UK law firms count the cost as cyber fraud booms

UK law firms’ losses to cyber fraud jumped 40% in the last year, and the costs of email hacking continue to rise, according to Hazlewoods Chartered Accountants and Business Advisers. who specialise in the legal profession.

Hazlewoods, who specialise in the legal profession, say that £2.53m was lost to cyber fraud at law firms in the period from November 2015 to April 2016, up 40% from £1.81m in the same period a year earlier.

Hazlewoods explains that there has been a sharp rise in attempts by fraudsters to trick law firms into transferring funds by hacking email accounts of the firms’ employees, or more commonly, their clients.

After gaining access to an individual’s email account – typically through a ‘phishing’ email – the fraudsters then email an employee at the law firm asking them to transfer funds to a bank account. If the employee transfers this money, it is generally withdrawn from the fraudulent account almost immediately, making it virtually impossible to trace or recover.

This type of fraud is a particular risk for firms dealing frequently with large transfers of funds, such as those handling probate cases and conveyancing.

While losses to cyber fraud are still relatively modest, they can still amount to more than enough to force the closure of some of the smaller law firms that have fallen victim.

Hazlewoods warns that the Solicitors Regulation Authority (SRA) is duty-bound to take a hard line on firms that lose client funds to cyber fraud. In these cases the SRA expects firms to immediately replace the money lost from its own funds, without waiting for its insurance to cover the loss. If this is impossible, the firm and its owners risk serious reprimands from the regulator.

Andy Harris, Director at Hazlewoods, says: “Cyber fraud is now a clear and present danger for every law firm. The consequences of losing client funds to email hacking can threaten a firm’s existence.”

“For smaller law firms, replacing what can be hundreds of thousands of pounds of client funds from their own accounts might be impossible, and that would bring the risk of sanctions from the SRA into play.”

“Some of these frauds involved the firms’ own email accounts being hacked, so all employees need to follow some basic data security rules – don’t use easily-guessed passwords, update your antivirus software on a regular basis, and don’t log into your email account when you’re on public wifi. All staff should also be given training on identifying suspected phishing emails.”

“Every law firm needs to ensure that all its staff are trained to be vigilant, and treat with suspicion any request for a transfer of funds. If a client requests via email that money be transferred, it’s critical that the firm verify the request over the phone or in person.”