Cyber Security : Key Terms and Jargon

Following our National Conference and in support of our ongoing cyber awareness campaign, we’ve compiled a list of cyber security key terms and jargon for reference.

Bogus Law Firm

The term ‘bogus law firm’ refers to an individual or small group of people posing as a genuine law firm to form part of a legitimate property chain.

However, once the money changes hands, they do not fulfil their commitment to close the deal and instead disappear with the funds that have just arrived in their bank account.

Risk Management Services such as Lawyer Checker are available to assure conveyancing solicitors that they are dealing with genuine law firms before progressing a transaction.

Chief Executive Fraud (or President Fraud)

‘Chief Executive Fraud’ (also referred to as ‘President Fraud’) is a targeted phishing attack, where an individual in the firm is sent a fake email which looks as though it has come from a Managing Partner.

For example: “Did you send £20,000 to Michael J Hart? I thought I asked you to do this last week, but Michael has just phoned to say he hasn’t received the money?”

The success of this type of fraud relies heavily on social engineering to create a stressful situation where the target feels under pressure to respond quickly to an email from one of their superiors – without questioning the validity of the message.

More information : Click here for more information on Chief Executive Fraud (or President Fraud)

Cyber Incident Response Plan

A ‘cyber incident response plan’ is a dedicated (printed) document containing all of the information your team might need in the event of a cyber-attack.

This will include agreed responses to “worst case scenarios”, alongside named individuals responsible for executing them. It will also feature a detailed list of contact details for the people whose advice, support and technical services will be required to get your operation back up and running.

More information : Click here for more information on How to Prepare to Defend Your Law Firm’s Reputation in the Event of a Cyber-Attack

Friday Afternoon Fraud

‘Friday Afternoon Fraud’ is a term used in the media to describe a cyber-attack where clients are targeted with phishing emails imitating their solicitor and asking them to transfer their deposit to an alternative bank account.

When successful, victims are left with no funds to finalise their property transaction, and a dilemma as to how to proceed with their purchase. 

High profile example : Howard Mollett incident

General Data Protection Regulations (GDPR)

A new, more consistent global legal framework for all organisations that deal with EU citizens’ data, set to replace the existing Data Protection Directive (DPD) in May 2018.

To avoid fines of up to €20 million, or 4% of annual turnover (whichever is higher), law firms will need to review their data usage, storing and cleaning methods to ensure they are compliant with the new regulations.

Good to know : Despite Article 50 being triggered in March 2017, the UK will still be part of the EU until at least 2019; and will need to comply with the General Data Protection Regulations (GDPR) when they are introduced in May 2018.

More information : Click here to find out more information about the forthcoming General Data Protection Regulations (GDPR).

Phishing email

A phishing email is an email which impersonates a legitimate organisation.

Such emails are typically ‘blanket emails’ sent to multiple recipients pretending to be from a bank or building society, in attempt to obtain sensitive information such as usernames, passwords, and credit card details.

However, these can very quickly be identified as spam by the receiver, especially if they are pretending to be from Halifax, and the receiver only banks with Lloyds Bank (for example).

People Risk

People Risk refers to the risks posed to a law firm by human error or naivety.

Clients and colleagues can impact this in equal measure, and criminals are highly aware of this.

A successful attack or accidental data leak can bypass any technology-based security measures in place and make them redundant.

More information : Click here to read more about the people risks in your law firm and how your colleagues could pose an even greater risk than your clients.

President Fraud

See : Chief Executive Fraud

Ransomware attack

A ransomware attack is when a cyber-criminal infects a computer system with a piece of malware, which places a digital blocker on the system so that the victim firm can’t raise an invoice or continue business as usual.

This can happen as a result of just one member of staff clicking a link in a rogue email, or plugging in an infected USB stick.

The cyber-criminal will then hold the firm to ransom, with a message appearing on their computer screen asking them to pay them money for the digital release key.

More information : Click here for more information about ransomware attacks

Secure online portal

A secure online portal provides a safer and more efficient alternative to email communication, enabling law firms and their clients to exchange sensitive information online.

As all the information is encrypted, law firms can be confident that bank details and contracts are being delivered securely to their clients, removing any concerns about post or emails being lost or intercepted by criminals.

More information : Click here for more information about secure online portals and how they can improve security and business efficiency in your law firm.

Shadow IT

The term ‘Shadow IT’ refers to IT activity that goes on around a law firm under the radar of the official IT department.

For example, employees plugging in USB sticks they’ve picked up at events, or sharing files across popular file-sharing websites; both of which can act as a gateway for cyber criminals.

HR and IT departments need to work together to help promote positive messages across their law firm to raise awareness of these risks, and curb ‘Shadow IT’ behaviours.

Spear-phishing email

Spear-phishing is similar to phishing [see: phishing email], but operates under a more targeted approach.

Instead of sending a ‘blanket email’ to multiple recipients, spear-phishing emails will be based on information the sender has already obtained about the recipient.

For example, their name, email address, and whether they are a Lloyds Bank customer (for example). This can contribute to the confusion, and the success of the attack.

Take Five

Take Five is the name of a cyber-security awareness campaign led by FFA UK and its members, with partners Cifas and City of London Police.

It advises people to question the validity of any communications they receive, and contains useful advice and resources which can be shared with clients and colleagues alike to help to better protect a law firm from the risks of cyber crime.

More information : Click here to find out more information about Take Five and how it can help to keep your colleagues and clients safe from cyber criminals.

Technology Risk

Technology Risk refers to all the risks associated with IT and technology that can be mitigated through best practice and innovation.

There are a broad range of technology risks IT departments need to stay abreast of to maintain the security of their law firm, from password management and email security, through to continuous user activity monitoring and ensuring all employees are running the latest versions of anti-virus software. 

Third Party Risk

The term ‘third party risk’ refers to any business partner, PR agency, contractor or customer who has access to a law firm’s IT systems, and could (intentionally or unintentionally) act as a bridge for hackers.

Understanding and limiting the information these third parties have access to can help law firms to avoid cyber security incidents.

Two Factor Authentication

Two Factor Authentication is an additional layer of security that requires someone to have more than just a username and password to log into an account.
 
For example, inserting a physical bank card into a card holder when accessing online banking, or generating a unique code to be texted to a mobile phone to add in as part of a computer log in process.

Vishing

Vishing refers to a phishing-style attack over the phone in which a criminal claims to be from the victim’s bank and tells them their account has been compromised. They then ask the victim to transfer their money to a “safe” account to address the problem.

This approach can be used to target both individuals, and employees in the Finance Department with access to company accounts.

Similar to spear-fishing [see : spear-fishing email], the fraudster may have already gained access to some of the victim’s banking details, and may quote genuine transactions to back up their story. 

‘Zero Day’ Vulnerabilities

‘Zero Day’ vulnerabilities are vulnerabilities in IT systems and processes that nobody knows are there – apart from hackers.

They have been given this name because a law firm will have ‘zero days’ to respond and fix them when (and if) they are found.

More information : You can find out more about ‘Zero Day’ vulnerabilities and how you can prepare for them by watching this video from BeCyberSure

If there are any words you feel are missing from our Cyber Security : Key Terms and Jargon reference guide, please email our Marketing Communications Executive on megan.jones@tmgroup.co.uk