Keeping things secure is at the forefront of most thoughts and actions by lawyers and law firms. The practice of law by nature encircles the handling of sensitive and protected data; Therefore, it is the responsibility of all legal professionals to protect the data they have and are provided to the best of their ability.
Taking precautionary measures, staying up to date on potential security threats, and enacting security plans and protocols within legal practices are responsible and essential measures that should be taken. With technology continuously changing and developing, and with the use of technology becoming more prevalent in law, there’s a greater chance of lawyers and their clients becoming victim to cybersecurity threats; One of these threats being that of phishing.
Phishing was reported to be the top threat in security by those in high-level positions in IT; And, in 2018 there were reported phishing attacks by 62% of businesses. Phishing has become a pretty substantial problem for businesses and in particular law firms. According to a recent Law.Com article, “...data security experts said phishing schemes are the most common threat to law firms right now.”
So, what is phishing exactly? And, why is it such a considerable threat to law firms? Below, we’ll take a closer look at what phishing emails are, how they impact the legal industry, and how they can be recognized.
What are Phishing Emails?
As Cisco Systems explains, ”Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim’s machine.”
Essentially, phishing can be conducted through smartphones, computers, tablets - any smart device that offers a means of communication, such as email or texting. The hacker will send a message to the victim, pretending to be someone else or a trusted company, and then proceeds to request private and confidential information from the victim that can then be used in fraudulent attempts. Sometimes, links clicked on in phishing emails can also download malware or viruses.
How Has Phishing Affected the Legal Industry?
According to an ABA report on cybersecurity in 2018, law firms are often viewed as “one-stop shops,” according to the FBI; This is because law firms not only hold large amounts of private data, but the data is on many different clients. In the ABA’s 2018 Legal Technology Survey Report, the number of reported cybersecurity breaches is staggering:
- 14% of solo firms reported breaches in 2018
- 24% of small law firms with 2-9 lawyers reported breaches in 2018
- 24% of small law firms with 10-49 lawyers reported breaches in 2018
- 42% of small law firms with 50-99 lawyers reported breaches in 2018
During a 2018 Futures Conference, speakers reported that law firms experience a particular weakness when it comes to emails due to phishing encompassing one of the more common cybersecurity threats experienced within the legal industry.
One example of a substantial security breach caused by phishing occurred in 2017 with the Jenner and Block law firm. During this incident, hundreds of employees, both former and current, had their tax forms exposed. This was a direct result of employees transmitting their information due to a fake request appearing to be from law firm management.
What Are the Different Types of Phishing and What Gives them Away?
In this case, knowledge of and familiarity with the different types of phishing attacks possible can make all the difference. To begin, there are five different phishing categories:
- Whaling - Whaling is a type of phishing attack that targets upper management within companies specifically, such as CEOs and CFOs.
- Spear Phishing - One of the most common forms of phishing, spear phishing targets users individually, often following social media and web research on the user.
- Vishing - This form of phishing is conducted verbally through phone calls.
- Search Engine Phishing - Search engine phishing is done by way of fake websites and links that can lead to malware downloads or the giving of private information to hackers.
- Smishing - Smishing is essentially SMS or text phishing. Texts with malicious links are sent, or private data is prompted to be given.
Within the five main categories, there are 14 different types of phishing attempts commonly seen:
- Brand Impersonation - This type of phishing attack is conducted by the hacker, pretending to be a company and sending a large batch of emails to victims with similar demographics and preferences.
- Email Spoofing - Email spoofing is done by impersonating people or companies that the victim is familiar with through email and asking for personal information and data.
- URL Phishing - This is phishing conducted through links that can then infect the user’s device once clicked on.
- Pop-Ups - Hackers can conduct phishing through pop-ups that appear when users visit specific webpages and will ask for pertinent information or redirect to a fake website.
- Subdomain Attacks - This is done through message or email and provides a fake link requesting the victim click to provide or confirm urgently needed information.
