What Can We Learn From the Phishing Attack on the SRA?

On 9th November 2022, the SRA issued a warning on its website entitled, “Warning: Malicious email purporting to be from the SRA”. What made this warning particularly concerning was that it related to a spurious email which purported to be from the SRA’s Chair, Anna Bradley. In this article, we will look at what is known about the phishing attack, the possible implications of this cyber attack, and what law firms (and the SRA) can do to meet the SRA’s own rules on preventing such attacks.

What Do We Know About The Phishing Attack On The SRA?

All that is formally known is what is on the SRA’s website. This states that a malicious email was sent at 10:36 on 9th November 2022, purporting to be from the SRA. It advises any recipients of the email to delete it, and if they followed any links within the email and provided their username and password, to reset their password immediately.

According to the Law Society Gazette, “Law Society Gazette journalists were among those who received a message from ‘anna.bradley@sra.org.uk’ inviting recipients to view a document”.

What Can Be Done To Stop This Type Of Attack?

Phishing attacks such as this are typically simple to mount because the sender address shown on an email can easily be “spoofed”. Email spoofing occurs when a message is sent with a forged sender address. Unfortunately, this is still all too common, and there is no universal solution that prevents it. Email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are increasingly used as an effective defence against spoofing. One caveat is worth stating plainly: these protocols only cause a forged “From” address to be rejected when the impersonated domain publishes an enforcing DMARC policy (p=quarantine or p=reject) and the receiving mail system honours it. A DMARC policy of p=none merely reports abuse, and none of these protocols helps against a lookalike domain or a genuinely compromised mailbox, so the address displayed on an email is never proof of who sent it.
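As an added example (not code from the original article), the following Python script shows how the SPF and DMARC records that receivers consult can be parsed and scored for anti-spoofing strength. The records are plain TXT strings, so it runs offline; the sample records for the hypothetical domains are constructed for illustration and are not the SRA’s real DNS data. DKIM is not covered, since it requires a signed message rather than a DNS record alone.

```python
"""Parse SPF and DMARC TXT records and report how easily the domain's From:
address can be forged. Sample records below are constructed, not real DNS data.
"""


def parse_spf(txt):
    """Return {'mechanisms': [...], 'all': qualifier} or None if txt is not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms = []
    all_qualifier = None  # stays None if the record never says what to do with unknown senders
    for term in parts[1:]:
        qualifier = "+"  # SPF default: pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return a dict of DMARC tags (lower-cased keys) or None if txt is not DMARC."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt, dmarc_txt):
    """Return a list of weaknesses; an empty list means spoofed mail should be rejected."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None

    if spf is None:
        findings.append("no SPF record: receivers cannot check the sending server")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (missing, '+all' or '?all')")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): a hint to receivers, not a block")

    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are not tied to the visible From: address")
    else:
        policy = dmarc.get("p", "none").lower()
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 100
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to junk rather than being rejected")
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("no rua= address: aggregate reports of spoofing attempts will not be received")
    return findings


# Constructed sample records for hypothetical domains (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

To run this against a real domain, fetch the records first (for example `dig +short TXT <domain>` for SPF and `dig +short TXT _dmarc.<domain>` for DMARC) and pass the returned strings to `assess`. The “weak” sample above is a common real-world state: SPF and DMARC both published, yet nothing is actually rejected, which is exactly the gap a spoofed sender exploits.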

Email filters can also be extremely effective in detecting and blocking phishing emails, as they score each message on tell-tale signs such as the reputation of the sending domain and IP address, suspicious links or attachments, and certain trigger words.

We recommend speaking to your IT department or IT service provider to understand the extent of your law firm’s vulnerability to such an attack and, where necessary, ask them to recommend a plan of action to put in place the necessary protective measures.

Beyond any technical solutions, law firms can achieve a great deal with regular training. By understanding what is meant by phishing (and other types of cyber attack), what happens when someone falls prey to a phishing email, what such emails look like, when to exercise caution, and what to do when a suspicious email is received, the impact of a phishing attack can be avoided or reduced.

What Does The SRA Say About Avoiding Cyber-Attacks?

In November 2020, the SRA published guidance on how law firms should deal with information and cyber security. The report highlighted:

  • Staff who have not received cybercrime training are at the highest risk.
  • Most cybercrimes target people, usually by ‘phishing’
  • Staff who work from home might be at increased risk of cyberattacks and confidentiality breaches.
  • Firms regulated by the SRA are obliged to:
    o Have procedures for dealing with cyber risks.
    o Know when they need to report incidents to the SRA, to the Information Commissioner’s Office (ICO), and law enforcement.
  • Firms regulated by the SRA are advised, amongst other things, to:
    o regularly review and update their cyber risk assessment
    o have an independent assessment and certification of their cyber risks, such as Cyber Essentials Plus
    o put in place insurance to cover the costs associated with a cyber attack
    o provide staff training on cybercrime and information security, particularly on how to recognise phishing attempts
    o have a “no blame culture”
    o ensure “cloud-based” systems are secure

The SRA issued a further news release on 1 June 2022.

In general, it is to be hoped that where a law firm is the victim of a phishing attack, the SRA will not take disciplinary action if it is satisfied that a) no harm was caused, b) it was informed, c) the law firm has taken responsibility for what happened, and d) the law firm took any action necessary to prevent harm and further attacks.

Final Words

The phishing attack on the SRA highlights that no one is immune from cyber attacks. The SRA ultimately took its own advice: it notified those concerned and provided them with clear instructions. Whether the SRA will now review why this happened and put in place measures to prevent a recurrence remains to be seen.

We have been helping solicitors and other legal professionals with disciplinary and regulatory advice for 25 years. If you have any questions relating to an SRA investigation or an SDT appearance, please call us on 0151 909 2380 or complete our Free Online Enquiry.