When we think of information security breaches, we often blame weaknesses in technology. But in many of the most damaging security breaches, trusted law firm employees and partners are the weakest link.
An old email trick has resurfaced recently in the legal services arena. Fraudsters are using email to try to trick trustee office administrators, the people who actually move money, into wiring funds. Sending from a sham address that looks similar to one the administrator already knows, they request that money be sent immediately.
For example, an administrator working for a trustee whose email address is firstname.lastname@example.org receives a message from someone using an address very similar to the trustee's (such as email@example.com). The email instructs the administrator to quickly send money to a "familiar" entity by wire transfer. The request is urgent and offers no alternative contact information that would let the trustee office verify it or reach the trustee directly. Everything the fraudster needs to make the message plausible (names, roles, the firm's address format) is publicly available. While this example describes a bankruptcy services trustee, similar scams occur in all types of law firms and corporations.
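The look-alike address and the urgent wire request described above leave traces that can be checked before anyone picks up the phone. As an added example (not part of the original article), the following Python script applies those checks to a raw message: it flags a sender domain that is a homoglyph or typo of a trusted one, a Reply-To that routes the answer to a different domain (a From address can also be forged outright, which is why this second signal matters), and a body heavy with urgency and wire-transfer language. The trusted-domain list, the substitution table, the distance threshold and both sample messages are assumptions constructed for illustration.

```python
"""Triage checks for a suspected look-alike or spoofed sender (added example).

Assumptions: TRUSTED_DOMAINS is the office's own correspondent list, the two
messages at the bottom are constructed samples, and the thresholds are illustrative.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Domains the office actually exchanges payment instructions with (assumed).
TRUSTED_DOMAINS = {"example.org"}

# Words that appear together in almost every wire-fraud request.
URGENCY = re.compile(
    r"\b(urgent|urgently|immediately|right away|today|wire|transfer|confidential)\b",
    re.IGNORECASE,
)

# Substitutions fraudsters use to build a domain that reads like the real one.
LOOKALIKE_SUBSTITUTIONS = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
)


def normalize(domain: str) -> str:
    """Collapse common homoglyph tricks so 'exarnp1e.org' compares as 'example.org'."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of a header such as 'Pat <pat@Example.org>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def analyze(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(str(msg.get("From", "")))
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(normalize(from_domain), normalize(trusted)) <= 2:
                findings.append(f"look-alike sender domain {from_domain!r} imitates {trusted!r}")

    # A From header can be forged outright, so a mismatched Reply-To is a second signal:
    # the fraudster wants the answer routed to a mailbox they control.
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    words = sorted({w.lower() for w in URGENCY.findall(text)})
    if len(words) >= 2:
        findings.append("urgency/payment language: " + ", ".join(words))
    return findings


# Constructed sample: 'rn' stands in for 'm' in the domain, replies go elsewhere.
SUSPECT = """From: Pat Trustee <pat.trustee@exarnple.org>
Reply-To: pat.trustee@mail-relay.example.net
To: admin@example.org
Subject: Urgent wire today
Content-Type: text/plain; charset="utf-8"

Please send the wire transfer immediately to our vendor. This is urgent and
confidential; I am in meetings and cannot take calls.
"""

# Constructed sample: ordinary message from the real domain.
BENIGN = """From: Pat Trustee <pat.trustee@example.org>
To: admin@example.org
Subject: Hearing calendar
Content-Type: text/plain; charset="utf-8"

Attached is the hearing calendar for next month. Call me if anything conflicts.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, analyze(sample) or ["no flags"])
```

Run it and the constructed fraud sample produces three findings while the benign one produces none. The script is a triage aid for a mailbox or gateway rule, not a substitute for SPF, DKIM and DMARC enforcement at the mail gateway, and neither replaces calling the trustee back at a number already on file before any wire goes out.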
The careful staff member will recognize these bogus requests quickly. However, those less familiar with the risks of social engineering may be targeted, or may inadvertently be duped.
Social engineering is a type of malicious attack that relies on individual human interaction and our trusting human nature to trick people into breaking normal security procedures.
Phishing. The email example above is a targeted form of phishing, often called spear phishing or business email compromise. In a phishing scam, a malicious party sends a fraudulent email disguised as a legitimate one, usually purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information, sending money, or clicking a link that installs malware.
The PCI Security Standards Council reports that these attacks are increasingly at the heart of today's most serious breaches. By its count, every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally, 16 million of which get past spam filters, resulting in 8 million scam emails being opened.
Baiting. Another type of social engineering attack is called baiting. In a baiting attack, the aggressor leaves a malware-infected device, such as a USB flash drive, in a place where it is sure to be found. When a curious employee plugs it in, the malware runs on the firm's machine.
Pretexting. In yet another type of social engineering attack, called pretexting, one party invents a plausible story to gain access to privileged data. For example, a pretexting scam could involve an attacker who claims to need personal or financial data in order to confirm the identity of the recipient. Examples are the phony emails requesting that you update account information online, or the telephone scam in which the callers claim to be the IRS and demand an SSN, tax information or a wire transfer.
Email is a particularly lucrative tool for social engineers. According to a 2014 study by McAfee, 97 percent of people globally were unable to correctly identify every phishing email in a set of samples. And the FBI reports that in the United States alone there have been more than 7,000 victims and $747 million in losses from business email compromise, a specific type of social engineering fraud, since 2013.
Because attackers can forge the sending address, you can't always trust a message even when it appears to come from someone you know. Look at the content and tone of the message for these telltale signs:
The U.S. federal government online safety site, www.onguardonline.gov, offers examples of phishing scams and suggests the following actions when you suspect a phishing email:
If you suspect you’ve responded to a phishing scam with personal or financial information, Microsoft advises taking these steps to minimize any damage and protect your identity:
It's more important than ever to have systems and policies in place to help detect and deter this type of fraud. Since humans are "the weakest link" in the security chain, firm-wide education is the first step toward reducing risk. If your partners and employees are aware of the characteristics of risky emails, they will be more likely to recognize them and avoid becoming a victim. Education should be backed by a simple rule: no wire transfer or change of payment instructions is acted on until it has been confirmed by phone at a number already on file, never at a number supplied in the email itself.
Kristi Singal is the CEO of Financial Software Solutions, LLC, a Houston-based software company that provides cloud-based enterprise software to professionals across the United States. FSS also provides a suite of web-based apps for legal professionals through its BlueStylus division, which includes case management, time and billing, and document sharing solutions.