Cybercrime and fraud: Ongoing vigilance required
Cyber security and fraud are increasingly key risks, not least for the financial services industry or indeed any business dealing with personal or sensitive data; confidential information; conveyancing or the transfer of money or other assets. Andrew Beck offers some practical risk management advice and explains what can be done in the event of a cyber attack.
The scale of the problem
In recent weeks both the Financial Conduct Authority (FCA) and the Law Society have published their concerns about the risks posed by cybercrime and fraud to businesses today, particularly to those within the financial and legal sectors [1]. Information security breaches can cause devastating harm to customers’ interests, financial loss and serious reputational damage – and they are on the rise.
- Two-thirds of large businesses detected and reported a cyber security attack in the 2015/16 financial year; counting attacks that went unreported, the true figure is likely to be much higher.
- Identity theft (much of which occurs via cyber attacks) now accounts for some 41% of fraud.
- The total value of fraud in the UK increased by 110% to £1.5 billion from 2014 to 2015, with mortgage fraud tripling in the same period to £151 million [2].
- The National Security Council and Serious and Organised Crime authorities are aware of some 39,000 cybercriminals and some 6,000 cybercrime groups operating within the UK today. Although the authorities’ knowledge is improving all the time, there are still gaps, so the true figures are likely to be higher still [3].
- Apart from organised crime, businesses face information security risks from ‘hacktivists’, IT-savvy teenagers, competitors and even simple human error.
- The number of cyber attacks reported to the FCA has increased significantly, from just 5 in 2014 to 75 so far in 2016.
- Cybercrime and fraud reports to the Law Society are also on the rise. There were 726 reports of bogus law firms (54% of which related to the identity theft of a genuine firm or individual) made in 2015. That represents a 101% increase on 2012.
- The FCA is also concerned that, in some cases, current business continuity plans do not work. For example, mirrored backup solutions that rely on backup tapes which may be several days old are insufficient. If an attack happened tomorrow, what would be lost, and what would be the effect on your business and your customers, if your most recent usable backup were a week old?
What are the risks to watch out for?
There is no doubt that cybercrime is a real, live risk. Financial and legal services businesses, in particular, are a target because of their handling of sensitive personal and financial data, their involvement in conveyancing and other money/asset transfer transactions and the fact that their identity can lend credibility to a fraud.
There are, however, some increasingly common scams and indicators of fraud which, if they are detected in time, may enable a business to intervene to prevent any loss. Responsible businesses should ensure that their staff are trained to recognise and watch out for the following frauds and warning signs.
- Phishing is where fraudsters acquire sensitive information, such as bank account details, by posing as a known or trustworthy entity in an electronic communication.
- Identity theft can also be perpetrated when a fraudster impersonates a genuine individual or firm using details that may have been obtained via the internet, social media or other personal data sources.
- CEO fraud is a particular form of identity theft, where a fraudster impersonates a senior figure at a firm to impose authority and order money/asset transfers that might otherwise be prevented by fraud prevention policies or practices.
- E-mail hacking. This is where a fraudster hacks into the e-mail accounts of a financial services or law firm and intercepts confidential information and communications. The fraudster then poses as one of the professionals or the customer/client and redirects monies or assets to itself before disappearing with the spoils.
- Friday afternoon fraud is the name often given to a scam perpetrated on a bank or law firm late in the day in a conveyancing or similar transaction. The fraudster takes advantage of peak time pressure to complete (when information and data security lapses may be more likely to occur) to impersonate one of the parties.
- Bogus firms are created by criminals and deceive individuals or genuine firms to steal money or information.
- Social engineering is where a criminal gains confidential information through building a personal relationship with a member of staff.
- Malware is software which attacks a business’ data and information security. Viruses and other programs can infiltrate a business’ IT systems, causing damage and allowing access to data.
- Ransomware, an increasingly common and sophisticated form of malware, encrypts files and enables cybercriminals to demand a ransom for a decryption key. The FCA has reported that it now often sees not just isolated ransomware infections, but even self-replicating ransomware and other malicious software, which spreads rapidly through entire networks.
Warning signs or indicators of fraud
- Errors or inconsistencies in the spelling, grammar and terminology of firm names; slogans; logos; e-mail addresses, address formats or e-mail account providers; other brand identifiers (such as company numbers and SRA/FCA registrations); and/or in communications generally.
- Newly registered or unregistered websites or domain names, which may have been set up solely for the purpose of the fraud.
- Unexpected or unsolicited electronic communications – especially e-mails with attachments – which can contain and release malware.
- Absent, unclear or inconsistent background information, personal or trading history or other supporting documentation. These may indicate a fake or stolen identity.
- Last minute changes to key information, such as bank details or correspondence addresses.
- Overseas accounts or addresses.
- Absent or inconsistent telephone numbers, in particular absent or inconsistent landlines, and telephone numbers which divert to call-back services.
- Pressured instructions for unusually quick completions.
- High value/cash transactions or transactions with other unusual elements (such as back-to-back transactions).
- Inconsistent search results.
- A ‘gut feeling’ that something is not right.
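As an added illustration of the first two warning signs above (inconsistent e-mail addresses and domains set up purely to impersonate a firm), the following Python script flags sender domains that resemble a firm's genuine domain. It is written for this page and is not part of the original article or any firm's own tooling. The "known good" domains, the look-alike character table and the sample sender addresses are all assumptions or constructed test data. Domain registration age is not checked here, since that needs a live WHOIS/RDAP lookup; the script covers the checks that can be run offline on an address alone.

```python
"""Flag sender domains that impersonate a firm's genuine e-mail domain.

Added example, not from the original article. KNOWN_GOOD_DOMAINS, the glyph
table and SAMPLE_SENDERS are assumptions / constructed test data.
"""
import unicodedata

# Assumption: the domains this firm and its regular counterparties genuinely use.
KNOWN_GOOD_DOMAINS = {"examplefirm.co.uk", "examplebank.co.uk"}

# Character sequences commonly swapped in look-alike domains: "rn" for "m",
# "vv" for "w", digits for letters, Cyrillic/Greek letters for Latin ones.
# Multi-character sequences are folded first, then single characters.
MULTI_CHAR_GLYPHS = [("rn", "m"), ("vv", "w")]
SINGLE_CHAR_GLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u03bf": "o",  # Greek omicron
    "\u0131": "i",  # dotless i
})
MAX_TYPO_DISTANCE = 2  # an edit distance at or below this counts as a typo-squat


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed punycode: compare as-is


def normalise(domain: str) -> str:
    """Canonical form for comparison: lower case, accents stripped, look-alike glyphs folded."""
    d = decode_idna(domain.strip().lower().rstrip("."))
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for seq, repl in MULTI_CHAR_GLYPHS:
        d = d.replace(seq, repl)
    return d.translate(SINGLE_CHAR_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address: str) -> dict:
    """Classify the domain part of an e-mail address.

    Verdicts: 'trusted' (a known-good domain or a subdomain of one),
    'lookalike' (close enough to a known-good domain to be an impersonation),
    'unknown' (no resemblance; still subject to the usual identity checks).
    """
    if "@" not in address:
        return {"domain": "", "verdict": "unknown", "reason": "no domain part"}
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain in KNOWN_GOOD_DOMAINS or any(domain.endswith("." + g) for g in KNOWN_GOOD_DOMAINS):
        return {"domain": domain, "verdict": "trusted", "reason": "known-good domain"}

    norm = normalise(domain)
    first_label = norm.split(".")[0]
    for good in KNOWN_GOOD_DOMAINS:
        good_norm = normalise(good)
        brand = good_norm.split(".")[0]
        if norm == good_norm:
            return {"domain": domain, "verdict": "lookalike", "reason": f"homoglyph of {good}"}
        if levenshtein(norm, good_norm) <= MAX_TYPO_DISTANCE:
            return {"domain": domain, "verdict": "lookalike", "reason": f"typo-squat of {good}"}
        if brand in first_label:  # e.g. examplefirm-secure.com or examplefirm.co.uk.attacker.test
            return {"domain": domain, "verdict": "lookalike", "reason": f"embeds '{brand}' in an unrelated domain"}
    return {"domain": domain, "verdict": "unknown", "reason": "not a known-good domain"}


# Constructed sample sender addresses (not real correspondence).
SAMPLE_SENDERS = [
    "conveyancing@examplefirm.co.uk",             # genuine
    "j.smith@mail.examplefirm.co.uk",             # genuine subdomain
    "accounts@exarnplefirm.co.uk",                # "rn" for "m"
    "accounts@examplef1rm.co.uk",                 # "1" for "i"
    "completion@examplefirm-secure.com",          # brand embedded in a new domain
    "payments@examplefirm.co.uk.attacker.test",   # genuine domain used as a subdomain
    "payments@" + "ex\u0430mplefirm.co.uk".encode("idna").decode("ascii"),  # Cyrillic а, as punycode
    "solicitor@newfirm.test",                     # no resemblance
]


def run_samples() -> dict:
    """Assess every sample sender; returns {address: verdict}."""
    return {addr: assess_sender(addr)["verdict"] for addr in SAMPLE_SENDERS}


if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        result = assess_sender(addr)
        print(f"{result['verdict']:9} {addr:55} {result['reason']}")
```

A 'lookalike' verdict is a reason to pick up the telephone, not a proof of fraud, and an 'unknown' verdict is not a clean bill of health: a fraudster who has compromised a genuine mailbox sends from a 'trusted' domain, which is why the identity and bank-detail checks in the next section still apply.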
What can be done?
Whilst there is no doubt that fraudsters, and in particular cybercriminals, are prolific and often professional and highly skilled, there are some simple, practical steps that all businesses can take, both to help manage the risks and to mitigate damage caused in the event of an attack.
- Customers and clients should be advised of the risks – if they are alive to the risks they can help, especially in relation to the protection of their own data and communications.
- Staff training is vital. All staff should be trained to recognise and react appropriately to the risks and indicators of cybercrime and fraud. In particular, all staff should be made aware of the existence and terms of businesses’ policies, procedures and reporting requirements where fraud is suspected.
- Businesses should share, internally, information and data relating to any attempted attacks. The benefit of this is that all areas of the business become alive to suspected attacks as soon as they occur.
- Policies, procedures and reporting requirements should be reviewed and updated, and training should be repeated, regularly. Cybercrime is a sophisticated and fast-moving phenomenon. Fraudsters today are very adept at harnessing technological advances for criminal purposes.
- Undertake regular online checks to ensure that your own firm/brand is not being impersonated.
- Adopt and foster a security culture, which includes good cyber security governance; the identification and protection of key assets; fit-for-purpose IT security/detection capabilities and business continuity plans; and a comprehensive understanding of how data is stored and protected. (In many cases, this will require a detailed understanding of any third party/cloud data storage provider’s threat profile and of the security measures it applies.)
- Where possible, firms should facilitate home and mobile working for their staff. This can help to ensure business continuity in the event of an attack.
- Where possible, meet and speak, rather than always communicating by e-mail. This can be particularly valuable when it comes to undertaking initial ID/anti-money laundering checks and providing or exchanging sensitive personal or financial information, documents and bank account details. Be extremely cautious of giving any sensitive information electronically.
- Where time allows, corresponding via letters and faxes might be more secure than using e-mail.
- Where electronic communication is essential, encrypted e-mails and password protected portals offer a much greater level of data security.
- All IT and communication devices should be properly protected with adequate security software, which is updated regularly.
- Firms should also ensure that they recruit individuals talented in cyber skills.
- Search the Financial Services Register to ascertain whether a firm, individual or other body is regulated by the FCA and/or The Prudential Regulation Authority.
- The Law Society’s Find A Solicitor website can be used to check the identity of qualified solicitors in England and Wales and Lawyer Checker can be used to verify solicitors’ accounts.
- Parties can be asked to provide, at the outset of a conveyancing transaction, copies of bank statements for the destination accounts into which completion monies will be paid. Dormant or otherwise unusual-looking accounts should be treated with caution.
- Buyers and sellers should specifically advise at the outset that they will not be changing their bank account during the transaction or prior to completion.
- Bank account details should be confirmed in person or on the telephone, using contact details already held on file rather than any supplied in the e-mail or letter that provided the details. This should include asking security questions to which only the genuine party or solicitor would know the answer.
- Any instruction to change bank account or payment details should be treated with the utmost caution, investigated thoroughly and ideally confirmed in person; an e-mailed reply to the instruction is not confirmation, since the mailbox that sent it may be the one that has been compromised.
- If you do find yourself a victim of this type of fraud, as well as following any internal incident management regime, you should immediately notify the police. They may be able to recover some of the stolen monies and potentially take action against the fraudsters.
- You should also notify any lender and/or insurer, any other parties to the transaction, the customer or client and the FCA or Law Society as appropriate.
- In addition, you should seek immediate specialist legal advice. Walker Morris’ Banking Litigation team has significant expertise in fraud claims and would be able to urgently initiate a freezing injunction to try to preserve stolen monies in the fraudsters’ bank account(s). If the whereabouts of monies is unknown, Walker Morris also has extensive experience in tracing and recovery.
- There are also a number of civil remedies that we would be able to pursue on your behalf. Depending on the circumstances of the cyber attack and/or fraud, we may be able to pursue breach of contract; negligence, breach of trust; unjust enrichment and/or tracing claims to recover lost funds.
As the financial and legal regulators have made clear, cybercrime and fraud are business risks that are on the rise – but so too are the knowledge, technological means and legal expertise required to effectively respond to and combat them. The best means of protection for your business and your customers is to be proactive in your data protection and crime prevention practices, and to have expert assistance in your corner just in case anything does go wrong. Walker Morris fraud, litigation and regulatory experts can help you with both the pre-emptive and reactive stages of your cyber security strategy. If you would like an initial consultation, or if you would like to discuss the content of this article in more detail, please do not hesitate to get in touch.
[1] FCA’s approach to cyber security in financial services firms; Law Society’s Risk Outlook
[2] Source: BDO Fraud Track Report, Feb 2016
[3] Source: Agenda Screening Services