The Problems of Conveyancing Theft
It probably comes as no great surprise to anyone that the Solicitors Regulation Authority (SRA) has identified email hacks of conveyancing transactions as the most common cybercrime in the legal sector, with £7m of client losses reported in the last year. This not particularly startling revelation came in their report “IT Security: Keeping information and money safe“ which was published at the beginning of December 2016.
Fast forward just over a month to the 23 January 2017 and the papers were reporting yet another real-life example of the problem. The Telegraph (as well as many other papers) carried the sad story of first-time buyer Howard Mollett who, its states, was tricked into paying over £74,000 to a fraudster posing as his solicitor over email. In the article Mr Mollett claims that he was never warned about the threat of online criminals by the firm carrying out the transaction for him and that the firm only put a “cybercrime alert” at the bottom of their emails on the day he discovered he had become a victim of conveyancing fraud.
“Solicitors are failing to warn clients about the risks of using email during property transactions,” the Telegraph article stated, “despite explicit guidelines from anti-fraud authorities and their own trade body, the Solicitors’ Regulation Authority.”
The facts of this case are a salutary lesson for all firms of the need to be vigilant at all times and to take especial care to ensure that their systems are not compromised and that clients are aware from the outset of the means by which they will be communicated with, funds transmitted and received and the transaction effected.
The problems faced by Mr Mollett also highlight one of the difficulties of this area – namely who is responsible. Mr Mollett claims that the firm acting for him, Middlesex-based Sethi Partnership, were at fault since the fraudsters used an email address of one of their members of staff whilst the firm claims that there were no flaws in their IT systems and that it was the client’s careless actions that led to the loss.
Wherever the blame lies, clearly there are issues here about which firms and clients alike need to be more careful.
The Growth in Cybercrime
That cybercrime is a growing problem for everyone involved in legal services is not in any doubt. The SRA report in December reveals that not only were there £7m of client losses reported in the last year but that three-quarters of cybercrimes reported to the SRA in previous 12 months involved some form of “Friday afternoon” fraud. This involves criminals modifying emails directly, usually by hacking into the email system of an individual, and altering the emails and bank details so that funds go to the criminal rather than the solicitor’s or client’s account. These scams often take place on a Friday because this is the day upon which most conveyancing transactions are completed and firms are likely to be at their busiest (and therefore potentially less vigilant).
Whilst there can be few firms that are not aware of the problems posed by conveyancing fraud, knowing what to do about the problem and how to protect clients may be something about which they are less sure.
The SRA are quite clear on the point that it is the “job of firms to take steps to protect themselves and their clients”. To assist firms with this they have published guidance on how to manage online security – from cloud computing to the latest cybercrime trends.
However, the SRA also stress that if firms are to protect themselves and their clients from cybercrime threats then they must exercise constant vigilance – on all fronts. The most commonly reported attack against law firms, the SRA state, is email-modification fraud, which not only relies on weaknesses in systems but also on deception. In other words whilst technological systems are important so too is the need to ensure that staff are well trained and aware of the problems and in particular are aware as to how revealing information or responding to suspicious emails can lead easily to the firm’s systems being compromised.
Where does the cybercrime duty lie?
So who is responsible for ensuring that a client is not a victim of cybercrime?
Clearly, the primary duty lies with solicitors to take adequate steps to protect clients. Outcome O (1.2) states that you must “provide services to your clients in a manner which protects their interests in their matter” whilst Outcome O (1.5) states that “the service you provide to clients is competent, delivered in a timely manner and takes account of your clients’ needs and circumstances”
Outcome O (1.12) goes on to provide that you must ensure that “clients are in a position to make informed decisions about the services they need, how their matter will be handled and the options available to them” whilst Outcome O (4.5) requires that “you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.”
Thus so far as advising your clients is concerned, there is a clear onus upon you as solicitor to ensure that clients are made aware of the dangers of cybercrime, the steps that they should take, and you will be taking, to mitigate any effect which it might have and what they must not do in terms of making payments and relaying sensitive information.
