Solicitor’s clients sent cash to fraudster’s account after cyberattack

Law Society calls on solicitors to ensure safeguards are in place to deter hackers

The Law Society has urged solicitors to ensure protective measures are in place to combat cybercrime after a successful cyberattack led to some clients of a solicitor making financial transfers to a fraudster's bank account.

“No business is immune from a cyberattack but protective measures can and should be taken to protect IT systems,” said the society in a response to the attack.

Solicitors have been specifically targeted by cybercriminals because they often hold large sums of money in their client bank accounts as well as sensitive personal data.

The Law Society said on Monday it had recently become aware of an attack which began by a solicitor clicking on a link in an unexpected email that was received from a fraudster.

Similar to previous attacks, the solicitor was unaware they were hacked, said the society on its website. That meant the hacker was able to stalk the inbox and create rules to automatically divert emails from particular clients. The hacker also created a new email address very similar to the solicitor’s own email address, which enabled the hacker to contact the client directly.

From reviewing the emails, the fraudster was able to identify several transactions that were about to occur and emailed the relevant clients seeking a transfer of monies to a bank account outside the State.

The clients then made the transfers to the hacker’s bank account.

Responding to the attack, the society told The Irish Times: “We know that our members are vigilant about the importance of cybersecurity measures and engage with our training and guidance on this matter regularly.”

As ways of working continue to evolve, many law firms are investing and upgrading their IT systems to ensure continued service to clients, it added.

Account details

The society has recommended that solicitors and their support staff be suspicious of any unsolicited or unexpected emails and should treat any attachment in such emails with suspicion and confirm its validity with the sender prior to opening.

It also recommends that solicitors make their clients aware that bank account details will never be provided by email and, if they are, it is to be assumed they are fraudulent.

Clients should be informed that a solicitor is prohibited from holding a client bank account outside the State and any request to send money abroad should be immediately reported to the solicitor and not acted upon, it said.

According to the annual survey of Irish law firms published last November by professional services and wealth management firm Smith & Williamson, most of the top 20 law firms here reported cyberattacks on their systems in 2021.

Some 62 per cent of smaller firms in Dublin, and 74 per cent of regional firms, did not report any such activity.

Of those surveyed, 27 per cent regarded cyberrisk as one of the biggest challenges facing them over the next three years.

According to a recent report by Grant Thornton, the economic cost of cybercrime in Ireland in 2020 was some €9.6 billion.