Phil Limb and Marianne McWilliams from Miller’s Solicitors team recently spent time with Nic Miller of Aedile Consulting to discuss the cyber threat landscape for law firms. In the third of our four-part series, we discuss fund diversion and business email compromise attacks.

Can you explain how fund diversion attacks operate?

Ultimately, a transfer of funds is a transfer between two parties. So the first thing to realise is that a fund diversion could either side. Broadly speaking, a cyber-criminal just needs access to a company's email system. Sadly, that is still mostly obtained through the case of people having weak passwords that you can go on the dark web, look up people's company names, look at their email addresses and find passwords for sale that they might have used on other websites that have been hacked. 

For example, you could buy the password used by a CEO of a target firm, and the chance that it’s the same password used for their company email address is unfortunately quite high. Then if there's no multi-factor authentication on that company email then potentially an attacker has everything it needs to get into that system.

Once in the system, the attacker can create inbox rules that will identify a target email, bury it in a folder within a folder and mark it as read so that the legitimate user never sees it. They will then blind copy (BCC) that email to an external account they control. If the attacker can gain access to technical administration rights, they have the ability to set those rules up on multiple inboxes.

This enables them to reroute payments by communicating with clients or financial teams using the legitimate person’s email address, without that person’s knowledge. This helps bypass verification steps as there’s still too much trust put into the fact that the person who sent that email is the person who's email address it is. 

It can happen the other way too where money is being sent out. The attacker can create email addresses that look very similar to the person you have been emailing, using some simple font changes to make it look almost identical from a visual perspective. And again, they reply from the email address that looks so similar to the one that you literally just emailed that you won't question it, and 99 times out of 100 that money walks out the door and it's takes a long time to spot.

Are there not process improvements happening to prevent fund diversions? 

The banking systems are getting better at recovering some of this in some ways. One thing that's been really helpful is the confirmation of payee (COPs) checks, so when you go to pay someone, it checks the name on that account and says you think you're paying company X, but actually this is a account belonging to person Z. If you've built in COPs verification as part of your processes and if the details don’t match, that should raise a red flag.  

How does a firm recover from this type of cyber-attack? 

Following a breach, a firm needs to sit and forensically find out what happened, and I think there's a real risk in getting that wrong and under diagnosing the extent of the compromise. Fixing the immediate problem and failing to recognise the root cause leaves you vulnerable to future attacks.

Even for what may appear as a simple business email compromise, there can be accompanying technical components where mailboxes are being accessed and rules have been added. Recovery therefore means more than just changing the passwords for people who have had their mailbox accessed, because if you don’t go in and fully remediate any rules that were added, you've left the attacker with full visibility into all of the emails.

If they've already set up redirects for every new email about settlements or payments or invoices, changing the password does not remove that redirection, so you're still feeding the attacker constant information about when your company is about to do high value transactions.

The problem with these attacks is that they typically go beyond the capabilities and knowledge of a traditional IT team. What you want is someone who's been through it before, so it’s critical to get specialists who understand what are the likely things that an attacker will have done and immediately look for those because that's going to speed up your recovery process.

 If you have any further questions about anything discussed in this article, or wish to discuss your cyber insurance arrangements, please email or contact any of the team below.