In addition, Outcome O(7.2) requires that “you have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook, where applicable” and Outcome O (7.4) requires that “you maintain systems and controls for monitoring the financial stability of your firm and risks to money and assets entrusted to you by clients and others, and you take steps to address issues identified”. Thus, taking these two Outcomes together Outcome O (4.5) it can be seen that the primary onus is upon you to ensure that the methods by which any transactions are undertaken are as safe and secure as it is possible for them to be.
That said, however, falling victim to cybercrime is not necessarily a failure to meet the SRA’s regulatory requirements. The SRA accept that no defence is perfect but that they do “expect firms to take proportionate steps to protect themselves and their clients’ money and information from cybercrime attacks while retaining the advantages of advanced IT.” Thus, if a law firm loses client money or information to cybercrime then the SRA will “consider whether there has been a breach of our Code of Conduct. Firms should report these cases to us even where, in the case of stolen money, that money has been replaced.”
In addition to the responsibilities that firms owe to the client, there is also a duty to the SRA. Outcome O(10.3) states that you must “notify the SRA promptly of any material changes to relevant information about you including serious financial difficulty, action taken against you by another regulator and serious failure to comply with or achieve the Principles, rules, outcomes and other requirements of the Handbook.” Thus, firms must inform the SRA if they lose client money or information – even where, in the case of stolen money, that money has been replaced.
Firms should also let the SRA know about failed attacks (as this will put the SRA in a better position to advise firms on how to protect themselves) and about instances of where the client has been affected by cybercrime without the solicitor being involved – for example where the client has been tricked into sending money to criminals rather than to the solicitor.
The Steps Firms Should Take
There are no simple, step-by-step processes that firms can take to entirely prevent themselves, or their clients, from becoming the victims of cybercrime. As soon as one solution emerges, the criminals find ways to circumvent them.
However, there are a number of things that firms can do in order to reduce the chances of such an event occurring, several of which are referred to in the SRA’s December report. Everyone in practice should read this report – which can be found on the SRA website at www.sra.org.uk/risk/resources/information-security-report.page – as it is an excellent summary of many of the issues that firms face and makes it clear that cybercrime is not just something that happens to someone else.
The SRA suggests that a reasonable aim is for firms simply to become a harder target for criminals since a good defence – including well-trained staff – will deter most attackers. There are, however, a number of areas that firms should consider, including:
- Business culture – look at the firm’s procedures, policies and structures in their broadest sense. Look at whether the firm has efficient processes for handling money (as opposed to ad hoc methods that may vary according to which staff member is dealing with it) with clear reporting lines. Check that everyone involved acknowledges that cybercrime is a problem – there are still a large number of “flat-earth” believers who take the view that cybercrime is overstated and unlikely to affect them. Make sure that all staff are trained in recognising cybercrime methods (such as phishing, identity theft and hacking) and that they know not to open suspicious emails and attachments.
- Friday Afternoon Fraud – if your firm undertakes conveyancing work, be very aware of the issue of Friday afternoon and similar email modification scams. Look objectively at how you process conveyancing transactions – especially at times when the office is very busy – and try and identify potential gaps in your processes and procedures which could allow cybercriminals into your system. Bear in mind that cybercriminals are likely to know which conveyancers and others are likely to hold and deal with large sums of client money and which of them are likely to be the softest targets. Be particularly aware of attempts to divert funds either to or from clients.
- Systems for handling money – think about your systems for handling money – including how it is done and by whom. Set up known safe accounts in advance of completion day and make sure that clients are aware that these will not be changed by you at the last minute. Confirm client and third party accounts by making a small deposit (as little as £1) and getting the client or third party to confirm receipt. In particular, be suspicious of any request to change payment details and make sure that clients are similarly wary. If you don’t know the lawyer or third party to whom money is to be sent take steps to verify them and their details (including bank details) well before you need to send money.In addition, have policies in place within the firm to ensure that only approved staff can transfer money, consider the use of certification schemes such as Cyber Essentials and, if you think the firm is particularly at risk, get expert advice – possibly from a source approved by your insurer.
