Risk and Your Law Practice
Beware of Phishing! Social Engineering Scams
Some time ago I was stunned by a discussion with a law firm that had almost been scammed into sending several hundred thousand dollars overseas. The incident involved what turned out to be a fraudulent check from a “client” and a request to transfer funds.
What floored me was the firm’s response to the situation.
As we talked about what happened, the lawyers recognized they were fortunate to have listened to their firm administrator’s advice to not release any funds until the deposited check cleared. But even after the check did bounce, they felt unable to do anything about it, or have the situation investigated, because of a perceived attorney-client relationship and the loyalties they believed flowed from that. The scammers had invested enough time in becoming involved with the firm that, even after nearly being taken in, the lawyers felt confidentiality trumped. Wow. Whoever was behind that scam knew what they were doing.
I wish I could say this particular story was unusual, but I can’t. In the years since, these types of scams have only gotten more frequent and sophisticated, and it’s all owing to social engineering.
The Psychological Manipulation
Social engineering, in the context of cybercrime, is about the non-technical aspects of the crime. It’s the use of psychological manipulation to trick people into doing something that isn’t going to be in their best interests. The goal may be to obtain confidential information, steal personal identities or money, gain access to computer network resources — and the list goes on.
These attackers have any number of methods at their disposal. If the goal is to insert some rogue software on your computer network, perhaps they leave a flash drive in the parking lot or send a free digital music player to a “lucky winner,” who happens to be a member of your staff. Of course, once the device is connected to your network, to see what’s on the flash drive or to start enjoying that unexpected prize, your network is compromised. This type of attack is called baiting.
Other methods include, but are by no means limited to, fake callbacks from technical support, where the attacker randomly calls numbers at a business until someone falls prey; pretexting, where the scammer impersonates a bank employee, tax authority, insurance investigator or the like to trick someone into disclosing information; and phishing.
Phishing is something we all need to know more about because of the sheer number of phishing attacks.
Phishing is the criminal attempt to trick another into providing personal or sensitive information such as a birth date, address, credit card number or user name and account password by requesting a response to an email or text message. Many of us have a sense of this general approach and would delete an email that says our bank account will be closed unless we open the attachment, or unless we click on some link to verify our log-in credentials, simply because the email obviously doesn’t come from our bank. But what if the email does purport to be from the correct bank, replicates the look of the bank’s website and has all the correct, official logos? What if, instead of asking you to verify log-in credentials online, the email instructs you to call a number and the automated system that answers asks for your credentials?
Phishing attacks have become very sophisticated. Not only are the above examples real, there are many other approaches out there. I personally have received an email purportedly from a close friend, stating that he had his wallet stolen, was stuck in London and was hoping I would wire some money to help him return to the States. I have received email that claimed to be from Microsoft, wanting me to know about a serious security problem in their software and advising I immediately click a link to download the necessary update so that I would remain secure. Honestly, I almost fell for that last one; the email’s level of sophistication was that good.
In truth, the possible variations on phishing attacks seem to be limited only by the imagination and programming skills of the criminals behind them. Unfortunately, we’ll keep seeing these attacks, and they’ll continue to evolve, because they work.
Training and Other Prevention Tips
Hopefully, you now have a sense of how ugly the situation has become. The upshot is that it’s time to get in front of the problem because no one else is going to take care of it for you. It simply isn’t possible for your IT support to protect your systems from all phishing attacks because the attacks are directed not at hardware, but at the people who use your systems, including you.
The good news is there are a few things all of us can do to protect our personal information as well as our client confidences and it begins with training. Everyone in your firm should be made aware of the nature of phishing attacks and learn how to spot them. You can use online resources as training tools, such as this Windows Safety & Security Center post, this Wikipedia entry and this Ten Tips for Spotting a Phishing Email post on TechRepublic.com. If you have in-house IT, have them provide an in-house seminar on phishing and other online hazards.
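The warning signs the post describes (a sender address that merely resembles the bank’s, link text showing one address while the link goes somewhere else, an urgent demand to “verify” credentials) can be written down as a checklist and run against a message. The script below is an added training aid, not code from the original post or from ALPS; the trusted-domain list, the keyword lists and the three sample messages are all constructed for the example, and it is meant for a classroom walkthrough rather than as a replacement for the mail filtering your IT staff provide.

```python
import re
from urllib.parse import urlparse

# Domains the firm actually does business with (constructed list for this example).
TRUSTED_DOMAINS = {"firstbank.example", "microsoft.com"}

# Phrases that signal pressure and phrases that ask for secrets (constructed lists).
URGENCY_WORDS = ("immediately", "within 24 hours", "will be closed", "suspended", "urgent")
CREDENTIAL_WORDS = ("password", "log-in", "login", "credentials", "verify your account")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")
URL_LIKE_RE = re.compile(r"(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?")


def domain_of_address(addr):
    """Domain part of a header such as 'Alerts <alerts@firstbank.example>'."""
    m = ADDR_DOMAIN_RE.search(addr)
    return m.group(1).lower() if m else ""


def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for the sample data."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_lookalike(domain):
    """Return the trusted domain this one imitates, or None if it is genuine or unrelated."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None  # the real thing or one of its subdomains
        if trusted.split(".")[0] in domain:
            return trusted  # carries the brand name but is not the brand's domain
    return None


def phishing_indicators(msg):
    """Return human-readable warnings for one message dict (from, reply_to, subject, body_html)."""
    findings = []
    from_domain = domain_of_address(msg.get("from", ""))
    reply_domain = domain_of_address(msg.get("reply_to", "") or msg.get("from", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    impersonated = looks_like_lookalike(from_domain)
    if impersonated:
        findings.append(f"Sender domain {from_domain} resembles trusted domain {impersonated}")

    body = msg.get("body_html", "")
    for href, text in ANCHOR_RE.findall(body):
        link_host = (urlparse(href).hostname or "").lower()
        visible = re.sub(r"<[^>]+>", "", text).strip().lower()
        if URL_LIKE_RE.fullmatch(visible):
            # Link text that itself looks like an address must point at that address.
            shown_host = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
            if registrable(shown_host) != registrable(link_host):
                findings.append(f"Link text shows {shown_host} but points to {link_host}")
        elif looks_like_lookalike(link_host):
            findings.append(f"Link target {link_host} resembles a trusted domain")

    plain = re.sub(r"<[^>]+>", " ", body).lower()
    if any(w in plain for w in URGENCY_WORDS) and any(w in plain for w in CREDENTIAL_WORDS):
        findings.append("Body combines urgency with a request for credentials")
    return findings


# Constructed sample messages used to exercise the checker; none is real mail.
SAMPLE_MESSAGES = [
    {   # genuine statement notice
        "from": "Alerts <alerts@firstbank.example>",
        "reply_to": "",
        "subject": "Your monthly statement is available",
        "body_html": 'Your statement is ready. Sign in at '
                     '<a href="https://www.firstbank.example/statements">www.firstbank.example</a>.',
    },
    {   # lookalike sender, mismatched Reply-To, deceptive link, urgency plus credential request
        "from": "First Bank Security <security@firstbank-secure.example>",
        "reply_to": "helpdesk@mail-verify.example",
        "subject": "Account will be closed",
        "body_html": 'Your account will be closed unless you verify your account immediately. '
                     '<a href="http://login.mail-verify.example/">www.firstbank.example</a>',
    },
    {   # "security update" lure with a plain-text link label
        "from": "Microsoft Support <update@microsoft-updates.example>",
        "reply_to": "",
        "subject": "Critical security update",
        "body_html": 'A serious security problem requires you to click '
                     '<a href="http://microsoft-updates.example/patch">here</a> immediately and confirm your login.',
    },
]


def scan_all(messages):
    """Map each subject line to its list of warnings."""
    return {m["subject"]: phishing_indicators(m) for m in messages}


if __name__ == "__main__":
    for subject, warnings in scan_all(SAMPLE_MESSAGES).items():
        print(f"{subject}: {len(warnings)} warning(s)")
        for w in warnings:
            print("  -", w)
```

Run as written, the genuine statement notice produces no warnings, the “account will be closed” message trips all four checks, and the fake update notice trips three. The value in a training session is less the script than the discussion of each rule: why a Reply-To that differs from the From address matters, why a brand name inside an unfamiliar domain is not the brand, and why link text and link target are two different things.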
In addition, here are other steps:
- Keep all software updated with critical security patches as they become available.
- Use reputable antivirus tools as well as spyware identification and removal tools on all computers that are part of the office network — and don’t overlook remote and mobile computers such as home computers, personal laptops, and computer tablets.
- Check with your IT staff or consultant to see if you are running the most current version of your Internet browser. If your browser has anti-phishing capabilities built in, make certain this functionality is enabled on all devices that are on the network or that log in to the network remotely.
That said, the most important piece of advice is to remember that no matter how sophisticated your security systems and tools are, the user will always remain a vulnerability. Awareness and training will continue to be key and should occur on a semiannual basis to keep the issue front and center. Everyone in your firm needs to be on the lookout for phishing emails or text messages because law firms have a significant amount of valuable data on their computer systems that scammers want.
Yes, lawyers can be a trusting bunch; but as I shared at the beginning of this post, that attribute doesn’t always serve us well.
Mark Bassingthwaighte is Risk Manager for ALPS Property & Casualty Insurance Company (ALPS), a leading provider of Lawyers’ Professional Liability Insurance. In his tenure with the company, he has conducted over 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the U.S., and written extensively on risk management and technology. Mark received his J.D. from Drake University Law School and can be contacted at email@example.com.
Illustration © iStockPhoto.com/Agustinc