Corporate companies are by no means immune to cybercrime, the latest report by McAfee indicates that it cost the global economy as much as $600 billion in 2017. According to Christopher Appanah, Claims Team Leader (PI and Liability) at SHA Specialist Underwriters, cybercrime is also evolving rapidly with attacks becoming more elaborate.
He says that proof of this is the growing number of attorney firms being targeted by one particular type of sophisticated email scam in recent years. “We have noted a trend in the number of local attorney firms falling prey to this type of fraud. It places the firm in a vulnerable position as these circumstances do not fall within the ambit of a general Professional Indemnity (PI) insurance policy.
“The approach is simple; the attorney firm is instructed by a client to register the sale of a property. Once the property is registered at the Deeds Office, the proceeds of the sale are due to the Seller. It is at this point that cybercriminals make their move. The attorney is sent a last-minute email alleging to be from the Seller, requesting that the Seller’s banking details be amended. The proceeds of the sale are then diverted to the hacker’s account.”
Appanah adds that these emails are usually accompanied by a forged letter from the bank confirming the Seller’s “new” bank details. “In the spirit of honouring their client’s wishes, attorneys often amend the details as instructed. It is usually too late to act by the time that such a scam is uncovered, since the money would have been transferred out of the cybercriminal’s bank account almost immediately after it is received.”
He says that the scenario outlined above describes a typical situation that has become more and more recurrent, and puts attorney firms at serious risk should the correct type of cover not be in place. “Since 2016 the Attorneys Indemnity Insurance Fund has declined to cover policyholders for losses arising from cybercrime. PI cover is not designed to cover cybercrime-related acts unless there is evidence of employee involvement.
“This type of scam is of course not limited to the legal sector, and professionals from a host of other industries have also reported being targeted by similar methods.”
In light of this, Appanah outlines various measures that attorneys and other professionals need to have in place in order to reduce their risks in this regard:
Focus proactively on risk management. Professionals and firms should make a point of becoming more knowledgeable on cybercrime and scamming trends and regularly assess the weaknesses that reside in their processes and procedures.
Call the client to confirm whether they have indeed changed their banking details. Some firms have adopted the rule that bank details can only be amended in person, rather than through emails or even telephonically. It may be wisest to incorporate a combination of innovative and proactive steps to mitigate some of these risks.
As a safety net, firms should consider appropriate insurance cover which is designed to come to the professionals’ aid if money stolen by means of email scam. With the cybercrime risks continually increasing, professionals and their firms should consider an extension to their Misappropriation of Trust Funds Cover policies. The extension is designed to provide indemnity to an insured attorney in the event that the attorney falls victim to an email scam.
“The message is clear; attorneys should take proactive steps to protect themselves and their clients from such incidents that may cause huge reputational damage to the firm and financial losses to clients which may not be recoverable. Equally, professionals in other industries should review their own PI policies and determine which cover products would help to better manage their cyber risks,” concludes Appanah.