Multiple legal regulators have warned that impersonation fraud and spoofing using highly detailed and sophisticated social engineering techniques is rife in the legal sector at the moment.
In the past week both the Council for Licensed Conveyancers (CLC) and the Solicitors Regulation Authority (SRA) have sent out scam alerts warning firms to be on the look out for convincing attempted frauds.
The CLC released a scam alert on their website after criminals released a sophisticated text message scam purporting to be from their ‘CLC enforcement team.’
The aggressive message advised members they had an unpaid balance and informed them that the team would attend their premises if the outstanding amount was not paid within seven days.
The CLC has stressed that the message should be ignored and that they will only send text reminders when a license is up for renewal.
This type of fraud has been extremely lucrative for fraudsters in recent years. CEO fraud, where a criminal convincingly portrays an organisation in order to convince a victim to part with their money, cost the UK £14.8 million in 2018 according to UK Finance’s ‘Fraud the Facts: 2019’ report.
When only £4.3 million was returned to the victims, a successful fraud could be financially and reputationally damaging to a law firm.
Unfortunately, the scams are a lot more difficult to detect in 2019 as the latest scam alert from the SRA highlighted this week.
The email scam, falsely claiming to be from Michelle Knight of Bevan Britton LLP, attempted to divert a payment after emails between a client and the solicitor were intercepted.
The genuine email address, ‘michelle.knight@bevanbrittan.com,’ of Michelle Knight of Bevan Brittan LLP was impersonated with the lower case ‘i’ in ‘Britton’ being replaced with a lower case ‘L’.
The SRA highlighted that Michelle Knight is regulated by the SRA as is the firm Bevan Britton LLP suggesting that the fraud was sophisticated and could easily have succeeded unless both client and solicitor due diligence measures are not thorough or robust enough.
Scam text messaging alert from the CLC warned regulated firms:
“Fake text messages are being sent out claiming to be from the “CLC enforcement team” reporting an unpaid balance. The texts further advise that the CLC will be attending their property address within the next 7 days if the balance remains unpaid.
“If you receive such a text claiming to be from us please ignore it.
“We have no such department and currently only ever send reminder text messages to individuals we regulates as part of our license renewal process.”
The SRA Scam alert commented:
“The genuine firm have confirmed that neither the firm or the genuine Michelle Knight have any connection to the email address referred to in the above alert.
When a firm’s or individual’s identity has been copied exactly (or cloned), due diligence is necessary.
“If you receive correspondence claiming to be from the above firm(s) or individual(s), or information of a similar nature to that described, you should conduct your own due diligence by checking the authenticity of the correspondence by contacting the law firm directly by reliable and established means.
“You can contact the SRA to find out if individuals or firms are regulated and authorised by the SRA and verify an individual’s or firm’s practising details. Other verification methods, such as checking public records (e.g. telephone directories and company records) may be required in other circumstances.”
Has your law firm implemented a robust and secure cyber security policy? Is your cyber due diligence thorough enough to detect subtle nuances in an email?
