What is cybercrime?
Cybercrime is criminal activity that targets computers, computer networks or networked devices, typically to obtain financial gain and/or personal information. Cybercrime cases are on the rise in Australia, with criminals exploiting the impacts of COVID-19, such as remote working.
The Australian Competition and Consumer Commission (ACCC) reported that Australians submitted 353,000 scam reports with losses of more than $634 million in 2019. Business email compromise scams (BECS) accounted for the highest losses at $132 million.
Common types of cybercrime
Business email compromise scams: BECS are the most common type of cybercrime attack reported to us by lawyers. The hacker gains control of an email account and sends or amends emails to instruct clients or law firms to pay funds into the fraudster's account.
Ransomware: A ransomware attack blocks access to key components such as trust and banking records or client files, crippling the ability to conduct business. A ransom is then demanded to unlock the encrypted data.
Phishing: Phishing is a cyber-attack that disguises itself as a message from a trusted entity. Lawyers have reported falling prey to fraudsters calling and impersonating their bank, internet or IT companies. The fraudsters may request remote access and seek to obtain confidential banking details, ultimately diverting trust and personal funds out of the lawyer’s accounts.
Last financial year we received reports of cyber-attacks on several law practices, with total losses of almost $2 million.
What you can do to protect your business
There are several simple things that you can do to protect your business from cybercrime. Following these steps is recommended as a minimum:
- Always verify account details verbally and ensure the number you are calling is legitimate. Many of the reported losses could have been avoided by verbally checking account details before paying.
- Install multi-factor authentication.
- Check your trust accounts regularly and report any suspicious activity to your bank. We have received several reports of near misses. The bank can sometimes reverse the transaction, but you must act quickly.
- Train staff on cybercrime and how to detect and avoid it.
- Use strong passwords.
- Back up your data regularly.
- Be careful about distributing personal information and properly screen any requests you receive.
- Do not share devices between workers if possible, or at least use separate user profiles.
- Make sure your antivirus and firewall protection is up-to-date and turned on.
- Ensure that all your security systems are updated regularly and that the applications you use are the latest version.
Multi-factor authentication (MFA) can be installed relatively easily and is one of the best ways to protect your business.
MFA creates an additional barrier for hackers to overcome to gain access. This extra layer of authentication, in addition to your password, is usually in the form of:
- Knowledge – ‘Something you know’, e.g. passwords, PINs.
- Inherence – ‘Something you are’, e.g. fingerprints, facial ID.
- Possession – ‘Something you have’, e.g. mobile phones.
Microsoft estimates MFA can block over 99.9 percent of account compromise attacks.
If your law practice operates a trust account, we expect that the law practice will have MFA. If you are a principal of a law practice, you have an obligation to ensure that your law practice is protected. Breaches of these obligations may have disciplinary consequences.
Will your insurance cover you?
The standard LPLC insurance policy you hold may cover losses suffered by your clients as a result of negligence and/or breach of duty; however, there are many other losses that can be associated with cybercrime. Your standard insurance policy does not cover you for first-party losses, including:
- Your business shutting while the problem is being fixed.
- Retrieval of electronic data.
- Costs related to IT remediation.
The Legal Practitioners Liability Committee (LPLC) has more information on what is and isn’t covered, as well as suggestions for extra cover.
What you should do if you experience cybercrime
- Immediately contact your bank to try to recover funds and prevent further attacks.
- Change all passwords.
- Engage IT professionals to stop the threat and make sure your systems are secure.
- Report the matter to the LPLC.
- Report the matter to our office via our lawyer enquiry form (including near misses).
- Report the matter to Victoria Police.
- Report the matter to the Australian Cyber Security Centre.