
COFAs - Stay alert and take a stand against cybercrime

The phrase "stay alert" has become familiar to all of us in recent months as we work through the implications of the current pandemic.

For law firms it is a topical matter, not only in dealing with the COVID-19 situation and government guidelines, but also because fraudsters have sought to take advantage of the disruption and to exploit any weaknesses that arise in order to defraud the practice.

With this risk heightened, COFAs play an important role within the firm: they are responsible for implementing and maintaining suitable accounting systems and procedures to safeguard client money and the firm's own financial stability.

COFAs need to keep in mind that, for teams continuing to work remotely, operational changes may introduce weaknesses into systems which, although robust in normal working conditions, may not operate as effectively under remote working.

It is not only the immediate financial impact that puts a practice at risk. Law firms also hold sensitive information, and any breach of that data not only raises issues under GDPR but also presents a reputational risk to the practice.

A reminder of how firms are being targeted

For a COFA to assist in implementing systems to prevent and detect cybercrime, they need to understand how their firm is being targeted.

The two channels which continue to be prevalent as tools of cybercrime are malicious emails and telephone calls.

Untargeted attacks, such as generic phishing emails purporting to be from a bank and asking the recipient to send their bank details, have been around for some time. With a little common sense these emails are usually easy to spot: they are typically badly written, have formatting issues and come from suspicious email addresses.

However, consider an email that appears to come directly from the client, or from a colleague in the firm, containing very specific and accurate details of the underlying legal transaction: final funds being returned to the client, payment of an office expense or partners' drawings, with the exact amounts and the names of the parties involved, together with details of where to send the payment.

Such emails can be very convincing, and it is easy to see why one might be taken as genuine.

The attack could equally be a telephone call into the firm, supposedly from the client, along the same lines and with equally specific information.

Increasingly common in recent times is ransomware: malicious software that encrypts the data held on the firm's servers, followed by a demand for payment to decrypt it. There has been an increasing number of successful attacks where businesses are left with no option but to pay the ransom or to restore data from a backup taken before the malicious software was installed, which may be well before the point at which the encryption itself was triggered.

In normal circumstances the legal sector has become more robust to such attacks, but in the current remote working environment the risks are arguably increased.

So how do the criminals implement such a targeted attack?

Access is generally obtained by compromising database systems or email accounts in the background, supplemented by general information gathered from social media websites.

Typically, malicious but innocent-looking emails contain what appear to be direct links to a known webpage, or carry attachments. They may seem harmless, but by the time the link or attachment is opened a process of installing malicious software on the user's PC or the firm's servers may already have begun in the background, giving the cybercriminals access to the firm's data.

A targeted attack is generally not carried out overnight. It may involve building a long-term picture of the legal practice and its transactions by compromising the email or accounting systems of the firm, of its clients, or of another law firm acting for other parties in the same transaction.

They build a picture of when law firms are vulnerable: time-pressured periods, staff working remotely under pressure, and times when key individuals acting for clients are away from the office, whether on holiday, furloughed or working part time.

Controls and systems to consider

There are, of course, the normal IT infrastructure controls that help safeguard access to the accounting systems and other data: firewalls, anti-malware software, strong and unique passwords (current NCSC guidance favours changing them when compromise is suspected rather than on a fixed schedule) and two-factor authentication at login, particularly when accessing systems remotely. It is not uncommon for legal firms to outsource these IT requirements to specialist providers to help safeguard client information and funds.

There should also be firm-wide policies restricting the use of USB memory sticks and the websites that may be visited, and governing home and out-of-office working practices.

One of the main areas in which the COFA can assist with cybercrime prevention is by educating everyone in the practice and maintaining a set framework of procedures for the management of client and office monies. These procedures should be reviewed in light of the current situation to identify any weaknesses that are increased by, or new to, a remote working environment.

The COFA can assist, particularly at this time, by reminding everyone in the firm to remain vigilant and to apply professional scepticism to any instruction or request that involves withdrawing client money from the practice, and to any email carrying attachments or links.

There are also a number of cybersecurity specialists serving the sector and, given the risks involved, it may be worthwhile seeking professional support.

Some examples of other safeguards can include:

  • Inclusion within the client terms of business that funds will only be paid to a bank account nominated at the outset, and that any request to pay funds to an alternative account will only be acted on in exceptional circumstances, after all the necessary checks have been made.
  • Any request to send funds to an alternative bank account should be strictly verified with the appropriate person, in particular the client and, where applicable, others in the practice, by telephone using the contact number already held on record (never a number supplied in the request itself) to confirm the instruction genuinely came from them. Email should never be the sole basis for acting.
  • If a telephone call is received which requires follow-up action, such as calling the client or the bank, it is wise not to make that call immediately and/or to use a different line. Fraudsters can sometimes stay on the line, leading you to believe you have called your client or bank to confirm the instructions.
  • Only those individuals in the firm who require the information should hold the specific office and client bank account details.
  • Consider suspending the use of chequebooks at the current time and using only direct payment methods such as BACS or telegraphic transfers (TTs).
  • Ensure that robust payment authorisation controls, including segregation of duties, remain in place, and update the written policy where required. During periods of remote working it may be appropriate for more than one senior authorised individual to review and action the release of payments at the bank.
  • Ensure backups are taken regularly and stored both on and off site, with at least one copy kept offline or otherwise unreachable from the firm's network so that ransomware cannot encrypt the backups along with the live data, and test periodically that they can actually be restored.

Procedures should also be in place to deal with a suspected cybercrime attack on the practice, including immediately notifying the relevant parties, such as the bank, the SRA, the police, insurers and, where personal data is affected, the ICO.
Hopefully these notifications will never be required, but firms clearly need to be well prepared and vigilant throughout, even more so at the current time.


Jason Mitchell MAAT ACA
PKF Francis Clark

The views expressed are those of the author and are not intended to constitute professional advice. Specific professional advice should be obtained before acting on any of the information contained herein; no duty of care is assumed to any direct or indirect recipient of this publication and no liability is accepted for any omission or inaccuracy.