- Training – it is impossible to overstate the importance of training within the firm. The vast majority of cybercriminals focus on the weakest link – which is your people – and only by training them and making them aware of the problems will you stand any chance of staying safe. In particular:
- make sure that staff are aware of the more common scams and that they avoid, at all times, opening unsolicited mail and attachments – even if they think that they have come from a reputable source;
- ensure that staff do not use unapproved devices on your systems such as memory sticks, SD cards or hard drives;
- instil in staff the vital importance that passwords play in keeping the firm secure and that the passwords used are secure, strong and changed regularly. In particular, make sure that staff do not share passwords with each other;
- make sure that staff are aware of the importance of keeping information secure at all times – including when travelling between home and the office and on business journeys. Laptops and storage devices should be password protected and sensitive information should not be opened where others can view it;
- make staff aware of the need to be suspicious about any requests to change details about a person – especially email addresses and payment details such as bank accounts;
- ensure that staff are aware of the dangers posed by social media and have in place, and enforce, a strict social media/internet/email usage policy
- Monitoring – bogus firms and identity theft are two common ways in which cybercriminals can defraud clients; either by setting up totally fictitious transactions into which clients are drawn or by diverting information, assets or funds from legitimate transactions. It is essential that firms monitor their online presence and ensure that others are not seeking to use their identity for criminal purposes. This applies as much to websites as it does to other forms of online presence such as social media and email addresses.
- IT systems – none of these more procedural and people-based steps will make a difference if your IT system is not secure and robust. Steps must be taken by you to ensure that viruses, Trojans, malware, spyware and ransomware are kept at bay at all times. These include:
- ensuring that all software and applications are kept up to date;
- limiting the software and applications that are loaded onto your system to those that are known and trusted – in particular staff should be prohibited from installing any programme on your system or on any device that they use which connects to your system such as personal laptops;
- making sure that antivirus systems, firewalls, adware blockers and all other similar security programmes are kept up to date;
- ensuring that encryption is used wherever possible – especially on mobile devices, and laptops;
- backing up files on a regular basis and ensuring that such backups can easily be accessed in the event that they are needed to restore the system. At least one backup that is not connected to the system should be kept in the event that others are compromised;
- limit access to files and data to those who need access and ensure that all staff are aware of the dangers of emailing sensitive data – even as an attachment;
- set up secure remote access to data so that staff do not have to carry files around on hard drives and memory sticks – check out the security of any cloud-based system before committing sensitive data to it and where necessary take expert advice as to this;
- look at the practicalities of using digital signatures or using an encrypted mail service such as ProtonMail, TutaNota or Mailfence
For further information on cybercrime issues see:
- A number of reports produced by the SRA, including:
- IT Security – keeping information and money safe – www.sra.org.uk/risk/resources/information-security-report.page
- In the shadows: Risks associated with bogus firms – www.sra.org.uk/risk/resources/risks-associated-bogus-firms.page
- Spiders in the Web – the risks of online crime to legal business – www.sra.org.uk/risk/resources/online-crime-legal-business.page
- Silver Linings – cloud computing, law firms and risk – www.sra.org.uk/risk/resources/cloud-computing-law-firms-risk.page
- Several Practice notes and reports published by the Law Society, including:
- Protecting your firm if you fall victim to a scam – www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-firm-if-you-fall-victim-to-a-scam/
- Protecting your firm against scams – www.lawsociety.org.uk/support-services/practice-management/scam-prevention/
- Information Security – www.lawsociety.org.uk/support-services/advice/practice-notes/information-security/
- 10 Steps to Cyber Security – published by the National Cyber Security Centre – www.ncsc.gov.uk/guidance/10-steps-cyber-security
- The various cyber security resources to be found on the GOV.UK web site – www.gov.uk/government/policies/cyber-security
- The government’s “Cyber Essentials” scheme – www.gov.uk/government/publications/cyber-essentials-scheme-overview
- Action Fraud – www.actionfraud.police.uk/