Securing your site against fraudsters (first published on Law Society Gazette website)
28th July 2015
Given the importance of the internet to businesses, including law firms, care must be taken to ensure that websites do not act as a signal to fraudsters of potential vulnerability. This means more than just managing your email security.
In this article, first published on the Law Society Gazette website, Sue Bramall explains why managing your online presence will give you a better chance of avoiding potential attacks – from having a protected domain name to keeping your website content up to date.
Firms that actively manage their online presence will stand a better chance of spotting malicious attacks.
The recent headline-grabbing case of £330,000 being stolen from conveyancing clients of Perry Hay & Co via an email fraud has emphasised how attractive the legal sector is to fraudsters.
Aside from managing their email security, law firms should also take care to ensure that their website does not act as a signal to fraudsters of potential vulnerability. Given the importance of the internet to most businesses, including law firms, a distinctly dated website can send out a signal that the web may be pretty low on the agenda of the firm’s management or that IT skills and awareness are weak.
Law firms should also take care to ensure it is not easy for fraudsters to create a dummy law firm, by posing as part of their firm online.
Domain names are not always protected adequately. It is not uncommon to find that a firm has protected only one variation of its domain, such as .co.uk, but not .com or obvious alternatives such as XYZ Law, XYZ Legal and XYZ Solicitors. Failing to register these variations makes it easy for a fraudster to obtain a domain name that appears authentic.
Website appearance – it is amazing how often we still see firms with websites where the latest news is a number of years out of date. Most partners would notice if the newspaper in reception was months old, the windows needed cleaning and the flowers were dead. I doubt they would come into work in their oldest clothes, but it seems to be acceptable for the firm’s other window to the world to appear out of date and old-fashioned.
But management teams that pay little attention to their websites should be aware that this is exactly the sort of website that will be attractive to a fraudster. The fact that it is out of date gives a signal that it is not regularly maintained or closely monitored.
Just as a vacant property might attract squatters, a basic and out-of-date website will be easier for fraudsters to clone than one which is more complex and populated with regular updates.
Firms that actively manage their website tend to check their performance online regularly, and so will stand a greater chance of spotting another website which appears with a similar brand name.
Checking the issue with compliance consultant Gemma Garen, I was advised that the Lexcel Standard version 6 has been tightened with this in mind: ‘Lexcel v6 requires that firms operate a robust website management policy that protects its security because a firm’s website is a critical information asset.
‘To demonstrate compliance, firms must have a resilient procedure that includes regular documented review of its website contents including content approval and/or removal and management of user accounts.
‘Lexcel assessors will closely scrutinise a firm’s website and security procedures to test whether they are effective in defending the firm’s public information assets and whether they are able to ward off fraudsters.’