07.10.2015 Views

InView Autumn/Winter 2015

Welcome to the second issue of InView where we focus on the highly topical and hugely important issues surrounding technology, including cyber risks.

Issue 2 | Autumn/Winter 2015

Professional service firms are a key target for cyber criminals owing to the type of data they hold, the type of transactions they do, the access they can provide to other organisations and, in the case of some law firms, the large sums of money they hold on client account.

No professional firm considers itself bomb-proof against cyber attacks, but a large number still view cyber fraud as an IT problem and tackle it with an IT solution. That attitude is outdated. Fraudsters rely on human fallibility and our desire to be helpful. Weightmans have been instructed to deal with cases involving two distinct types of cyber scam that demonstrate the lengths the fraudsters are prepared to go to, the lucrative nature of cyber crime and just how helpful staff members can be.

The delayed transaction scam

Phishing is the practice of sending emails carrying attachments (often PDFs) or links that, when opened, install malware on the recipient's system. Unbeknown to the recipient, that malware then sits there gathering information for the fraudster; in this particular instance, confidential details about a client transaction.

Armed with the necessary information, the fraudster was able to manipulate the communications between lawyer and client to redirect the proceeds of the transaction in his direction.

The scam went along the following lines. The fraudster sent an email to the solicitor purporting to be from their client, notifying the solicitor of new bank account details into which the monies due to the client on completion of the transaction were to be paid. At the same time the fraudster sent an email to the client, purporting to be from the solicitor, stating that completion of the transaction would be delayed by seven days.

The solicitor, acting on what it believed to be the client's instructions, paid the completion monies to the new account, an account connected to the fraudster. The client did not miss the money until the seven-day period had expired, by which time the fraudster had moved the monies, or a considerable part of them, beyond the jurisdiction.

The leak of confidential information and the loss of money exposed the firm to the risk of legal action by the client. There can be severe regulatory implications too; implications that could, in the above example, have been avoided through a simple financial governance procedure concerning the release of client funds, for example confirming any change to payment details with the client by telephone on a previously known number before the funds are released.

The online banking scam

Vishing is phishing conducted over the telephone: a form of social engineering in which the fraudster uses information they have found out about the firm or the particular individual to gain that person's trust and trick them into giving up confidential information. In the cases in which we acted, this included the passcodes to the firms' client accounts.

Targeting firms holding significant sums on client account, the fraudsters struck on a Friday afternoon when, typically, the accounts teams are very busy. The fraudsters used information about the firm obtained from public sources, and about the client account itself (probably obtained using phishing emails and malware), to gain their confidence and duped staff into helping them transfer large sums of money into bank accounts that they controlled.

The key to the fraudster's success was persuading the unsuspecting member of the accounts team that they were calling from the fraud team of the firm's bank because suspicious activity had been noted on the firm's account. This was done by referring to legitimate transfers that had been actioned, transfers the fraudster could detail because they had already accessed the firm's online bank account. They then asked the individual whether the firm was attempting to send a large amount of money to a named third party, a transfer they claimed to be able to see someone attempting to make. This was entirely fictitious, but it had the desired effect of creating panic in the individual's mind, so when the fraudster asked the individual to help him stop the transaction he obliged by providing passcodes that allowed the fraudster to withdraw significant sums from the firm's client account. This money was then quickly transferred out of the jurisdiction so that it could not be traced.

Tips for better protection from cyber crime

1. Raise awareness: staff need to be alive to the risk that the firm could be attacked through them and of the need to be vigilant at all times.

2. Keep PINs, passcodes and security records safe and ensure that workstations are locked when not in use.

3. Monitor password and information security policies and ensure they are adhered to.

4. Record incidents of attacks, learn from them and make staff aware of them.

5. Ensure antivirus software is up to date and firewalls are installed.

Mickaela Fox, Partner

0151 242 7963

mickaela.fox@weightmans.com