Law firms across Queensland should be on high alert following a series of highly sophisticated email scams carried out by hackers that has cost at least two firms millions of dollars.
This scam has been such a big problem that the Queensland Law Society (QLS) issued urgent warnings to firms about this threat.
But law firms aren’t the only ones at risk. Any business that relies on email for payments in return for services should sit up and pay attention.
How Did This Hack Occur?
While most of us are pretty clued up about cyberattacks these days, hackers are getting smarter, and their techniques are becoming more sophisticated, resulting in almost anyone falling victim – including lawyers.
The type of scam used on this occasion is known as a social engineering hack.
In this scenario, hackers pose as potential clients and strike up conversations over the phone with lawyers and conveyancers – showing a general interest in their services. The phone calls seem legitimate, and following the call, the “prospective client” sends the lawyer an email which contains ‘important documents related to their case’. The lawyer is then required to enter their email login and password to gain access to the files.
Once these credentials are obtained, the hacker gains unlimited access to the lawyer’s email account and uses it to make fraudulent transactions. To do this, the hacker monitors the mailbox and waits for emails relating to settlements and payments to come through. The hacker then responds to these emails as the law firm, requesting payment – replacing the firm’s payment details with their own.
This scheme has resulted in both legal practitioners and clients losing money.
According to Queensland Law Society president Christine Smyth, a scam such as this one is difficult to detect because the victim has already come to trust the caller after speaking with them over the phone. It has also been reported that these scammers speak good English and answer questions in a convincing way – making it seem like they are genuine prospective clients.
How to Protect Yourself from Such Attacks?
When cybersecurity attacks like this hit close to home, it reminds us all to never take IT security for granted and always have precautions in place so that you and your business can be prepared for anything.
The first step is to be aware that this is happening in the first place. Everyone at every level of your organisation should be made aware of this scenario to protect your organisation against such attacks.
It is the responsibility of all practitioners to ensure their email accounts are secure and remain secure. It should be common knowledge amongst everyone at your organisation that no legitimate site or contact will ask for your email credentials.
Queensland Law Society president Christine Smyth further confirms this notion: “It’s something we talk about with staff on a daily basis, as soon as you are asked for email credentials then pull back.”
Always maintain regular contact with your cybersecurity and IT providers regarding best practice in this scenario. There are always experts in this field you can reach out to for help if you’re unsure how to handle these situations.
Extra measures can also be put in place to help prevent this. When it comes to the transfer of large sums of money, extra security precautions requiring additional verification of the banking details provided may be necessary. A simple follow-up phone call to confirm these details is all that should be needed in most cases.
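One way to make that verification step systematic rather than a matter of memory is to hold any payment email whose bank details are new or differ from a record confirmed out-of-band. The following is an added example, not code from the article, QLS or Cymax; the counterparty name, account values and regex patterns are constructed for illustration, and the call-back is assumed to go to a number already on file, never one quoted in the email.

```python
import re

# Constructed sample record: bank details for each counterparty, confirmed by
# a phone call to a known number BEFORE being recorded here. Email alone never
# updates this table.
VERIFIED_ACCOUNTS = {
    "acme-settlements": {"bsb": "064000", "account": "12345678"},
}

# Australian BSB (six digits, often written 064-000) and an account number.
BSB_RE = re.compile(r"\bBSB\s*[:#]?\s*(\d{3})\s*-?\s*(\d{3})\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(
    r"\bAcc(?:oun)?t(?:\s*(?:No|Number))?\.?\s*[:#]?\s*(\d{6,10})\b",
    re.IGNORECASE,
)


def extract_bank_details(body):
    """Return {'bsb', 'account'} found in an email body, or None if absent."""
    bsb = BSB_RE.search(body)
    account = ACCOUNT_RE.search(body)
    if not bsb or not account:
        return None
    return {"bsb": bsb.group(1) + bsb.group(2), "account": account.group(1)}


def assess_payment_request(counterparty, body):
    """Decide whether a payment email may proceed ('ok') or must be held for a
    call-back on the number already on file ('hold').

    Note that the sender address is deliberately NOT used as evidence: in the
    scam described above the email really does come from the firm's mailbox.
    """
    found = extract_bank_details(body)
    if found is None:
        return {"action": "ok", "reason": "no bank details in message"}
    known = VERIFIED_ACCOUNTS.get(counterparty)
    if known is None:
        return {"action": "hold", "reason": "no verified account on file"}
    if found != known:
        return {"action": "hold", "reason": f"details differ from record: {found}"}
    return {"action": "ok", "reason": "details match verified record"}


if __name__ == "__main__":
    # Constructed email body of the kind sent from a compromised account.
    swapped = "Please note our updated details: BSB 123-456 Acct: 99887766"
    print(assess_payment_request("acme-settlements", swapped))
```

A "hold" result should route the payment to a person who phones the counterparty on the stored number; only after that call should VERIFIED_ACCOUNTS be changed.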
Key Points to Take Away from This
This recent threat shows that many businesses here in Queensland have a long way to go when it comes to preparing for and preventing cybersecurity attacks. Essentially, security infrastructure will only take you so far. In the end, user awareness is vital, and education is key.
Businesses can no longer afford to put off making cybersecurity a priority.
This incident also emphasises that cybersecurity education is not simply about end-user awareness training, where a box is ticked to say ‘yep, we’ve done it’. So much more needs to be done here. We need to change our mindset towards awareness training and ensure it’s part of the culture within every level of the organisation.
Without ingrained awareness and knowledge about cybersecurity at all levels, every business is at risk of falling victim to one of these hackers.
At Cymax, we have a great strategic partner in this space who can help with your cybersecurity needs. If you would like an introduction to an organisation that goes beyond simple end-user awareness training and focuses on end-user IT security culture training, please contact us.