Posts

Evidence of increased threat of email intrusion

Online fraud and theft have become widespread in recent years. Email in particular presents a growing risk as criminals identify ever more devious methods of persuading individuals and businesses to expose their confidential information.

The risk is highlighted in an article on the VaultConnect website; please click here for details. VaultConnect are partners of Safe4, and are working to reduce the risk of email intrusion for professional practitioners and other businesses across the United Kingdom. This article refers to 5 scams, of which number 3 is the particular case in point. Safe4 have stressed the importance of avoiding the use of email for some years, although in many sectors it is still used routinely to transfer confidential information in spite of the potential consequences of a breach under the terms of the Data Protection Act.

For more information on how the use of Safe4 can help your organisation to reduce cost and improve regulatory compliance and governance whilst enhancing customer service, please contact us.

Cyber crime is still soaring – and insecure email remains the weakest link

The scourge of email scams and phishing continues to rise relentlessly. Whilst some organisations have taken steps to protect themselves, many still use email to transfer confidential information to recipients both within and beyond their own domain. A recently-published article highlights this, and the risks to corporate governance that are involved.

Professional practitioners are among the worst offenders. Much of the information that they generate on behalf of their clients is highly confidential and is sent by email as an attachment. Not only does this expose their clients to the loss or theft of the data, it is inefficient and can ultimately lead to serious difficulties for the practitioners themselves. In the UK it is estimated that more than 70% of law firms, for example, still use open email to carry confidential client information.

Sometimes the clients themselves are a problem …

Accounting firms, for example, provide services for a wide range of different clients, everything from global corporates to the local butcher, baker and candlestick-maker. At the smaller end of this scale many clients are resistant to using secure information sharing services as they find it easier to simply receive financial information as an attachment to an email. Sometimes it is securely stored away, but often it is not, leading to repeated requests for the information to be re-sent by the accountant, multiplying the scale of the risk.

VaultConnect, partners of Safe4 Information Management, have expressed the consequences of these “can you just …” requests for information. Typically they result in an interruption of approximately 23 minutes to stop a current task, go and find the requested information, respond to the client, and then try to resume the task that has been interrupted. And the result of this is to expose both the client and the accountant to increased risk.

There are better and safer options

The Safe4 service has been designed explicitly to protect any organisation that needs to share confidential information with external or internal parties, whether it be in unstructured form (such as documents), or structured (data held in columnar format, similar to spreadsheets and simple databases). Manningtons, an accounting firm in Sussex, have recently chosen to significantly expand their use of Safe4 in order to protect themselves and their clients from loss or theft of sensitive information. Read about their experiences here. This approach has enabled Manningtons to enhance their compliance with both the Data Protection Act (which now embodies the recently-enacted European General Data Protection Regulation), and with the guidance issued by the Institute of Chartered Accountants of England and Wales. This guidance strongly advises accounting firms not to send confidential information to clients by email, even if the client has actually requested that they do so.

Safe4 utilises a highly secure vault to hold information relating to each client. This can be shared with the clients themselves, allowing two-way transfer of confidential documents and data. The very granular permissions provided by Safe4, as well as comprehensive audit trails and reporting functions, add further levels of protection to the professional practitioners as well as their clients.

Contact Safe4

For more information on how Safe4 can help your organisation to achieve enhanced levels of security and compliance with regulatory frameworks, please get in touch. We will be delighted to assist you.

Insecure email communication still causing huge losses through fraud

Recent news has highlighted once again the risks caused by using insecure email communication to transfer confidential information, as this article shows.

The effect of online theft is clearly devastating for those that have had their money stolen – in many cases these losses represent life savings and cannot be recovered. Cases of criminals posing as conveyancing solicitors, or alternatively hacking into private email accounts and falsifying bank account details so that the conveyancer transfers the proceeds from the sale of a property into a criminal’s account, have become much more frequent in recent years.

To allow conveyancers to be confident that they are transferring funds into the correct account, Safe4 are offering the use of their highly secure information transfer service, into which clients or indeed any other party can enter bank details directly into designated fields. This completely eliminates the risks posed by using insecure email communication to transfer this information. It is not only email that is insecure – hard copy post and voice communication also carry risks of their own.

