When we think of information security breaches, we often blame weaknesses in technology. But in many of the most damaging security breaches, trusted law firm employees and partners are the weakest link.
An old email trick has resurfaced recently in the legal services arena. Fraudsters attempting to take advantage of the unwary use email to try to trick trustee office administrators. Using sham email addresses that look similar to a familiar one, they send requests to trustee administrators to send money immediately.
For example, an administrator working for a trustee with an email address of email@example.com receives a message from someone using an email address very similar to the trustee’s address (such as firstname.lastname@example.org). The email instructs the administrator to quickly send money to a “familiar” entity by wire transfer. The email request will be urgent and offer no alternative contact information that would allow the trustee office to verify the request or to contact the trustee. The information used by the fraudster is publicly available. While this example describes a bankruptcy services trustee, similar scams occur in all types of law firms and corporations.
The careful staff member will recognize these bogus requests quickly. However, those less familiar with the risks of social engineering may be targeted, or may inadvertently be duped.
What Is Social Engineering?
Social engineering is a type of malicious attack that relies on individual human interaction and our trusting human nature to trick people into breaking normal security procedures.
Phishing. The email example above is called phishing. In a phishing scam, a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
The PCI Security Standards Council reports that these sneaky attacks are increasingly at the heart of today’s most serious cyber hacks. Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally — 16 million of which circumvent spam filters — resulting in 8 million scam emails being opened.
Baiting. Another type of social engineering attack is called baiting. In a baiting attack, the aggressor leaves a malware-infected device, such as a USB flash drive, in a place where it is sure to be found. That device, when plugged in, kicks off a malware attack.
Pretexting. In yet another type of social engineering attack, called pretexting, one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient. Examples are the phony emails requesting that you update account information online or the telephone scam in which the attackers claim to be the IRS requesting an SSN, tax information or wire transfers.
Email is a particularly lucrative tool for social engineers — according to a 2014 study by McAfee, 97 percent of people globally were unable to correctly identify phishing emails. And the FBI reports that in the United States alone, there have been more than 7,000 victims and $747 million in losses as a result of business email compromise — a specific type of social engineering fraud — since 2013.
How to Recognize a Phishing Scam
Because hackers can spoof a sending address, you can’t always trust a message, even if it appears to come from someone you know. Look at the content and tone of the message for these telltale signs:
- Alarmist statements and threats of account closures.
- Promises of money for little or no effort.
- Deals that sound too good to be true.
- Requests to donate to a charitable organization after a disaster that has been in the news.
- Bad grammar and misspellings.
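The sham-address pattern from the trustee example and the telltale signs listed above can both be checked mechanically before a request is acted on. The following Python is an added example, not code from the article; the known-contact address, the sample message and the keyword lists are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: addresses the trustee office already knows and trusts.
KNOWN_CONTACTS = {"admin@trustee-example.com"}
# Phrases matching the article's telltale signs (urgent money, account threats, easy money).
RED_FLAG_PATTERNS = {
    "urgent wire request": r"\b(wire|transfer)\b.*\b(immediately|today|urgent|asap)\b",
    "threat of account closure": r"\baccount\b.*\b(closed|suspended|terminated)\b",
    "too good to be true": r"\b(prize|won|free money|inheritance)\b",
}

def lookalike_of(sender, known=KNOWN_CONTACTS, threshold=0.8):
    """Return the known address a sender resembles, or None for an exact or unrelated one."""
    # An exact match is trusted; a merely similar address (one character or one
    # top-level domain away) is the sham-address pattern the article describes.
    _, addr = parseaddr(sender)
    addr = addr.lower()
    if addr in known:
        return None
    for real in known:
        if SequenceMatcher(None, addr, real).ratio() >= threshold:
            return real
    return None

def assess_message(from_header, body):
    """Return the reasons a message should be verified out of band before acting on it."""
    reasons = []
    impersonated = lookalike_of(from_header)
    if impersonated:
        reasons.append(f"sender resembles known contact {impersonated}")
    text = body.lower()
    for label, pattern in RED_FLAG_PATTERNS.items():
        if re.search(pattern, text, re.DOTALL):
            reasons.append(label)
    # The article notes the fraudulent request offers no way to verify it:
    # a money request with no phone number or invitation to call is suspect.
    if "wire" in text and not re.search(r"\b(call|phone|\d{3}[-.]\d{3}[-.]\d{4})\b", text):
        reasons.append("no independent way to verify the request")
    return reasons

# Constructed sample message mirroring the trustee scam in the article.
SHAM_FROM = "Trustee Office <admin@trustee-examp1e.com>"
SHAM_BODY = ("Please wire $48,500 to the settlement account immediately. "
             "It must go out today; I am in meetings and cannot be reached.")

if __name__ == "__main__":
    for reason in assess_message(SHAM_FROM, SHAM_BODY):
        print("flag:", reason)
```

A flagged message is not proof of fraud; it is the cue to confirm the request by phone using a number the office already has on file, never one taken from the message.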
What to Do If You Suspect an Email Is Phishing
The U.S. federal government online safety site, www.onguardonline.gov, offers examples of phishing scams and suggests the following actions when you suspect a phishing email:
- Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords). Legitimate companies don’t ask for this information via email or text.
- Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites — sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
- Be aware that area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a “refund.” But a local area code doesn’t guarantee that the caller is local.
What to Do If You Suspect Your Firm Has Been a Victim of a Financial Scam
If you suspect you’ve responded to a phishing scam with personal or financial information, Microsoft advises taking these steps to minimize any damage and protect your identity:
- Change the passwords or PINs on all your online accounts that you think might be compromised.
- Place a fraud alert on your credit reports. Check with your bank or financial advisor if you’re not sure how to do this.
- Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.
- If you know of any accounts that were accessed or opened fraudulently, close those accounts.
- Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn’t initiate.
How Law Firms Can Reduce Risk
It’s more important than ever to have systems and policies in place to help detect and deter this type of fraud. Since humans are “the weakest link” in the security chain, firm-wide education is the first step toward reducing risk. If your partners and employees are aware of the characteristics of risky emails, they will be more likely to recognize them and avoid becoming a victim.
Kristi Singal is the CEO of Financial Software Solutions, LLC, a Houston-based software company that provides cloud-based enterprise software to professionals across the United States. FSS also provides a suite of web-based apps for legal professionals through its BlueStylus division, which includes case management, time and billing, and document sharing solutions.