Growing ‘CEO fraud’ cybercrime “presents risk to law firms”


Cybercrime: accounts employees warned to be vigilant

Law firms need to guard against the type of cybercrime called ‘CEO fraud’, which has netted criminals millions of pounds, according to the Solicitors Regulation Authority (SRA).

The fraud, also known as ‘business e-mail compromise’, involves spoof e-mails apparently sent in the name of a managing director or senior partner to accounts department staff authorising urgent cash transfers.

The SRA said it had highlighted CEO fraud in cybercrime presentations and planned to flag it in its next written risk update.

Action Fraud, the fraud reporting centre run by City of London Police, warned in February there had been a serious rise in the incidence of CEO fraud. While the average sum lost was £35,000, one global company was said to have lost £18.5m. The organisation reported a “marked increase” in the fraud in the second half of last year, with almost 1,000 reports received.

In the US, the Federal Bureau of Investigation has estimated that nearly 18,000 victims have lost more than $2bn (£1.38bn) to CEO fraud in the past three years.

The growth in CEO fraud is said to have been fuelled by competition among domain name brokers, some of which give away domains and associated e-mail addresses for free, or at very low cost, as loss leaders. After supplying a stolen credit card number, the scammers can rapidly obtain ready-to-use domain addresses.

Accounts staff typically receive e-mails seemingly from a senior manager, with a sender’s address only slightly different from the firm’s proper domain. For example, the address senior.partner@afirmofsolicitors.co.uk can appear as senior.partner@afirmofsolicitrs.co.uk.

The message might instruct the urgent settlement of an invoice and include bank transfer details. The fraudster will quickly redistribute the money into other ‘mule’ accounts and close the receiving bank account.

Insurance policies covering cyber liabilities may not pay out for CEO fraud because no IT resources are hacked.

An SRA spokesman said: “We are aware of this form of cybercrime. We have highlighted these types of risks on a regular basis. It is important that law firms make sure they have appropriate processes and systems to protect themselves – and their clients’ money and information – from these sorts of crimes.”
