Professional services firms are being urged to train their staff on email security procedures after two Queensland law firms reportedly lost “millions” to hackers in a complex scheme that tricked them into paying funds to scammers.
The Brisbane Times reports the Queensland Law Society has issued a warning to firms in the region after at least two firms lost “several millions” when scammers hacked email accounts and directed settlements and payments into their own accounts.
The email scam involves cyber criminals approaching firms via email, posing as prospective clients and asking for details about their services. The scammer eventually agrees to sign on as a client and then sends personal documents through to the law firm. These documents prompt the employee on the other end to enter the login details of their work email address, which the scammer harvests.
The next step of the scheme involves the scammer watching the firm’s inbox until they see details of a settlement or payment that needs to be made from the firm to another party. The cyber criminal then sends the firm a reminder email about the payment, prompting it to pay the money into the scammer’s bank account instead of to the legitimate recipient, The Brisbane Times reports.
Managing partner of Queensland law firm Robbins Watson Solicitors, Andrew Smyth, tells SmartCompany that while he believes his firm has not been financially hit by these types of scams, the business has seen an explosion in the number of emails he believes are trying to harvest his team’s login details.
“It’s a new style that is just starting to spring up, and it’s always a specific person who writes to the firm, asking questions,” he says.
Smyth says he has trained staff to never input their workplace login details into any email attachment, but observes that the large volume of emails he suspects are scams plays on the concerns staff already have about security.
This is because the request to input details comes when the prospective client has sent across their personal identification and details, and most firms have a policy of checking the ID of a client before bringing them on board.
“We require identification of our clients as part of our onboarding, but the risk is the time in between, when they have not yet given this. They [the scammers] are using concerns already there about security to get it [the logins],” Smyth says.
While his firm spends a good deal of time tracking new scams, Smyth says the key messages to staff are to be wary of email links, and to pick up the phone to check on a client wherever possible.
“One of the warning signs with these emails is that there are no telephone details attached,” he says.
SmartCompany contacted Queensland Law Society for further comment on the trend but it did not respond prior to publication.
Two-step authentication is a must
Practice manager at digital security consulting company HackLabs, Michael McKinnon, says reports of scams like these show the importance of setting systems up with two-step authentication procedures.
“It comes down to being vigilant, and with it [two-step] procedures, even if a staff member accidentally gave their passwords to someone, they can’t get in,” he says.
“What’s interesting about this kind of common attack is that you’ve got businesses trying to go about their everyday business, dealing with documents that people send you which are usually an everyday activity.”
This makes staff vulnerable to taking a chance and inputting their details when they shouldn’t, McKinnon says. It’s also possible these scammers are not looking for big payouts each time they compromise an inbox, with McKinnon suggesting such scammers are likely to contact firms looking to cash in on settlements of just a few thousand dollars.
“Scammers aren’t always going for the big ticket item, they could get a few thousand here and there, and it adds up. You have to keep super vigilant.”