Safe4 are also working with other organisations that have to transfer funds into a client account at the completion of a transaction. These include art galleries, auction houses, and others who may be selling assets on a client’s behalf.

In addition to the storage of all data in UK-only data centres accredited to ISO 27001, Safe4 have just completed another penetration test carried out by an independent UK Government accredited agency. Again this has confirmed the high levels of security offered by using Safe4 as the means of transferring confidential information between parties that are involved in high-value transactions. Compliance with the SRA guidelines for cloud computing gives conveyancers additional confidence that information is being transferred between parties with minimum risk.

For more information on how Safe4 can help your organisation to improve the protection of clients’ money, please contact us.

Safe4 Use-Case Paper: Secure Property Conveyancing

The Safe4 secure information delivery and storage service has been in use by law firms since 2010, but hitherto primarily in support of corporate and commercial property transactions. The introduction of the Safe4 Asset Register in May 2017 has brought new levels of functionality to the system, some of which can be applied to the process of secure property conveyancing.

How can law firms offer their clients better protection of their confidential information?

It is estimated that at least 70% of law firms in the UK use open email systems to transfer confidential information between external parties. This covers a very large number of information types in a variety of departmental activities. Residential property conveyancing, however, is one area where the use of insecure methods of information transfer has been exposed as a primary target for criminal activity.

When a lawyer is engaged by a client to handle the legal aspects associated with selling their home, the final act in the process is for the lawyer to transfer the sale proceeds from their firm’s client account to the client’s bank account. In most cases this is a simple process that is carried out without difficulty, but in recent years there has been an alarming increase in the level of criminal interception of email. It is common for the lawyer to request the client to provide the details of their bank account by email, by telephone, or by filling in a paper form and sending it back to the lawyer. All of these methods of delivery are potentially insecure, but there is mounting evidence that interception of emails and fraudulent alteration of the target bank details has become a major problem.

Impact on Professional Indemnity Insurance premiums

The existence of the problem has been recognised by the providers of professional indemnity insurance for law firms. Premiums are starting to increase steeply for those firms who use the traditional insecure means of obtaining clients’ bank account details.

Secure Property Conveyancing

The Safe4 Asset Register allows this risk to be eliminated. By opening a secure vault for each property transaction, and creating data fields into which basic bank account information – account number, sort code – can be entered directly by the client, the lawyer can offer the client a higher level of protection than has hitherto been possible.

After the client has entered their bank details, the conveyancer will receive an email automatically generated by Safe4 confirming that the information is available. Once the conveyancer has logged in, the information can be transferred safely into the internal systems used for handling client payments. There is of course the standard Safe4 audit trail facility associated with all activity, providing a strong evidential record of everything that has been done during the transaction.

If the Safe4 Application Programming Interface (API) is used, the bank account details can be transferred completely automatically into the law firm’s practice management or accounting systems, thus improving security and efficiency further.

UK Hosting

Because all Safe4 data is hosted in the UK in ISO 27001-accredited data centres, the professional practitioner can also take advantage of Solicitors Regulation Authority compliance. All of the activities of Safe4 are conducted under the law of England and Wales.

Safe4 Information Management have partnered with VaultConnect to offer best-in-class security for the systems that handle the transfer of confidential information between the professional practitioner and the client. This collaboration is now benefiting law firms throughout the United Kingdom, who are able to gain the advantage of the security of the Safe4 platform with the expertise and experience of the VaultConnect team.

More concern over the use of public email

Interference with personal email accounts has become a major source of fraud in the UK. Take a look at this alarming article. However, more than 70% of UK law firms are still communicating with clients via their clients’ personal email accounts, in many cases to carry highly confidential information such as bank account details when executing conveyancing transactions. Repeatedly, criminals are intercepting email messages to fraudulently change bank details, resulting in money being transferred to the wrong account – and innocent lives being ruined.

