According to the Solicitors Regulation Authority (SRA), cyber criminals have caused “substantial losses” to 50 law firms this year, ranging from £50,000 to £2m, and a further 20 firms have fallen victim to e-mail redirection scams involving “very substantial” amounts of money. All businesses must take email security far more seriously: it is expected to become a much bigger area of focus in 2016 as scammers become more sophisticated.
Law firms and their clients are being targeted by scammers seeking access to funds. IT can only ever be one step behind the scammers, but businesses can take steps to reduce the chance of being caught out.
All organisations should make staff aware of what to look out for, what to be suspicious of and when to be cautious.
I’m aware of one business where an employee transferred £45,000 out of the company account after receiving a request that was made to look as if it came directly from their bank. We’ve also heard about conveyancers being targeted with emails from Hotmail/Gmail addresses saying the corporate email system is down, so please transfer the house purchase monies through a link. And yes, these are scams.
Scammers are becoming ever more sophisticated. They can copy your corporate branding and email templates and, as a result, send emails that look as though they come from legitimate sources.
Scam emails will usually include a link that directs you to a page asking for details that give the scammer access to your bank account. Alternatively, a link may lead you to install a Trojan on your computer, which then sits and ‘watches’ activity on your machine and tells the remote scammer when and how best to approach you.
Simple as it sounds, staff training is key to securing your email, systems and data. If the employee above had known what to look out for, the scam might well have failed.
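The tells described above (a firm or bank impersonated from a free webmail address, a Reply-To that quietly diverts the conversation, a link whose visible text does not match its real target, and urgent “transfer now” wording) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post or from any product it mentions; the firm name, trusted domain, free-webmail list and the sample message are all constructed for illustration.

```python
"""Flag common business-email-compromise tells in one raw RFC 822 message.

Added example (not from the original post). FIRM_NAME, TRUSTED_DOMAINS,
FREE_WEBMAIL and the sample messages below are assumptions made for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRM_NAME = "Example Law"                      # assumption: the firm being impersonated
TRUSTED_DOMAINS = {"examplelaw.co.uk"}         # assumption: domains the firm really sends from
FREE_WEBMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com", "live.com"}
URGENCY = re.compile(r"\b(urgent|immediately|today|system is down|transfer)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_message(raw):
    """Return a list of findings (empty means nothing suspicious was spotted)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # Display name claims to be the firm, but the mailbox is free webmail.
    if from_dom in FREE_WEBMAIL and FIRM_NAME.lower() in display.lower():
        findings.append(f"display name '{display}' but sender is {from_dom}")
    # Replies are routed to a domain other than the one the mail came from.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            shown_host = _host(shown) if "://" in shown else ""
            if shown_host and shown_host != _host(href):
                # Anchor text shows one site; the href goes somewhere else.
                findings.append(f"link text {shown_host} but target {_host(href)}")
            elif _host(href) and _host(href) not in TRUSTED_DOMAINS:
                findings.append(f"link to untrusted host {_host(href)}")
    if URGENCY.search(text):
        findings.append("urgent payment/transfer wording")
    return findings


# Constructed sample resembling the conveyancing scam described in the post.
SCAM_SAMPLE = """\
From: Example Law Conveyancing <examplelaw.conveyancing@hotmail.com>
Reply-To: completions@examplelaw-payments.com
To: buyer@client.example
Subject: URGENT: completion funds
Content-Type: text/html; charset=utf-8

<html><body>
<p>Our corporate email system is down. Please transfer the completion
monies today using <a href="http://203.0.113.9/pay">https://examplelaw.co.uk/pay</a>.</p>
</body></html>
"""

# Constructed benign message from the firm's real domain.
CLEAN_SAMPLE = """\
From: Jane Smith <jane.smith@examplelaw.co.uk>
To: buyer@client.example
Subject: Meeting
Content-Type: text/plain; charset=utf-8

Looking forward to our meeting next week.
"""

if __name__ == "__main__":
    for finding in scan_message(SCAM_SAMPLE):
        print("FLAG:", finding)
    print("clean message findings:", scan_message(CLEAN_SAMPLE))
```

The checks are deliberately simple and will produce false positives (a genuine client may write from Gmail, and "today" appears in plenty of honest mail), so they belong in a triage or awareness tool rather than an automatic block list. A real deployment would also verify SPF/DKIM results from the receiving mail server, which this example does not attempt.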
I recommend the following courses of action to tighten up email security:
• Tighten up internal processes – have strict authorisation procedures, only allow named people access to the company bank account, and limit the number of people authorised to transfer money.
• Run a daily scheduled anti-malware scan that searches for and removes Trojans and other spyware.
• Conduct regular penetration tests covering servers, applications and data. These should also include social-engineering tests, such as people ringing up and pretending to be the bank, and tests of physical access to your buildings.
• Train your staff to recognise email scams. This can be done in small, bite-sized online training modules.
• Empower staff to challenge people and to verify who they are dealing with before disclosing information.
• Install a centrally managed IT system and secure it, so that business technology is under proper control.
• Move to thin client technology so that staff do not physically carry programs and information on their PCs, laptops and smart devices.