
Smaller firms are ‘increasingly common targets’ for scams

As law firms embrace new tech post-pandemic, they need to protect themselves against scams more than ever, said one forensic services partner.

Lauren Croft, 24 November 2021, NewLaw

Stan Gallo, a forensic services partner at BDO, said that the anatomy of a scam involves three key steps: identification and approach, grooming, and the payoff.

This involves identifying the target, whether at random or specifically, and working to “qualify” whether they will be “an easy win with a quick payout or a larger play to extract greater amounts, either over a long term or in a single strike, with false invoicing for example,” according to Mr Gallo.

“Once on the hook, the target is groomed using a raft of approaches to provide misinformation whilst making the target feel comfortable. These can include regular personalised contact, official-looking documentation, a sense of urgency, high-pressure techniques and appeals to people’s emotions – or a mixture of these,” he added.

However, the ultimate goal is to monetise the transaction, either through direct extraction of cash in one-off or ongoing payments, identity theft, sale of personal information, invoice redirections or ransoms.

“In addition to the ‘tried and true’ traditional scams, such as phishing, there has been a significant increase in direct contact phone and text-based scams. These tend to be in the form of calls or text messages and usually related to payments, deliveries or some type of imminent enforcement action. The onset of COVID over the last two years has seen an exponential rise in related scams with timing tied to news announcements. An audience working and living online in lockdown and craving information in uncertain times is a ripe target,” Mr Gallo explained.

“From a broader business perspective, incidents of Business Email Compromise attacks resulting in theft through payment redirections remain very high. Compromises usually start with harvesting of user IDs and passwords and can jump from business to business.”

Boutique firms have become increasingly common targets as new scamming techniques and technology are developed, added Mr Gallo.

“Boutique law firms, specifically trust accounts and sensitive information, have been specifically targeted due to weaker security postures of IT systems in these entities. Enhancing protection will require a combination of beefing up hardware and software security (outsource if need be) and education,” he said.

“People are simultaneously an organisation’s strongest assets and weakest link – a human firewall. Ongoing education supported by proper processes regarding financial transactions and data privacy are critical. Staff should question and double-check everything before actioning anything. Personalising proactive security awareness not only enhances effectiveness by assisting employees at work but also protects them and their families at home.”

Mr Gallo said that whilst there were a number of other elements in this space that firms need to be aware of, there are also resources to support them.

“Trust accounts are recognised as a lucrative source of funds, as they are generally considered by attackers as high in value and low in security protocols. Additionally, boutique firms often underestimate the nature and volume of sensitive information their systems hold, thus marking them a significant target for compromise and data theft. There is a solid market on the dark web for personal information,” he explained.

“A few basic strategies (such as the federal government’s Essential Eight) can prevent the large majority of common scams. Coupled with education and awareness, these form a cost-effective and efficient security framework for boutique firms.”