The Safe4 Asset Register has been designed to eliminate the risk of fraudulent interception of email. It allows clients to enter their banking information directly into one of the most secure sites on the Internet, and automatically notifies the conveyancer that the information has been provided. The lawyer can then log in and obtain the information, whilst audit trails record all of the details.

Not only does the Safe4 Asset Register eliminate a risk of major financial loss and severe reputational damage, but it enhances compliance with the SRA guidance on the use of cloud computing services. Furthermore, leading brokers in the Professional Indemnity sector believe that using facilities such as that offered by Safe4 will significantly slow down the recent dramatic rises in premiums.

Please contact us. We can help you to improve compliance and reduce risk.

Email phishing scams increasing rapidly – what is the answer?

Almost everyone who has an email account will have received large numbers of unsolicited emails from an unknown sender requesting that the recipient “click here” to gain access to a website or service that offers something of interest or value. Some of these are laughably inept, and are so obviously scams that they can be deleted immediately. However, an increasing number are from criminals who purport to represent a reputable and trusted party, often cleverly formatted in a way that makes it very difficult to differentiate between the scam and the real thing.

In 2015, the last full year for which there is appropriate data, instances of phishing emails of this type rose by 21% in the UK, as reported in the media by Silicon. As the article suggests, the organisations that have been falsely represented most often in the UK are BT, Apple and HMRC. The Apple emails in particular are very realistic. Clicking the link as requested will normally result in ransomware or some other form of malware being downloaded on to the recipient’s computer, leading to problems that can be very damaging and difficult to deal with.

Increasingly the criminals have turned their attention to banks and their clients, and social media services such as LinkedIn. Safe4 have recently worked with Investec, one of the financial sector’s most respected specialist banking and asset management service providers, to offer solutions to this ever-worsening problem. This involves using the Safe4 service to create a highly secure vault, into which clients can place their own important documents, and which can also be used as a means of distributing bank-generated documents to clients. It will thus become possible to inform clients that if any unsolicited email is received bearing the bank’s branding, it should be deleted immediately.

Investec, headquartered in Johannesburg, South Africa, also have a substantial presence in the UK and in other locations internationally. The Safe4 integration project was carried out by the Investec Digital team in Johannesburg, who worked closely with the Safe4 developers in the UK and South Africa. Investec are no strangers to innovation, and are constantly seeking ways to improve their clients’ banking experience, and importantly to increase the level of protection offered to clients.

Safe4 offers a highly secure facility for distributing documents to any recipient outside the sender’s own IT domain. Using UK-located data centres only, accredited to the ISO 27001 international security standard, Safe4 has been independently ranked among the 0.8% most secure sites on the internet, out of millions tested.

Contact us for more information on the Safe4 service, and for ideas on how using Safe4 can enhance the security of your communication with the outside world.

Personal email systems still being used to carry confidential information

It is no major surprise to learn that a major email service provider has been hacked – again – and that millions of people have had their personal information exposed to criminals. This is highlighted in an interesting article in The Times, published today.

What is still very unfortunate, however, is that a large number of professional practitioners in the UK are still failing to acknowledge that email is the leading source of computer crime and online fraud. Time and again personal financial information is being passed between lawyers and their clients, in residential property transactions for example, using the client’s personal email account. Repeated examples of these emails being hacked and bank account details being changed have not deterred some high-profile UK law firms from continuing this practice, irrespective of severe financial losses being experienced by their clients.

Also worrying is that it is common practice in some firms for lawyers and others to send confidential documents to their own private email accounts so that they can be worked on outside business hours or away from the office.

The Safe4 service was launched in 2010 to offer a highly secure alternative to email, not just for document transfer, but also for medium-term or permanent management of information. Based on UK-only storage in data centres that are accredited to the ISO 27001 international security standard, Safe4 offer a service that complies with the Solicitors Regulation Authority guidance on the use of cloud computing. Accessible at any time, from anywhere, it eliminates the need to trust confidential information to high-risk systems.

For more information on how Safe4 can assist your firm to minimise the risk of information loss or interception, please contact us.