Some time ago I was nearly stunned by a conversation with a few lawyers who had almost been scammed into sending several hundred thousand dollars overseas. While we all were pleased that the scam was recognized in time, I was floored by their response to what had happened. In talking about it, the lawyers acknowledged that they were fortunate to have listened to the wisdom of their firm administrator when they agreed to wait to release any funds until the deposited check had actually cleared. Yet, oddly enough, after the check finally did bounce these lawyers felt unable to do anything about it due to a perceived attorney-client relationship and the loyalties they believed flew from that. Apparently the scammers had invested enough time and become so involved with the firm that even after nearly being taken in, the lawyers still believed confidentiality trumped. They were hesitant to even consider having the situation investigated. Wow. Whoever was behind that scam knew what they were doing.
I wish that I could say this particularly story was an unusual situation and that lawyers needn’t worry but I can’t. In the years since, these types of scams have only gotten more frequent and more sophisticated and it’s all about social engineering. For the uninitiated among us, social engineering has nothing to do with a group of happy outgoing guys that get to put on those great blue and white stripped hats before heading out to drive their trains. Social engineering in the context of cybercrime is really about the use of psychological manipulation to trick a person into doing something that isn’t going to be in their best interests. The goal may be to gain access to confidential information, to steal personal identities or money, to gain access to computer network resources, and the list goes on.
An attacker has any number of methods at his or her disposal. If the goal is to insert some type of rogue software onto a computer network, perhaps they leave a USB flash drive in the parking lot or send a “lucky winner” a free digital music player. Of course once the device is connected to the network, in order to see what’s on the flash drive or to start enjoying that unexpected prize, the network is now compromised. This type of attack is called baiting, and law firms are not immune. Other attack methods include, but are by no means limited to, fake callbacks from technical support where the attacker randomly calls numbers at a business until someone falls prey; pretexting where the scammer impersonates a bank employee, tax authority, insurance investigator, etc. to try and trick someone into disclosing information; and phishing which is something we all need to know more about due to the sheer number of phishing attacks occurring.
First the basics, phishing is the criminal attempt to trick another into providing personal or sensitive information such as a birth date, their address, a credit card number, or their user name and password to some account typically by requesting a response to an email or text message that the scammer has sent. Many of us have some sense of this general approach and would just delete an email that says our bank account will be closed unless we open the attachment or click on some link in order to verify our logon credentials simply because the email came from the wrong bank. But what if the email does purport to be from the correct bank? What if the email looks exactly like the bank’s website and has all the correct official logos? What if, instead of having you verify login credential online, the email asks you to call a number and the automated system that answers asks for your login credentials?
Phishing attacks have become very sophisticated. Not only are all of the above examples real, there are many other approaches out there. Who hasn’t received one of those important emails informing you of a change in the delivery schedule of your UPS package or letting you know your eBay or email account is about to be closed unless you verify your credentials? I have personally received an email that appeared to be from a close friend stating that he had had his wallet stolen and was stuck in London. He was hoping I would wire some money to help him return to the States and he would pay me back upon his return. Then there was the one claiming to be from Microsoft. They wanted me to know about a serious security problem in their software and suggested I immediately click a link to download the necessary update so that I would remain secure. Honestly, I almost fell for that one. The level of sophistication with the Microsoft email was that good. In truth, the possible variations on phishing attacks seem to only be limited by the imagination and programming skills of the criminals behind them. Unfortunately, we’ll keep seeing these attacks and they’ll continue to evolve because they work.
Hopefully you now have a sense as to how ugly the situation has become. In my opinion, all lawyers need to be more proactive with computer security because the real risk comes from all who use your systems including yourself. Please understand that the security hardware and software in place at your firm is the last line of defense. It is you and your users that are on the frontline. It’s time to get in front of the problem because no one else is going to take care of it for you. It simply isn’t possible for your IT support to protect your systems from all phishing attacks because these attacks are directed at people not hardware or software. The good news is that there are a few things we can all do to protect our personal information as well as our client confidences and it begins with training. Everyone within your firm should be made aware of the nature of phishing attacks and learn how to spot them. Use online resources as training tools such as this Windows Safety & Security Center post, this Wikipedia entry, or this Ten Tips for Spotting a Phishing Email post on TechRepublic.com. If you have in-house IT, invite them to provide an annual in-house seminar on phishing and other online hazards.
In addition to training, keep all software updated in terms of critical security patches as they become available. Use reputable antivirus tools as well as spyware identification and removal tools on all computers that are part of the office network and don’t overlook remote and mobile computers such as home computers, personal laptops, and computer tablets. Check with your IT staff or consultant to see if you are running the most current version of your Internet browser. If your browser has anti-phishing capabilities built in make certain that this functionality is enabled on all devices that are on the network or that login to the network remotely. That said, the most important piece of advice is to remember that no matter how sophisticated the security systems and tools that are deployed are, the user will always remain a vulnerability. Awareness and training will continue to be key and should occur on a semiannual or annual basis in order to keep the issue front and center. Everyone at your firm needs to be on the lookout for phishing emails or text messages because law firms are a target for scammers. Lawyers have a significant amount of valuable data residing on their computer systems that scammers want. Yes, lawyers can be a trusting bunch; but as I shared at the beginning of this piece, that attribute doesn’t always serve us well.