
The legal sector is at significant risk of cyber crime, cyber attacks and scams, partly because of the sensitive data and significant monies held by law firms.

As part of our cyber security policy the firm has in place security software, including antivirus, anti-spam, and firewall software, which is sufficient and regularly reviewed and updated to identify and remove malware. We also ensure that software installed on all company devices is kept up to date and regularly ‘patched’.

We are however unable to protect you against phishing scams. Phishing is the sending of untargeted, mass emails to many people in an attempt to obtain financial or other confidential information (including user names and passwords). This is usually done by sending an email that looks as though it has come from a legitimate organisation. The email usually contains a link to a fake website that looks authentic. The email may also ask you to respond to an account which appears to belong to a Kew Law domain (kewlaw.co.uk) but which has in fact not originated from our servers; any response to the spoofed email is actually directed to the fraudster, who is using, for example, a gmail account. See more about spoofing below.

We are also unable to protect you against spoofing attacks. A spoofing attack is a situation in which a person successfully masquerades as another by falsifying data, to gain an illegitimate advantage. The sender information shown in e-mails (the “From” field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails.

An example email is below…

From: Patrick Smith <Patricksmith@kewlaw.com>
Date: Tue, Sep 25, 2018 at 4:57 PM
Subject: Hello Mr James Example
To: <Mr-Example@gmail.com>
Hi James,

I was counsel to my late client Mr. Thomas Example who left behind an
estate of Nine million British pounds under my retainer-ship. He has no
known relative and you have a legal entitlement to his estate because my
late client shared the same last name with you. I found you via LinkedIn
search and would like you to have the privilege to apply for claims of
the funds from the bank. Please get in touch via my private email (typically an address @gmail or @legislator) for more information.

Best regards,
Patrick Smith
36 High Street, Burnham-on-Crouch,
Essex, CM0 8AA

What is suspicious here?

  1. Our domain is .co.uk, not .com
  2. The correct email for our Patrick Smith is patrick.smith@kewlaw.co.uk
  3. Our address is 34 High Street, Burnham-on-Crouch, not no. 36.
  4. We would never invite you to respond to an email address not registered @kewlaw.co.uk

It is important to note that in this example the sender hasn’t actually used the email Patricksmith@kewlaw.com to send the email. The cyber criminal has simply changed the display header so it appears to have been sent from that address. See our top tips below for further explanation.

Why is this important? The cyber criminal may use any fake display header they like. So it could also look like the email has come from @kewlaw.co.uk.

Examples…

  1. psmith@kewlaw.co.uk
  2. patricksmith@kewlaw.co.uk
  3. patrick_smith@kewlaw.co.uk

These email addresses do not exist, and an email actually sent to these accounts would be returned to sender. This is why the cyber criminal will ask you to respond to a separate email address, or will set the Reply-To field so that your reply is automatically addressed to an alternative email address.
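As an added illustration (not part of this page or of the firm's systems), the following Python checks a message's headers for the warning signs described above: a look-alike sender domain such as kewlaw.com, a Reply-To that points somewhere other than the sender's domain, and a sender address that does not match the firm's known mailbox. The sample message is constructed to mirror the spoofed email shown earlier, and the assumption that genuine addresses take the form first.last@kewlaw.co.uk is made for this example only.

```python
"""Flag header red flags in a received email (defensive triage helper)."""
from email import message_from_string
from email.utils import parseaddr

GENUINE_DOMAIN = "kewlaw.co.uk"                   # firm's real domain (from the page)
GENUINE_SENDERS = {"patrick.smith@kewlaw.co.uk"}  # known real mailbox (from the page)

# Constructed sample, modelled on the spoofed email shown above.
SAMPLE = """From: Patrick Smith <Patricksmith@kewlaw.com>
Reply-To: <patrick.smith.legal@gmail.com>
Subject: Hello Mr James Example
To: <Mr-Example@gmail.com>

Hi James, please reply via my private email for more information.
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def check_headers(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    if not from_addr:
        return ["no sender address in From header"]
    from_dom = domain_of(from_addr)
    if from_dom != GENUINE_DOMAIN:
        # Same first label as the real domain but a different suffix: look-alike.
        if from_dom.split(".")[0] == GENUINE_DOMAIN.split(".")[0]:
            findings.append(f"look-alike domain: {from_dom} is not {GENUINE_DOMAIN}")
        else:
            findings.append(f"sender domain {from_dom} is not the firm's")
    elif from_addr.lower() not in GENUINE_SENDERS:
        # Right domain, but a mailbox the firm does not operate (e.g. psmith@).
        findings.append(f"{from_addr} is not a known firm mailbox")
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != from_dom:
            findings.append(f"Reply-To goes to {reply_addr}, not the sender domain")
    if name and "@" not in name:
        # Assumed convention for this example: "First Last" -> first.last@domain.
        expected = name.lower().replace(" ", ".") + "@" + GENUINE_DOMAIN
        if from_addr.lower() != expected:
            findings.append(f"display name '{name}' does not match {expected}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print("WARNING:", finding)
```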

Ten Tips on How to Identify a Phishing or Spoofing Email.

Tip 1: Don’t trust the display name

A favourite phishing tactic among cyber criminals is to spoof the display name of an email. A recent study found that, out of more than 760,000 email threats targeting 40 of the world’s largest brands, nearly half spoofed the brand in the display name. The fraudulent emails, once delivered, appear legitimate because most user inboxes only present the display name. Don’t trust the display name. Check the email address in the header From field; if it looks suspicious, don’t open the email. Your email service provider is likely to publish guidance online on how to display the email header.

Tip 2: Look but don’t click
Hover your mouse over any links embedded in the body of the email. If the link address looks odd, don’t click on it. If you want to test the link, open a new window and type in the website address directly rather than clicking on the link in an unsolicited email.

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyse the salutation
Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name. You should also consider each tip in conjunction with others. If your email information has been obtained through a security breach at some time in the past, the fraudster may have your personal information to hand and seek to take advantage of this.

Tip 5: Don’t give up personal information
Solicitors will never ask for personal details via email. Don’t give them up.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic.

Tip 7: Review the signature
Lack of details about the signer, or about how you can contact the company, strongly suggests a phish. Legitimate businesses always provide contact details. You should cross-reference any contact details shown against those displayed on our website or, if you are an existing client, against the information previously provided to you.

Tip 8: Don’t click on attachments
Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Tip 9: Don’t trust the header from email address
Fraudsters not only spoof brands in the display name, but also spoof brands in the header From email address. Notwithstanding the advice at Tip 1, it is also possible to spoof the header From email address, so a plausible-looking address is not proof that the email is genuine.

Tip 10: Don’t believe everything you see
Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, don’t open it.

Other matters to note:-

  1. Email is not a secure method of transmitting sensitive or personal data
  2. You should report any incident so that the police and government can put resources in place. You can do this online at https://www.actionfraud.police.uk/ or by telephoning the Cyber Crime Reporting Centre on 0300 123 2040.
  3. Never rely on any banking details provided to you unless they are supplied in a secure manner.
  4. The firm shall not be changing its bank account details during the course of a transaction.
  5. If you receive any communication suggesting that the firm’s bank account details have changed, you should contact the firm via the number on the firm’s website or headed notepaper.
  6. More information about avoiding and reporting internet scams and phishing can be found at https://www.gov.uk/report-suspicious-emails-websites-phishing

Attention! Have you been targeted by spam?

Cyber criminals are increasingly targeting victims by masquerading as law firms and financial institutions. Such activity is commonly known as phishing or spoofing; an example is given above. If you are unsure as to the legitimacy of any unusual or suspicious emails received, please report to us on 0800 987 8156.