- Website Spoofing - This type of phishing is performed by hackers imitating real websites and URLs to trick victims into clicking malicious links or providing their personal information.
- Search Engine Attack - Victims are fooled by fake click ads displayed on search engine results through this type of phishing. Victims are prompted to give out personal information through the link or can download malicious software.
- Man-in-the-Middle - This is an especially devious phishing form in which the hacker intercepts communications between the victim and another party in order to steal information.
- Scripting - This type of phishing is conducted by way of a coding script enacting through a legitimate website and then redirecting the user to a fake page.
- Clone Phishing - This is conducted by the hacker copying a real email sent or received and then inserting a fake attachment or link to steal information.
- Voice Phishing Attack - This version of phishing is conducted through phone calls. It encompasses the fraudulent impersonator calling the victim and pretending to be a trusted company or bank in order to gain private information or direct the victim to conduct specific actions (such as transferring funds).
- Image Phishing - In image phishing, hackers embed or attach malicious viruses into images that can then be activated once the victim clicks on them or downloads them.
- Malware Injection - This type of phishing is specifically centered around getting a victim to download viruses and other malware through emails in order to steal information, launch attacks, or otherwise hijack their system.
- CEO Fraud - In this type of phishing, hackers pretend to be trusted persons in charge, like CEOs or COOs and then request information of victims.
While phishing attempts are often cleverly disguised, certain key giveaways can help potential victims recognize them. Here are a few:
- Erroneous spelling and/or grammatical errors
- A general ”pushy” or insistent tone
- Use of general introductions, instead of personal ones
- An offer of free items or services
- A claim of an account issue or suspicious activity and a request to fix it
- A request to confirm personal information or financial information
Steps to Prevent Phishing Attacks
In a FindLaw article discussing the vulnerability of law firms to phishing attacks, a 250ok study on emails showed that 62% of law firms aren’t doing enough to protect their firm's email communication. Furthermore, according to the 250ok report, an astonishing 91% of cyberattacks are a result of phishing attacks. So, what can lawyers and law firms do to change these numbers? Here are some tips:
- Stay Up-to-Date - Ensure that all legal staff and employees are kept up-to-date on different types of phishing techniques to look for.
- Browse Safely - Use internet browsers that have pre-installed anti-phishing toolbars; Most come equipped with this these days. It’s also important to ensure that all browsers used firm-wide are updated regularly.
- Beware of Links - Be careful when clicking on things and discourage staff from clicking too quickly. Hovering briefly over links to view more information or questioning when personal data is being asked for can make all the difference.
- Install Firewalls - Both network and desktop firewalls should be used firm-wide to help block and identify phishing attacks; This can be done through software or various hardware. IT professionals can be beneficial in ensuring that firewalls are installed and running smoothly.
- Avoid Clicking on Pop-Ups - Pop-up blockers should be used to ward off unwanted or malicious pop-ups that could be phishing attacks. When pop-ups do come through that appear suspicious, nothing within the box must be clicked, and the “x” in the top right corner should be clicked instead, or the window is closed through the task manager.
What to Do In Case a Phishing Attack is Believed to Have Occurred
If a phishing attack is known or suspected and resulted in data loss or theft, lawyers and law firms must act quickly. In fact, they are obligated to do so both morally and legally. When the discovery of a phishing attack is made, lawyers are expected to act quickly and investigate thoroughly. All clients and parties involved should be notified immediately of the breach, and be provided with information on steps being taken to repair the issue. Once repairs have been conducted following the attack, lawyers and law firms are then encouraged to revise firm security plans and consider hiring IT services to help prevent a similar attack from happening again.
When it comes to phishing attacks, staying informed, cautious, and taking evasive and defensive actions are vital to protect law firms and their clients. As law firms continue to ease their way further into technology use, hopefully, the numbers indicative of data breaches will go down as better security practices and precautions are taken.