For years, law firms have been told that their technology is the target of unscrupulous hackers. The FBI has gone so far as to describe law firms' lack of security as “the soft underbelly of our economy.” Mandiant, a cybersecurity firm, says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. Lawyers need to be ever vigilant to threats to their technology that may cause inadvertent disclosure of confidential client information.
But lawyers may need to worry about a new technology threat: their clients.
Recently, a law firm in the United Kingdom worked with a family to sell a condominium in London. As the sale was closing, a solicitor in the firm emailed the family for bank routing information, to be used to deposit the proceeds from the real estate sale. The clients sent back their sensitive banking information in a reply email. The details of their bank account passed through the internet in plain text, like flying a plane across town with their banking details on a banner for all to read.
The email reply was intercepted by online fraud agents. They posed as the client and gave new banking details to the law firm. £333,000 ($510,000) was wired to the criminals’ account. Only after the client called asking when the disbursement was supposed to arrive was the fraud discovered. The criminals’ account was frozen and £271,000 was returned to the clients, leaving them missing £62,000 ($95,000).
The clients want their money back. The bank is claiming no responsibility, as it processed the transaction based on the information provided by the law firm. The Solicitors Regulation Authority (SRA), the group responsible for regulating solicitors and law firms in the UK, held that the firm was at fault. It held that law firms were responsible for safeguarding client funds, and must replace any money that was “improperly withheld or withdrawn from a client account”.
This law firm now owes $95,000 for following what they believed were the wishes of their clients. They’re not the only firm that has to worry about fraudulent emails. Bold Legal Group, a UK network of 350 law firms, said email scams and other financial fraud aimed at legal firms had increased significantly in the past six to 12 months. In the U.S., massive email spoofing schemes have been plaguing firms like Baker & McKenzie, Reed Smith, and Hogan Lovells.
How can a law firm protect itself against hackers posing as its clients? There are three steps lawyers can take to minimize email risks and protect their clients.
1. Don’t use email
When sending sensitive information back and forth, email may not be the most secure channel. In the U.K., the Bold Legal Group recommends that both firms and their clients use encrypted email for confidential or financially sensitive information. This means messages cannot be opened without a secure password. Clio’s client portal provides an easy way for law firms to implement encrypted messaging without clients and lawyers having to learn new tools and techniques before communicating.
2. Train your clients
Clients don’t know that their actions are not secure. Yet law firms are the ones bearing the risk when a client exposes details, like banking information, to scam artists. To prevent this risk from blowing up into trust account errors and payment disputes, lawyers need to train their clients, from the initial conversation, on which methods of communication are most secure and how to use them.
A client should, as part of retention, learn the following:
- whom to expect will be contacting them,
- what methods of communication will be used between lawyer and client,
- what steps clients are expected to take to help preserve confidentiality, and
- how to report anything that deviates from this discussed training.
This means that a law firm should show clients how the client portal functions, and walk them through logging in and creating a password before they leave the office. Set yourself and your clients up for secure communications from the start.
(Such training will also help law firms meet their ethical duty to consider which methods of communication are best for clients. You can read more about this duty here: “Why Lawyers Shouldn’t Email Their Clients.”)
3. Trust but verify
Clients will continue to use insecure messaging services like email and text messages. They’re ubiquitous and convenient. That’s a hard combination to overcome in the name of security.
Therefore, when situations arise—like the changed banking details described above—a best practice is to verify changes with your clients. The solicitors owing $95,000 could have prevented the whole fraud by picking up the phone. One quick call confirming the changed banking details with their clients would have spotted the fraud before it occurred. Not only would the firm not owe this huge sum of lost funds, but they could have also billed for time while protecting everyone involved in the transaction. Good security makes financial sense for law firms.
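To make the “trust but verify” step concrete, here is an added example (not code from the original post or from Clio) of a pre-disbursement check a firm could run before wiring client funds. It does two things the story above calls for: it flags a payment instruction whose sender does not match the client’s address recorded at intake (including a Reply-To that points somewhere else, or a look-alike domain), and it refuses to release funds when the bank details differ from those collected at intake unless someone has confirmed the change by phone on the intake number. The class and function names (ClientRecord, PaymentInstruction, disbursement_decision) and the two sample messages are constructed for illustration.

```python
"""Added example: a pre-disbursement check modelling 'trust but verify'.
Names (ClientRecord, PaymentInstruction, disbursement_decision) and the sample
messages are assumptions for illustration, not code from the original post."""
from __future__ import annotations

import difflib
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class ClientRecord:
    name: str
    email: str          # address collected at intake, in person
    phone: str          # number collected at intake, used for the call-back
    bank_details: str   # sort code / account number recorded at intake


@dataclass
class PaymentInstruction:
    raw_email: str                       # the message carrying the instruction
    bank_details: str                    # the account the message asks us to pay
    verified_by_callback: bool = False   # True only after a call to the intake number


def _domain(addr: str) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def sender_anomalies(raw_email: str, client: ClientRecord) -> list[str]:
    """Reasons the message may not really come from the client on record."""
    msg = message_from_string(raw_email)
    reasons: list[str] = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if from_addr != client.email.lower():
        reasons.append(f"From address {from_addr!r} is not the address on file")
    if reply_to and reply_to != from_addr:
        reasons.append(f"Reply-To {reply_to!r} differs from From {from_addr!r}")
    # A domain that is close to, but not equal to, the client's real domain
    # is the classic look-alike used to hijack a thread.
    real = _domain(client.email)
    for cand in {_domain(from_addr), _domain(reply_to)} - {""}:
        if cand != real and difflib.SequenceMatcher(None, cand, real).ratio() > 0.8:
            reasons.append(f"domain {cand!r} looks like {real!r}")
    return reasons


def disbursement_decision(instr: PaymentInstruction,
                          client: ClientRecord) -> tuple[bool, list[str]]:
    """Return (may_release, reasons). Any anomaly or change of bank details
    holds the payment until a call-back on the intake number has confirmed it."""
    reasons = sender_anomalies(instr.raw_email, client)
    if instr.bank_details != client.bank_details:
        reasons.append("bank details differ from those recorded at intake")
    if reasons and not instr.verified_by_callback:
        return False, reasons + ["hold: confirm by phone on the intake number before paying"]
    return True, reasons


# Constructed sample data: a client record taken at intake, a genuine reply,
# and a hijacked reply that redirects responses to a look-alike domain.
CLIENT = ClientRecord("A. Vendor", "a.vendor@example.com",
                      "+44 20 0000 0000", "12-34-56 00012345")
GENUINE = ("From: A. Vendor <a.vendor@example.com>\n"
           "Subject: Completion\n\nHere are our details.\n")
SPOOFED = ("From: A. Vendor <a.vendor@example.com>\n"
           "Reply-To: A. Vendor <a.vendor@examp1e.com>\n"
           "Subject: Re: Completion\n\nPlease use our new account.\n")

if __name__ == "__main__":
    for label, instr in [("genuine", PaymentInstruction(GENUINE, CLIENT.bank_details)),
                         ("spoofed", PaymentInstruction(SPOOFED, "65-43-21 99999999"))]:
        ok, why = disbursement_decision(instr, CLIENT)
        print(label, "release" if ok else "HOLD", why)
```

The decisive control is the last branch of disbursement_decision: a changed account is never paid on the strength of the email alone, and the call-back must go to the phone number captured at intake, not to a number supplied in the message that asks for the change.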
As law firms become better equipped to handle direct cyber-attacks, hackers are taking different routes to get at lawyers’ funds. Your clients may now be setting your firm up for email fraud. Minimize the risk to yourself and your clients by dropping email for sensitive information, and equipping and training your clients to protect themselves and you.