Keeping Emails Safe
Introduction
A July news release from the Solicitors Regulation Authority (SRA) reveals that there have been a record number of reports of cyber thefts from law firms. The release states that more than double the number of reports of cyber theft in the first quarter of this year (compared to last year) have been received and triple the amount (£3.2m) stolen. The release cites house moves as being the main target and states that a total of £11m of losses have been reported for the year April 2016 to March 2017.
The news release goes on to reveal that around three-quarters of the cyber thefts involved some form of email hacking fraud, with around half of the cases involving money being used for house moves. This is a statistic which is backed up by the National Fraud Intelligence Bureau, who have reported increased risks in this area, with an 85 percent increase in theft of property deposits in 2016. Other targets for cybercriminals include inheritance money and law firms’ own money.
As electronic transactions and the use of email continue to increase, so must there be an increasing level of vigilance on the part of solicitors to make sure that they do not fall victim to crimes of this nature. The SRA acknowledges that whilst the clear majority of solicitors act properly, many are not taking the steps that they need to in order to protect clients.
The latest Risk Outlook published by the SRA in July highlights yet again the importance that it places upon firms protecting the information which they hold about clients and taking care to safeguard clients’ money and assets. In both cases, they stress the need for firms to be aware of the cyber-related risks which they face and in particular the need for sensitive data to be encrypted and for firms to have adequate systems and controls in place in order to protect client money.
The Vulnerability of Electronic Data
The problem that firms face today when compared with the “old days” (i.e. before the advent of mass electronic systems) is that it is now just too easy for data to be lost, inadvertently shared or stolen in comparison with when files were in paper format and kept (in most cases) in locked filing cabinets.
Whilst the Risk Outlook from the SRA acknowledges that electronic data has some benefits – such as encryption and backups – over written and verbally communicated information (which always suffered from the risk of being lost, damaged or destroyed by fire), nevertheless protecting that electronic data presents firms with new and different challenges. For example, it is easier to send an email to the wrong address than it is a letter, and cybercriminals do not need physical access to steal information.
The Outlook states that the SRA receives around 40 reports of confidentiality breaches each month – some of which are due to error or negligence on the part of the solicitor but many of which are due to the intentional, criminal acts of others in the form of cybercrimes such as inducing users to download malware, phishing attacks, identity theft and the impersonation of others within the firm – sometimes referred to as “CEO fraud”.
Of all of the threats facing firms, however, email fraud, as the SRA news release acknowledges, appears to be the most frequent.
Email is too easy
Email has become the most widely used method of communication. In most sectors, it has all but replaced the written and posted letter as the primary method of communication. It is inevitable that this should be the case. Emails are usually far easier to type and send than a physical letter and with the vagaries of the postal service, usually get to their intended recipient far more quickly. From a creation point of view they are also easier. Their content tends to be less formal and more succinct, documents and files can be sent with an email by way of an attachment and in many cases the email can be marked with a request for a delivery receipt.
However, it is this ease of use that can often create many of the problems that users experience when sending emails. They can more easily be sent to the wrong recipient. They can easily have the incorrect attachment sent with them. They can be badly worded and consequently convey the wrong meaning. They can be intercepted by cyber criminals and, unless encrypted, read and used for illegal purposes. They can be created fraudulently. They can have malware and viruses attached to them easily and even unwittingly. They can be copied to multiple recipients.
Thus, for many businesses, especially law firms, they have become both the most effective communication method as well as the primary source/risk of security breach. Indeed, for the law firm, the time could well have come when their very use – or at least the way in which they are used at present – needs to be brought into question.
The problem, of course, is that for many firms there is no alternative. Clients want to use emails and banks and bodies such as the Land Registry and the Courts want to be able to carry out electronic transactions. That leaves the firm being the one blamed when things go wrong. For that reason alone, it is essential that any firm that uses emails and other forms of electronic communication ensures that everyone working within the firm – from the most senior partner to the most junior member of admin staff – understands the risks and knows how to avoid them and that all are required to follow agreed procedures to ensure that those risks do not become reality.
How can email risks be avoided?
The problems associated with the sending of emails have become so great that, were this a new technology seeking adoption for the first time, it would probably be dismissed as being inherently unsuitable for use in legal practice. However, because this is a technology which has developed over the years and whose problems and vulnerabilities have arisen incrementally, we do not have the luxury of rejecting it. We simply have to make the most of it.
Whilst it is true that many of the risks which firms face come from cleverly engineered exploits and viruses, it is also true that many arise simply because not enough thought is put into the act of sending, opening or processing an email. Thus, whilst firms must take steps to prevent themselves from being hacked by, for example, putting in place firewalls and anti-virus software, they must also take steps to ensure that the people working there do not become the weakest link in the security chain. This can only really be achieved by means of rigorously applied policies and procedures, training and the provision of information to educate partners and staff in what to do and not to do.
What are the risks?
The risks associated with sending emails seem to grow by the day, and more and more new terms are being created to describe the characteristics of attempts at cyber fraud.
Thus, where once there was only “phishing” (which we will look at shortly) now there is also spear phishing, clone phishing, whaling, email spoofing, phone phishing and tab-napping. For reasons of brevity we shall merely provide a snapshot of some of the more common problems of which firms need to be aware. Bear in mind, however, that whilst it is the fraud-based issues that can lead to firms falling foul of the SRA’s standards for security of client funds and property, there are many other email-based issues which firms need to take into account. Thus, if they are planning to produce an email policy (which it is strongly recommended that they do), they should cover in that policy issues including time management, information overload and discrimination.
Fraud and Cyber Crime
By far the most problematic area for firms is that of fraud and cyber crime. As identified by the SRA, one of the main ways in which malicious or destructive software can get onto networks and devices is through email. Links to viruses and malware download sites and infected attachments are the most common ways in which this is achieved and users need constantly to be alert to the fact that, if they are at all unsure about the source of an email they should not be following any links or opening any attachments.
Another way in which emails can be used as a vehicle for fraud is through phishing emails. These are intended to persuade users to impart personal information by pretending to have come from a reliable sender – for example a business that the user would assume to be trustworthy, an official organisation such as a bank or a government department, a genuine website, or a reputable online service. Those who carry out phishing tend to do it using emails and websites that are made to look like the genuine email or website of the organisation being impersonated. If in doubt do not follow any links, reply with any information or download any attachments.
Email users must be very alert to this as the fraudsters who use this method are getting ever more devious. For example, some phishing emails fool the user into thinking that their bank or online account has been compromised and that they need to act quickly by providing the details set out in the phishing email. Usually that information will include their username and password to an account. All email users need to be vigilant and staff need to be made aware of the fact that they must never respond to these emails.
One easy way to check whether a link or web site is genuine is to hover over the link with a mouse pointer and see whether the address for the link corresponds to the genuine address for the web site. Thus, if the email purports to come from Bloggs & Co Solicitors, whose web address is www.rty-ew.ru/bloggssolicitors then this is likely to be someone passing themselves off as Bloggs Solicitors – no matter how convincing the email looks. The SRA regularly publish details of fraudulent emails and web sites on their own web site at www.sra.org.uk/alerts/ and it is even possible to have them sent to your Facebook page so they can easily be checked on your phone or tablet.
Apart from fraudulent emails intended to trick there remains the old, ubiquitous problem of spam. Spam, or junk mail, is any unwanted email that is sent to your inbox. Often it serves no purpose other than to annoy although it can also be used to advertise a product, service, or event. Although mostly harmless, spam can however be used to introduce malware to your device or be part of a phishing attack.
So, to remain safe, all partners and staff should be advised to ignore and/or delete unsolicited emails, not to click on any attachments or links unless they are absolutely sure of their provenance and to follow these simple rules:
- Always be wary of any email that asks for confidential information – especially if that information is about financial matters, a client, logins and passwords, personal data or information about the firm. Most genuine emails from legitimate senders will not seek sensitive information by email. If in doubt contact the sender USING AN INDEPENDENTLY VERIFIED EMAIL ADDRESS OR TELEPHONE NUMBER and check whether the request is genuine.
- If an email suggests clicking a link to go to a web site, rather than using the link provided open a browser and search for that link or company and follow the browser search suggestion. Again, if there are doubts as to whether a particular company sent an email contact them and check.
- Never let yourself be hurried or pressured into giving away sensitive information. Fraudsters like to scare users into making a rash decision in haste so that the user does not have time to question the validity of the message. Things to watch out for are emails telling you that you are about to have money taken from your account by fraudsters unless you phone your bank and provide them with your bank details, that an account is about to be disabled unless you login and update your personal information or that your “allowance” has been exceeded for things such as email or cloud storage or for the use of a service and that you need to login to an account to deal with it. As ever, contact the genuine version of the alleged sender of the message directly to confirm the authenticity of their request.
- Don’t regularly sign up to web sites and newsletters without first checking their privacy policy to make sure that they will not sell your details as part of a mailing list. A considerable proportion of the spam you receive (including potentially dangerous phishing emails) comes as a result of sites you have signed up to that have passed on or sold your details to another company. Most reputable commercial websites will have a privacy policy (a link to which can normally be found at the foot of their home web page) which will confirm whether or not your details will be made available to others.
- Be aware of emails and requests that are badly worded or contain spelling and grammar errors or use idiomatic phrases and expressions that sound as if they have been translated by someone for whom English is not their first language. Also, be aware that fraudulent emails will often not be personalised to the recipient because they are being sent out to a huge number of potential victims. Fraudsters know that 99% of recipients will not respond – it is enough if 1% do – so they send out many thousands of emails. Thus, an authentic email from someone with whom you have done business is likely to contain a reference or account/customer number and is likely to be addressed to you by name. Many phishing emails, however, will be addressed “Dear Sir/Madam”, and may even come from a bank with which you don’t have an account.
- Under no circumstances send confidential information via a form within an email.
- Make sure any anti-spam/virus software is effective and kept up to date.
- Finally, don’t visit untrustworthy websites or download unevaluated freeware or shareware NO MATTER HOW URGENT THE NEED.
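The hover check described above (does the address a link actually points to match the address it shows?) and the rules in the list just given can be turned into a simple triage script. What follows is an added example, not code from the article or from the SRA: it parses the HTML body of a suspect message, reports any link whose visible text names a different registered domain from its real target, and flags the other indicators the list mentions (a generic greeting, pressure to act quickly, and a request for login details). The sample message, the domains in it and the phrase lists are constructed for the demonstration.

```python
"""Inbound e-mail red-flag checker (added example, not the article's code).

Automates the article's checklist for a suspicious message:
  * link text that shows one domain while the href points to another,
  * a generic greeting instead of the recipient's name,
  * wording that pressures the reader to act at once,
  * a request for a username, password or similar credential.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link names the firm, the href goes elsewhere.
SAMPLE_HTML = """
<p>Dear Sir/Madam,</p>
<p>Your account will be disabled within 24 hours unless you verify your
username and password at
<a href="http://login-verify.example.net/bloggs">www.bloggs-solicitors.co.uk</a>.</p>
"""

# Suffixes under which the registered name is the third label from the right.
SECOND_LEVEL = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.nz"}
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user", "dear valued")
URGENCY = ("within 24 hours", "immediately", "will be disabled", "will be suspended", "act now")
CREDENTIALS = ("password", "username", "login details", "pin number")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registered domain: example.net, bloggs.co.uk, ..."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def apparent_host(link_text):
    """Host the link text *claims* to be, or None if the text is not URL-like."""
    match = HOST_RE.match(link_text.strip())
    return match.group(1).lower() if match else None


def check_message(html):
    """Return a list of human-readable findings for an HTML e-mail body."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = urlparse(href).hostname
        shown = apparent_host(text)
        if real and shown and registrable_domain(real) != registrable_domain(shown):
            findings.append(f"link text shows {shown} but points to {real}")
    body = " ".join("".join(parser.text_parts).split()).lower()
    if any(g in body for g in GENERIC_GREETINGS):
        findings.append("generic greeting, not addressed by name")
    if any(u in body for u in URGENCY):
        findings.append("pressure to act quickly")
    if any(c in body for c in CREDENTIALS):
        findings.append("asks for login credentials")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_HTML):
        print("-", finding)
```

The domain comparison deliberately works on the registered domain rather than the full host, so `mail.example.com` linking to `www.example.com` is not reported, whereas a link whose text names the firm but whose target sits under a completely different registration is. The phrase lists are illustrative; a firm would extend them from the fraudulent messages it actually receives.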
Confidentiality
A major risk for any law firm comes from inadvertent or intentional breach of confidentiality in an email or electronic message. The need to protect client, personal and other confidential information is vital to ensure that the firm complies with regulations and legislation and it is essential that partners and staff be made aware that using ordinary, open emails can have the same lack of confidentiality as sending a postcard through the post. It should always be assumed that an email can, and will, be read by anyone and any attachments downloaded by anyone.
Given the ubiquity of emails already referred to, this is not always easy and firms need to consider how they are to maintain confidentiality. It is absolutely essential, therefore, that EVERYONE in the firm does NOT send confidential information through ordinary email unless it is securely encrypted, and in particular that commercial email services such as Hotmail, Gmail and iCloud are not used for business purposes.
A further point of which to be aware is not to use email inboxes (which are inherently insecure) for the storage of confidential information. Email is intended to be a method of communication, not storage, and therefore important emails should be filed in the same way that important letters or documents would be – in the client file – rather than being kept in the email system.
Not all breaches of confidentiality come about as a result of intentional fraud or criminal activity. Inadvertent breach can occur, and the most common way for this to happen is from information being sent to the wrong person or the wrong attachment being added to an email to the right person. Be particularly wary of “Reply to All”, as the sender can never be sure to whom the original email was sent. Far better to do a reply and then add any additional recipients one at a time.
Among the steps that users can take to ensure that confidentiality is not breached are:
- Do not redirect or forward emails from an office email account (which might be a secure account) to an external or personal email account such as Hotmail or Gmail. These accounts are not only more likely not to be secure but may also store data outside the EU and place the firm in breach of Data Protection legislation.
- Always double-check that the correct email address has been used before sending an email.
- Never reply to an email immediately as a ‘knee-jerk’ reaction. Wait and reply in a considered manner which will provide the opportunity to correct the email or have second thoughts as to the security of the recipient.
- Never put confidential information in the body of an email or in an attachment unless it is encrypted and the encryption pass-phrase has been communicated to the recipient BY MEANS OF A DIFFERENT COMMUNICATION METHOD. That means using a text or phone method – not just another email which could also be intercepted. Remember confidential client information belongs to the client, not the firm and the firm does not have the client’s permission to take risks with their data.
- If you don’t have bespoke secure email facilities in your firm, consider using a secure email service such as ProtonMail, Tutanota or Mailfence and suggest to clients that for the purposes of a confidential transaction they do likewise.
- Warn the recipient beforehand if you are sending an email which contains confidential information so that they only open it, or any document attached to it, in a secure environment. Include the word “CONFIDENTIAL” either in the email header or the attachment’s file name.
- Avoid the use at all times of the auto-complete function. Not only can address lists become corrupt or out of date – resulting in the email being sent to someone unexpected – but there may be autocomplete data that you did not wish to transmit.
- Beware of keylogging software that might have got onto your computer as this could breach confidentiality. Key-loggers capture what you type right from your keyboard – before any secure email encryption software can protect it.
- Be aware of your surroundings when accessing emails – especially on a mobile device. Someone could be reading over your shoulder. The best policy is not to access confidential or sensitive information in a public place.
- Don’t leave mobile devices and computers unguarded. If you leave your desk log out and make sure messages are not left on screen.
- Never write down or share any passwords.
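Several of the confidentiality steps above (no forwarding to personal webmail, double-checking the address, avoiding an unintended “Reply to All”, and never sending confidential content outside the firm unencrypted) can be enforced by a check that runs over a draft before it is sent. The following is an added example, not the article's or any vendor's code: it models a draft as a small record and returns warnings for each rule the draft breaks. The firm domain, the recipient addresses and the message are constructed for the demonstration; a firm's own domain and reply-all threshold are assumptions to be replaced.

```python
"""Pre-send confidentiality check for outbound mail (added example).

Rules applied, following the article's list:
  * warn for recipients at consumer webmail services (Hotmail, Gmail, iCloud ...),
  * warn when a recipient domain is one character away from the firm's own
    domain, which usually means a mistyped address,
  * warn when content marked CONFIDENTIAL (in the subject or an attachment
    name) goes to anyone outside the firm without encryption,
  * warn when the recipient count suggests an unintended Reply to All.
"""
from dataclasses import dataclass, field

FIRM_DOMAIN = "bloggs-solicitors.example"   # assumed firm domain for the demo
CONSUMER_WEBMAIL = {"hotmail.com", "gmail.com", "icloud.com", "outlook.com", "yahoo.com"}
REPLY_ALL_THRESHOLD = 5                     # assumed; tune to the firm's practice


@dataclass
class Draft:
    recipients: list          # To + Cc addresses
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names
    encrypted: bool = False   # True once the content has been encrypted


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot a one-character typo in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_marked_confidential(draft):
    """The article's convention: CONFIDENTIAL in the header or attachment name."""
    marker = "confidential"
    return marker in draft.subject.lower() or any(
        marker in name.lower() for name in draft.attachments)


def check_draft(draft):
    """Return the list of warnings a sender should resolve before sending."""
    warnings = []
    external = [r for r in draft.recipients if domain_of(r) != FIRM_DOMAIN]
    for recipient in external:
        domain = domain_of(recipient)
        if domain in CONSUMER_WEBMAIL:
            warnings.append(f"{recipient}: consumer webmail account")
        elif edit_distance(domain, FIRM_DOMAIN) == 1:
            warnings.append(
                f"{recipient}: domain is one character off {FIRM_DOMAIN}, possible typo")
    if is_marked_confidential(draft) and external and not draft.encrypted:
        warnings.append("confidential content to external recipients without encryption")
    if len(draft.recipients) > REPLY_ALL_THRESHOLD:
        warnings.append(
            f"{len(draft.recipients)} recipients: check this is not an unintended Reply to All")
    return warnings


# Constructed draft: a client on Gmail, a mistyped colleague address, and a
# CONFIDENTIAL attachment that has not been encrypted.
SAMPLE_DRAFT = Draft(
    recipients=["client@gmail.com",
                "partner@bloggs-solicitor.example",
                "associate@bloggs-solicitors.example"],
    subject="CONFIDENTIAL: completion statement",
    body="Please find the completion statement attached.",
    attachments=["CONFIDENTIAL-completion-statement.pdf"],
)

if __name__ == "__main__":
    for warning in check_draft(SAMPLE_DRAFT):
        print("-", warning)
```

Where a firm's mail system allows it, this sort of check belongs in a transport rule or an add-in that blocks the send until the warnings are cleared; run as a script it at least shows what each rule catches on a realistic draft.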
To summarise the dangers of emails, it is probably safest if all users assume that anything which can be done to intercept information or fraudulently gain access to accounts will be done, or at least attempted, at some point during the year. Then, if it doesn’t you can be pleasantly surprised.
Other Email Risks
The preceding highlights two of the risks that exist with the use of emails. We will look at other risks including risks to time management, information overload, discrimination and cyber bullying, misunderstandings, tone of voice and lazy practices in a future article.
What should firms be doing to protect themselves?
We have covered a number of steps that firms can take in the article so far, including using secure email and educating users on what to do and not to do. However, one of the most positive steps that a firm can take is to implement and enforce a safe email policy and to ensure that ALL staff are trained on its terms.
Clearly formulated policies help firms to make sure that the decisions that are made within the firm and which affect partners and staff are well thought out by management, understood by those whom they affect, are consistent and fairly applied and take full account of their effect on all areas of activity. What is more, the effort which goes into devising them will help ensure that they satisfy legal requirements and go some way towards contributing to a productive relationship between the firm, partners and staff.
Before introducing a new email policy, the firm needs to find out what partners and staff are currently doing, and in particular:
- how emails are currently sent and handled – in other words a brief fact-find needs to be undertaken to learn the current processes, practices and procedures which staff employ when creating, sending, retaining, retrieving and deleting emails
- the types of devices being used for handling email
- the types of content being sent or received by email – including that which is within the body of the message and that which forms attachments.
- the types of practices that are encouraged or tolerated for individual email accounts
- how partners and staff archive emails and how often those archives are used
- for how long emails are kept
- if there is an existing policy, who is responsible for it, does it – or any element of it – work well and how long it has been in place
There also needs to be an audit of the level of understanding of the risks of emails amongst partners and staff.
Having established a baseline for current understanding and practical application, the firm can set about introducing a new policy which should, where possible, incorporate any good parts of any existing policy.