What to do when you discover you've been hacked or defrauded
There are some nasty criminals out there, just waiting to infiltrate your IT system and steal all your money or that of your client. They’re well hidden under rocks somewhere on this globe and are rarely brought to justice. Which means if you’re involved in a New Zealand law firm of any size, you’re going to have to try to protect your IT assets and, if you don’t, to take action as soon as you notice a problem.
We’re bombarded with messages about cybersecurity. The Law Society regularly issues warnings. CERT NZ and Netsafe run cybersecurity events and weeks, and the media is full of stories of the havoc caused by hacking or email fraudsters. The commonly-used description “scam” also sounds friendlier and less threatening than “crime”. This all tends to dampen the message of maintaining IT security, which becomes just one of many dangers in running a business in 2018 rather than a very real risk.
Until you find you’ve been hacked. Suddenly, you find that law firms and clients all over New Zealand have received an email from you (personally) inviting them to click on a suspicious link or attachment. Or you discover that the payment instructions you sent the other party in a property transaction were mysteriously altered so that the money went to an unknown bank account and by the time you discovered it, had gone offshore. Or you may even fall for one of the old Nigerian scams in which you help a friendly person from outside New Zealand recover a debt due from an equally obliging debtor. Let’s not worry about the last one: email crime these days is far more sinister and difficult to combat than something which most lawyers are now able to spot quickly.
So, what should you do when you’re the victim of a cybercrime where money is involved?
Ring the bank immediately
“If someone realises they have been conned, the first calls I’d recommend they make are to the banks,” IT advisor Damian Funnell advises. “The quicker they ring the banks, the more chance they have of minimising the damage. Then I’d ring the Police, then CERT NZ. I think CERT are great for advice, but I don’t think they’d be much use after the fact.”
Hackers are pretty keen to get “their” money offshore as quickly as possible. The bank has to be the first call you make if you discover someone has got you to misdirect money to the wrong account.
Ring your insurer
The criminals don’t do all their hard work for peanuts. Big sums of money are usually involved. Whether you have special cyber cover or not, this is a very tangible threat to your business. You need to advise your PI insurer of what has happened, how, and what you’re doing about it.
Ring the other side
If another party is involved, let their lawyers know. You may need to work together quickly to protect all parties.
Ring the Police
This is a crime and it is the job of the Police to try to solve crime. The Police advice on electronic crime is to report criminal matters to your local police station. Don’t ring 111 therefore unless someone is delivering an immediate and believeable threat. And if you ring your local police station you’ll be invited to trot down there some time and fill in a form. This is therefore not something you need to bother about immediately – more for insurance paper trails if you have lost money. “If you are reporting an e-crime, it is important to keep any electronic evidence,” the Police advice on reporting electronic crime says. “For information on preserving electronic evidence consult your IT system’s administrator or security specialist or visit the Netsafe – Gathering Electronic ‘Evidence’ web page.”
Keep a copy of emails
Netsafe has information on how to copy headers and other details from emails.
Talk to your IT people
If your firm has been hacked, someone needs to thoroughly investigate your IT system to see what has been compromised. This could include installing a backup from before the time the hacking occurred.
Advise organisations such as CERT and the Law Society
The more that is known and shared, the more aware people will be of the threats. CERT NZ has built up a big repository of resources and guidance. Contact them via their website. Netsafe has an online form which can be used to report a problem.
The New Zealand Law Society’s inspectorate team can also provide advice and assistance (04 472 7837) and if you email firstname.lastname@example.org with details of what has happened we can include them on the Law Society website section on email scams or in articles such as this.
What about the situation where lots of people suddenly receive emails purporting to come from you – your name, your firm, your signature?
Get hold of your IT people urgently
You’ve been hacked. Someone has got into your system and stolen information. You need urgent assistance from an IT expert to assess the magnitude of the problem and to fix it.
Put a message on your phone system
People will probably start ringing you to let you know they have received a weird email from you. Some may ask if it’s OK to click on the link. You need to be fixing things rather than answering the phone. Tell people it’s a malicious email, it was not sent by you and they should delete it immediately.
Put a message on the home page of your website
People will also come to your website to see if they can work out what’s going on. Place an advisory message on your home page.
Let your clients know
Because your IT system has been penetrated, information on your clients may have been compromised. You need to advise them of this and (after your IT people have checked out your system) reassure them that their information is secure. An appropriately worded email may suffice if you can’t ring every client personally.
Advise the Law Society
We cannot send a message out to all lawyers in New Zealand advising of what has happened. Unfortunately, this is not uncommon. However, we often get inquiries and notifications from other lawyers and firms when someone is publicly hacked, so it is a good idea to advise the manager of your Law Society branch.
Some safety measures
Check, check, and … check
Damian Funnell says technology solutions to safeguard IT systems are often not available, as the attacks usually rely on social engineering – getting into a victim’s system with their (unwitting) assistance.
“My experience is that the strongest defence lies in education and process. All of the good law firms who I’m dealing with will insist on a deposit slip or screenshot showing account details, even if they’re being provided with the account details in person by the client. I think this is a really essential practice,” he says.
“Others even go so far as to ring the bank they are about to transfer money to, to double check that the funds are going to the desired entity.”
Where a deposit to a bank is involved, double check the number of the destination account – a phone call to your client is a good idea.
Don’t do it alone
In all the movies, two people are usually needed to arm the nuclear warhead. Everyone seems to accept that this is necessary to remove the risk of a mad person destroying us all. So why don’t we do it for our own businesses?
“Everyone should use a process by which at least two parties have to approve any transaction over a certain size,” says Mr Funnell. “This significantly reduces the risk of mistakes or fraud, as the second party should check all the details before approving the transaction.”
Extreme care when transferring funds overseas
Never transfer funds to an overseas account without doing significant due diligence.
“I for one would refuse to work with clients or firms who can’t supply local account numbers – there’s just too much risk when wiring money overseas,” Damian Funnell says.
Make sure every person in your workplace follows secure procedures
A law firm got into hacker trouble recently because a temporary employee – there for just a week – didn’t know that the firm prohibited everyone from clicking on attachments sent without any explanations. Cybersecurity is more than just a notion to pay lipservice to. It could stop your business losing a lot of money.
Rule 11.4 of the Rules of Conduct and Client Care specifically provides that a lawyer must take all reasonable steps to prevent any person perpetrating a crime or fraud through the lawyer’s practice. This includes taking reasonable steps to ensure the security of and access to electronic systems and passwords.
Last updated on the 31st August 2018