Legal update - Law firms’ cyber fraud losses grow – up 40% in a year

Published: Wednesday 20 July 2016

  • Email hacking and phishing on the rise – firms warned over rising losses
  • Firms expected to repay lost client funds immediately

UK law firms’ losses to cyber fraud have jumped by 40% in the last year alone as the costs of email hacking continue to rise, says Hazlewoods, Chartered Accountants and Business Advisers who specialise in the legal profession.

Hazlewoods says that the value of funds lost to cyber frauds at law firms in the six months from November 2015 to April 2016 totalled £2.53 million, up 40% from £1.81 million in the same period a year earlier.

Hazlewoods explains that there has been a sharp rise in the number of attempts by fraudsters to trick law firms into transferring funds to them by hacking the email accounts of the firms’ employees, or more commonly, their clients.

After gaining access to an individual’s email account – generally through a ‘phishing’ email – the fraudsters then email an employee at the law firm asking them to transfer funds to a bank account. If the employee transfers this money, it is generally withdrawn from the fraudulent account almost immediately, making it virtually impossible to trace or recover.

Hazlewoods adds that this type of fraud is a particular risk for firms dealing frequently with large transfers of funds, such as those handling probate cases and conveyancing.

The firm says that while losses to cyber fraud are still relatively modest, they can still amount to more than enough to force the closure of some of the smaller law firms that have fallen victim.

Hazlewoods warns that the Solicitors Regulation Authority (SRA) is duty-bound to take a hard line on firms that lose client funds to cyber frauds. In these cases the SRA expects firms to immediately replace the money lost from their own funds, without waiting for their insurance to cover the loss. If this is not possible, the firm and its owners risk serious reprimands from the regulator.

Andy Harris, Director at Hazlewoods, says: “Cyber fraud is now a clear and present danger for every law firm. The consequences of losing client funds to email hacking can threaten a firm’s existence.”

“For smaller law firms, replacing what can be hundreds of thousands of pounds of client funds from their own accounts might be impossible, and that would bring the risk of sanctions from the SRA into play.”

“Every law firm needs to ensure that all its staff are trained to be vigilant, and treat with suspicion any request for a transfer of funds. If a client requests via email that money be transferred, it’s critical that the firm verify the request over the phone or in person.”

“Some of these frauds involved the firms’ own email accounts being hacked, so all employees need to follow some basic data security rules – don’t use easily-guessed passwords, update your antivirus software on a regular basis, and don’t log into your email account when you’re on public wifi. All staff should also be given training on identifying suspected phishing emails.”

This article was first seen in The Brief on 18 July 2016.