial and private data, there is a real opportunity for scammers to target the legal sector,” said Rois Ni Thuama, head of cyber security governance partnerships and legal at OnDmarc.

“Many law firms either don’t understand the risk or assume that their existing email systems will do the job of protecting them, even though our study very quickly demonstrated that it’s all too easy for a criminal to exploit these firms’ email domains in order to impersonate the company and send out fraudulent messages to external clients and stakeholders,” she said.

Most of the law firms polled incorrectly assumed that their existing IT security systems would cover their organisation against sender fraud.

According to OnDmarc, this is because these systems do not use defences such as the Dmarc (domain-based message authentication, reporting and conformance) protocol, which helps authenticate an organisation’s communications as genuine.

Dmarc has been approved and endorsed by the UK’s National Cyber Security Centre (NCSC) as an effective way of tackling email spoofing, with a 2016 pilot by HM Revenue & Customs blocking more than 300 million malicious or fraudulent emails.

Attackers sending fake emails purporting to be from the government have been one of the biggest problems in UK cyber security, but much of this is preventable by adopting Dmarc, according to the NCSC.
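As an added illustration, not part of the original article or of OnDmarc’s study, the following Python script shows what checking a domain’s defences against email impersonation amounts to in practice. It parses the TXT records a domain publishes for SPF and Dmarc and reports whether the Dmarc policy actually instructs receiving mail servers to quarantine or reject spoofed mail, or merely monitors it. The domain names and records below are constructed samples; a real audit would fetch the TXT record at `_dmarc.<domain>` with a DNS query, which is omitted here so the example runs offline.

```python
"""Assess SPF and Dmarc TXT records for enforcement strength (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    present: bool
    policy: Optional[str] = None           # p= tag: none, quarantine or reject
    subdomain_policy: Optional[str] = None  # sp= tag, if published
    pct: int = 100                          # share of failing mail the policy applies to
    reporting: bool = False                 # rua= aggregate-report address present
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when spoofed mail is actually quarantined or rejected, for all of it."""
        return self.present and self.policy in ("quarantine", "reject") and self.pct == 100


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' Dmarc record into a dict, tolerating whitespace and a trailing ';'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records: List[str]) -> DmarcAssessment:
    """Assess the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        # Receivers treat zero records, or more than one, as 'no Dmarc policy'.
        reason = ("no Dmarc record published, so receivers cannot reject spoofed mail"
                  if not dmarc else "more than one Dmarc record published, so receivers ignore all of them")
        return DmarcAssessment(present=False, findings=[reason])
    tags = parse_tags(dmarc[0])
    a = DmarcAssessment(present=True,
                        policy=tags.get("p", "").lower() or None,
                        subdomain_policy=tags.get("sp", "").lower() or None,
                        reporting="rua" in tags)
    try:
        a.pct = int(tags.get("pct", "100"))
    except ValueError:
        a.findings.append("pct= is not an integer; receivers fall back to 100")
    if a.policy not in ("none", "quarantine", "reject"):
        a.findings.append("p= tag missing or invalid; the record is not usable")
    elif a.policy == "none":
        a.findings.append("p=none only monitors; spoofed mail is still delivered")
    elif a.pct < 100:
        a.findings.append(f"pct={a.pct}: the policy applies to only part of the spoofed mail")
    if not a.reporting:
        a.findings.append("no rua= address, so impersonation attempts go unreported")
    if a.policy in ("quarantine", "reject") and a.subdomain_policy == "none":
        a.findings.append("sp=none leaves subdomains open to impersonation")
    return a


def assess_spf(txt_records: List[str]) -> List[str]:
    """Return findings for the domain's SPF record; an empty list means it looks sound."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["no SPF record published" if not spf
                else "more than one SPF record published; SPF evaluation fails permanently"]
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism; unlisted senders receive no verdict"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["'+all' authorises every host on the internet to send as this domain"]
    if qualifier == "?":
        return ["'?all' is neutral and gives receivers no signal"]
    if qualifier == "~":
        return ["'~all' is softfail; move to '-all' once Dmarc reports confirm all legitimate senders are listed"]
    return []


# Constructed sample records for three hypothetical domains (not real firms).
SAMPLES = {
    "example-enforcing.test": (["v=spf1 include:_spf.example-mail.test -all"],
                               ["v=DMARC1; p=reject; rua=mailto:dmarc@example-enforcing.test; pct=100"]),
    "example-monitoring.test": (["v=spf1 ip4:192.0.2.0/24 ~all"],
                                ["v=DMARC1; p=none; rua=mailto:dmarc@example-monitoring.test"]),
    "example-unprotected.test": (["v=spf1 a mx ?all"], []),
}


def audit_samples() -> Dict[str, dict]:
    """Run both assessments over the sample domains and collect the verdicts."""
    results = {}
    for domain, (spf_records, dmarc_records) in SAMPLES.items():
        d = assess_dmarc(dmarc_records)
        results[domain] = {"dmarc_enforcing": d.enforcing,
                           "findings": d.findings + assess_spf(spf_records)}
    return results


if __name__ == "__main__":
    for domain, result in audit_samples().items():
        print(domain, "enforcing" if result["dmarc_enforcing"] else "NOT enforcing", result["findings"])
```

The distinction the script draws between `p=none` and `p=reject` is the one that matters for the article’s finding: a firm can have “a Dmarc record” and still be fully impersonable, because `p=none` asks receivers only to report spoofing, not to stop it. The SPF check is included because Dmarc relies on SPF or DKIM alignment to decide which mail is genuine.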

Automated cyber defence

The NCSC is helping to implement Dmarc across all government departments as part of its Active Cyber Defence (ACD) programme, which is intended to tackle – in a relatively automated way – a significant proportion of the cyber attacks that hit the UK.

“We’re usually quick to blame human users as the most insecure element of the cyber security chain, but in the case of email spoofing, it’s the basic email systems that are being duped, which is a big reason why legal firms have experienced losses, mainly via phishing, of over £3m in just three months,” said Ni Thuama.

“Implementing Dmarc will enable the 99% of firms currently susceptible to email impersonation to combat this type of email fraud and thus help to prevent them from suffering reputational or financial damage with their client base further down the line.

“Legal firms such as Walker Morris should be applauded for implementing the necessary measures to thwart the risks of data theft,” she said.

Preventing email impersonation

In light of the compliance deadline of 25 May 2018 for the EU’s General Data Protection Regulation (GDPR), which is set to transform data protection, Ni Thuama said organisations in every sector should be encouraged to configure their domains to prevent email impersonation.

Business email compromise is rising rapidly in the UK, Mike Hulett, head of operations for the NCA’s National Cyber Crime Unit (NCCU), told Cybercon 2017 in Plymouth.

“These attacks have become increasingly sophisticated,” he said. “They have moved beyond simple phishing emails to sophisticated social engineering, with cyber criminals monitoring potential victims for months to work out their level of authority, when the chief of finance goes on holiday and who does what.”