How To Spot Phishing In A Legal Firm

By

on

Phishing image_Afinety, Inc.

Alert: Phishing Methods That Law Practices Need To Know

Everyone has experienced phishing in some way, whether through a phone call from an obscure agency, a letter claiming its recipient won a contest he or she didn’t enter or an urgent email either offering a fortune or threatening legal action. Phishing is one of the oldest scams in existence, and this is what makes it so dangerous.

With powerful new ransomware being developed by cybercriminals, some may believe that all cyberattacks are increasingly sophisticated, but this is only partly true. Phishing today is more cunning than it was years ago, but it still operates on the same simple principle: trick the user into a response. With legal firms handling so much confidential data, they cannot afford to ease up on phishing. Firms don’t need to be hit with ransomware like WannaCry to suffer a breach.

Phishing Is Evolving

Phishing isn’t what it was even five years ago. The days of the Nigerian Prince are largely over. These cyberattacks depended on malicious attachments to infiltrate a secure network. Thanks to providers like Google and Microsoft, however, these emails were increasingly filtered to spam folders. The suspicious attachment, especially from an unknown source, was easy to detect.

In order for phishing to work, the recipient first needs to see it. Recent Proofpoint research has uncovered a switch in phishing tactics. Phishing emails are now far less likely to use the filter-catching attachments, opting instead for emails with dangerous hyperlinks and attached archives like compressed Javascript files. This change is designed to beat the automatic filters and deliver the message into a regular inbox where it has a much higher chance of being read.

This change also allows phishing to deliver far more than ransomware and malware. Adware, banking trojans and generalized information theft are now possible through these malicious messages.

Phishing can be used to deliver a host of unfriendly software into a network, or to steal confidential employee information.

Why Comprehensive Employee Training Matters

One of the most dangerous aspects of phishing is that every employee is at risk. Cybercriminals can target executives, assistants and everyday employees once they have the right email address. It only takes a breach at one level to potentially expose an entire network.

Take this real world example: an HR officer preparing the office W2s. This officer receives an urgent email from the CEO (or at least from a very similar email address), stating that there’s been a problem and HR must email the W2s back right away, so that they might be fixed. The tone of the email implies that the problem is severe and that immediate action must be taken. Given that it’s the boss, why hesitate?

In this instance, personal identifying information of not just the HR rep but the entire staff has been exposed. Life-crippling data like Social Security Numbers are now in malicious hands that can use the information for a variety of nefarious deeds.

Phishing can also retrieve passwords, usernames and a host of other information that can enable network access. Many legal firms operate on older systems, ones created before the principle of least privilege, software construction designed to limit employee access to only the files they need, was widely implemented. This means that an assistant might have full access to case files and other sensitive data.

“Most successful phishing attacks are designed to look like emails the recipient is expecting.”

The Telltale Signs Of Phishing

According to Verizon’s 2017 data breach report, roughly a third of phishing emails are opened. Organizations cannot be dismissive of any kind of cyberattack that has this level of success. While phishing has evolved, the benefit is that it has retained certain common characteristics. This makes the malicious messages easy to spot, so long as an individual knows what to look for.

A Wombat security report claimed that the most successful phishing attacks were, unsurprisingly, designed to look like emails the recipient was expecting. That HR example was one such instance. This practice, known as spear phishing, is designed to camouflage into the regular inbox traffic. However, the email – while similar – will always be at least slightly different.

Be weary of suspicious domain names. For example: LawCEO@Firm.com may be real but LawCEO@Firm.com.co is likely malicious.

Instruct staff and partners to never click on an embedded link from an unknown source, even if the email looks legitimate. Employees should also be weary of any correspondence containing multiple spelling or punctuation mistakes. Hackers rarely have the same commitment to standards that corporations do.

Lastly, train all staff to beware of any messages with intimidating or overly urgent tones. Phishing schemes are designed to make a person act first and think later. It is not uncommon for these malicious messages to threaten legal action or firing in an attempt to force an immediate response. Employees should be advised to contact a supervisor if they ever feel threatened before responding to an email.

Phishing tones are typically charged, whether ecstatic or enraged. They are trying to discourage rational thought.

How A Cloud Solution Helps

Unfortunately, many legal firms do not have the budget to retain a full time information security specialist to monitor for phishing schemes and keep employees up to date on cybersecurity trends. Many do not even have the resources to fully meet all cybersecurity needs.

In an increasingly dangerous technological landscape, legal firms can feel like little fish in a very large pond. However, passing off data solutions to a trusted cloud provider can help. Cloud companies typically have much more in the way of resources to help prevent data breaches. Companies like Microsoft annually invest $1 billion in cybersecurity research, according to Reuters.

At Afinety, we take all aspects of cybersecurity seriously. Our cloud platform has been tailored to the legal industry, making sure all of your needs are met. As phishing and other cyberattacks continue to evolve, so will our product. Contact Afinety today to learn exactly how our experts and software can help your firm.