The research, by cloud data intelligence firm OnDmarc, follows reports that UK law firms saw an unprecedented 45 cases of cyber theft in the first quarter of 2017. With law firms under a duty to replace any lost client funds and data, OnDmarc claims a serious attack could see firms go under.
With phishing attacks having increased by 65% in 2016, the company said the study’s findings are a stark warning to law firms, which hold some of the most confidential client information.
“With over 10,000 law firms operating in the UK, handling sensitive and hugely confidential commercial and private data, there is a real opportunity for scammers to target the legal sector,” said Rois Ni Thuama, head of cyber security governance partnerships and legal at OnDmarc.
“Many law firms either don’t understand the risk or assume that their existing email systems will do the job of protecting them, even though our study very quickly demonstrated that it’s all too easy for a criminal to exploit these firms’ email domains in order to impersonate the company and send out fraudulent messages to external clients and stakeholders,” she said.
Most of the law firms polled incorrectly assumed that their existing IT security systems would cover their organisation against sender fraud.
According to OnDmarc, this is because these systems do not use defences such as the Dmarc (domain-based message authentication, reporting and conformance) protocol, which helps authenticate an organisation’s communications as genuine.
Dmarc has been endorsed by the UK’s National Cyber Security Centre (NCSC), with a 2016 pilot by HM Revenue & Customs blocking more than 300 million malicious or fraudulent emails. The NCSC is helping to implement Dmarc across all government departments as part of its Active Cyber Defence (ACD) programme.
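To make concrete what “susceptible to email impersonation” means in Dmarc terms, the following is an added illustration, not part of the article or of OnDmarc’s study. It parses the TXT record a receiving mail server would fetch from a domain’s `_dmarc` name and classifies how much protection it actually gives: a missing record gives none, a `p=none` record only produces reports, and only `p=quarantine` or `p=reject` at `pct=100` asks receivers to act on spoofed mail. The record strings and `.invalid` domains are constructed for the example; the tag handling follows RFC 7489.

```python
"""Parse and assess DMARC TXT records (added example, not the article's code).

The record strings used in the usage section are constructed for illustration;
the domain names are placeholders, not real firms.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: Optional[str] = None             # p= : none / quarantine / reject
    subdomain_policy: Optional[str] = None   # sp= : defaults to the p= value
    pct: int = 100                           # share of failing mail the policy applies to
    rua: List[str] = field(default_factory=list)  # aggregate report destinations
    ruf: List[str] = field(default_factory=list)  # failure report destinations
    adkim: str = "r"                         # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"                          # SPF alignment: r(elaxed) or s(trict)


def parse_dmarc(txt: Optional[str]) -> Optional[DmarcRecord]:
    """Parse the value of a _dmarc TXT record.

    Returns None when there is no record or when it is not a DMARC record
    (RFC 7489: v=DMARC1 must be present, exact, and the first tag).
    """
    if not txt or not txt.strip().lower().startswith("v="):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None

    rec = DmarcRecord()
    rec.policy = tags.get("p", "").lower() or None
    rec.subdomain_policy = tags.get("sp", "").lower() or rec.policy
    rec.adkim = tags.get("adkim", "r").lower()
    rec.aspf = tags.get("aspf", "r").lower()
    # Report URIs are comma-separated lists of mailto: addresses.
    rec.rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    rec.ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    # pct must be an integer 0..100; anything else is treated as the default 100.
    try:
        pct = int(tags.get("pct", "100"))
        rec.pct = pct if 0 <= pct <= 100 else 100
    except ValueError:
        rec.pct = 100
    return rec


def assess(rec: Optional[DmarcRecord]) -> str:
    """Classify what a receiver will do with mail that fails DMARC for this domain."""
    if rec is None:
        return "no-dmarc"            # spoofed mail is treated like any other mail
    if rec.policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: an invalid p= is treated as p=none if a rua= URI exists,
        # otherwise the record is ignored entirely.
        return "monitor-only" if rec.rua else "invalid"
    if rec.policy == "none":
        return "monitor-only"        # reports flow to rua/ruf, nothing is blocked
    if rec.pct < 100:
        return "partial-enforcement"  # only pct% of failing mail is acted on
    return "enforcing"


def assess_domains(records: dict) -> dict:
    """Map each domain to its protection level; input is domain -> TXT value or None."""
    return {domain: assess(parse_dmarc(txt)) for domain, txt in records.items()}


if __name__ == "__main__":
    # Constructed sample records for placeholder domains.
    sample = {
        "firm-a.invalid": None,
        "firm-b.invalid": "v=DMARC1; p=none; rua=mailto:dmarc@firm-b.invalid",
        "firm-c.invalid": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@firm-c.invalid",
        "firm-d.invalid": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@firm-d.invalid",
    }
    for domain, level in assess_domains(sample).items():
        print(f"{domain:16} {level}")
```

Only the last of the four sample domains would have a receiver reject impersonated mail outright; the first two are exactly the situation the study describes, a domain that can be spoofed with no receiver-side consequence. In practice the TXT value would come from a DNS lookup of `_dmarc.<domain>`, which is left out here so the example runs offline.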
“We’re usually quick to blame human users as the most insecure element of the cyber security chain, but in the case of email spoofing, it’s the basic email systems that are being duped, which is a big reason why legal firms have experienced losses, mainly via phishing, of over £3m in just three months,” said Ni Thuama.
“Implementing Dmarc will enable the 99% of firms currently susceptible to email impersonation to combat this type of email fraud and thus help to prevent them from suffering reputational or financial damage with their client base further down the line.”