You probably won’t know you’re a victim of the fastest-growing cybercrime until it’s too late.
Email hijacking, where a cyber criminal takes control of your email account, might sound like something out of a spy novel, but it’s a very real threat, especially for law firms who deal with valuable client data and money.
The criminal gains the ability to receive, intercept and even send emails from your account, and neither you nor the recipient is any the wiser. We explain email hijacking and other cyber risks in our free cyber risks guide.
Email hijackings currently account for more than half of the caseload of ReSecure, RPC’s cyber breach response service, says Richard Breavington, its co-leader. “It’s happening again and again to SMEs,” he says.
It’s so popular because it’s so lucrative: it’s estimated to have earned cyber criminals billions of dollars around the world. Often, you won’t know you’ve been a victim until a client or a contractor contacts you to find out whether you really sent a suspicious email they received from your account.
What happens next?
Once the attackers are in your system, you won’t notice any problem at first, as they will monitor your company’s emails until they find the right opportunity to strike. “A classic example would be if your firm sends a client an invoice,” says Breavington. “Once the hackers see that, they would send a follow-up email from the same account telling the client that your banking details have changed and give them a different account into which they should pay.”
The damage caused by a hijacking may be considerable. You won’t know whether your contacts have been sent emails from your account, as the hackers will alter the settings in your email account so that you don’t see the fake emails in your ‘sent’ folder or the returned messages in your inbox.
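The hiding step described above leaves traces in the mailbox rules themselves, so they can be audited. The following is an added example, not code from the article or from RPC’s ReSecure service: it flags rules of the kind a hijacker creates (external forwarding, deleting or burying mail that mentions payments, suppressing a particular correspondent). The rule schema and the sample rules are constructed assumptions, not any mail provider’s API.

```python
"""Flag mailbox rules of the kind an email hijacker sets up to hide their activity.
The Rule schema is a simplified, hypothetical one, not a vendor API, and the
sample rules at the bottom are constructed for illustration."""
from dataclasses import dataclass, field

# Terms hijackers commonly key their hiding rules on (assumption; extend as needed)
FINANCE_TERMS = ("invoice", "payment", "bank", "remittance", "transfer")
# Folders used to park messages where a busy user rarely looks
HIDING_FOLDERS = ("rss feeds", "deleted items", "junk email", "archive", "conversation history")

@dataclass
class Rule:
    name: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": [...], "from_contains": [...]}
    actions: dict = field(default_factory=dict)     # e.g. {"delete": True, "move_to": "RSS Feeds", "forward_to": [...]}

def suspicious_reasons(rule: Rule, own_domain: str) -> list[str]:
    reasons = []
    a, c = rule.actions, rule.conditions
    # 1. Forwarding or redirecting to an address outside the firm's own domain
    for addr in a.get("forward_to", []) + a.get("redirect_to", []):
        if not addr.lower().endswith("@" + own_domain.lower()):
            reasons.append(f"forwards to external address {addr}")
    # 2. Deleting or burying mail about money: hides replies to the fake 'new bank details' email
    terms = [t.lower() for t in c.get("subject_contains", []) + c.get("body_contains", [])]
    money_match = any(ft in t for t in terms for ft in FINANCE_TERMS)
    hides = bool(a.get("delete")) or a.get("move_to", "").lower() in HIDING_FOLDERS or bool(a.get("mark_read"))
    if money_match and hides:
        reasons.append("hides messages that mention payments or bank details")
    # 3. Hiding everything from one correspondent: typical once a victim client has been picked
    if c.get("from_contains") and hides:
        reasons.append("hides all mail from " + ", ".join(c["from_contains"]))
    # 4. A blank or single-character name is a common sign of a hastily created rule
    if len(rule.name.strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons

def audit_rules(rules: list[Rule], own_domain: str) -> dict[str, list[str]]:
    """Return {rule name: reasons} for every rule that raises at least one flag."""
    return {r.name: why for r in rules if (why := suspicious_reasons(r, own_domain))}

# Constructed sample: one benign rule and two of the kind the article describes
SAMPLE_RULES = [
    Rule("Newsletters", {"from_contains": ["news@lawgazette.example"]}, {"move_to": "Newsletters"}),
    Rule(".", {"subject_contains": ["invoice", "bank details"]}, {"delete": True, "mark_read": True}),
    Rule("Sync", {}, {"forward_to": ["backup.mail@external-webmail.example"]}),
]

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES, "firm.example").items():
        print(f"SUSPICIOUS rule {name!r}: " + "; ".join(why))
```

On a real mailbox the same checks apply to the rule export your mail platform provides; a rule matching finance terms that deletes or marks mail as read is the pattern to look for first after any suspected hijack.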
But the hijackers won’t just be looking to con money out of your clients or business partners. Hijackers will riffle through your emails and might even upload your entire mailbox. “Your working assumption will generally be that all your emails have been compromised,” says Breavington.
Depending on the content of the mailbox, it’s almost certain that your law firm would need to notify the Information Commissioner's Office (ICO) of the breach, says Breavington, and probably also the Solicitors Regulation Authority (SRA). The ICO demands an initial report within 72 hours of the breach being uncovered.
Working out how much of your data has been compromised and who is affected can be a complex and time-consuming task. Depending on the level of risk to those individuals, you might need to notify some or all of them as well as liaise with the regulators. A cyber policy is a godsend in such a situation, as your insurer will be able to help you deal with the fallout from the breach. Otherwise, you’ll need to do it for yourself, in addition to your client work. We explain the different levels of cover available to you in our free cyber risks guide.
Tips for limiting the damage
First, decide what your sensitive data is and protect it properly. Smaller firms, especially sole practitioners, might store important information in various subfolders in their email inboxes. But that’s dangerous, says Breavington, as this data would be vulnerable to an email hijacker.
Second, do the basics. Patching your systems regularly and making sure your staff know your security protocols and aren’t taking shortcuts – busy solicitors will often bend the rules to save time – sounds obvious, but many practices don’t do it.
Most companies fall victim because an employee is taken in by a phishing email. Using multi-factor authentication – in which an authorisation code is sent to the user's phone if there is an attempt to log on from a new machine – would stop most cases of mailbox hijacking. Educating yourself and your employees on the risks from cyber criminals is the first line of defence.
Finally, have a Plan B. “Shutting down all your systems because of an attack would be hugely disruptive, so be sure to have a disaster recovery plan,” says Breavington.