- Cyber crime targeting lawyers is increasingly sophisticated.
- Practical steps a law firm can take to manage cyber risk include payment and instructions verification processes and staff awareness training.
- Law firms should have a plan in place for the steps to be taken if a cyber crime is attempted or effected.

Law firms hold and regularly transfer substantial funds and sensitive information, making them a target of cyber fraudsters or ‘threat actors’. Over the past 12 months or so, there has been an explosion in successful social engineering and ‘man-in-the-middle’-style cyber crime targeting lawyers and their clients, resulting in an increase in cyber-related claims against law firms, even when the firm’s systems have not been compromised.

A change in the threat landscape

Cyber crime is now big business, costing the world over $1 trillion in 2020, and threat actors and the associated criminal enterprises that underpin cyber crime are rapidly developing their operations to make even greater profits.
Threat actors are becoming more targeted, sophisticated and efficient with their attacks. They now regularly engage in strategic reconnaissance once they have unauthorised access to a compromised system to identify the best clients and transactions to target. The timing of their involvement in transactions to redirect funds and the quality of their communications have improved. This has made their attacks more effective and more difficult to identify if proper steps and procedures to mitigate cyber risk have not been implemented.