Phishing in the Legal Sector
The legal sector is a prime target for phishing attacks. According to FBI statistics, phishing was the most common cyber-attack. It doubled from 114,702 incidents in 2019 to 241,324 incidents in 2020. While phishing targets many industries, the legal sector is one of the most lucrative targets because of the amount of sensitive information that legal firms handle. This includes medical, financial, and merger and acquisition (M&A) data and other personal client information. Failure to protect against these attacks can have dire consequences for law firms, including a damaged reputation, lost client trust, regulatory penalties, impeding ongoing cases and overall loss of business operations.
How Does a Phishing Scam Work
A phishing scam is a type of social engineering in which the attacker attempts to manipulate the recipient into performing a malicious action. This is usually done by the attacker pretending to be a legitimate source or someone the recipient already trusts. Let's look at some of the tactics hackers use to perform phishing attacks:
1) Leveraging Publicly Available Information
Hackers use publicly available information to make phishing attacks more convincing. Through online research, a hacker can find out who the target reports to, the target's likes and dislikes, internal company information, contact details and more. This information is invaluable for a hacker when crafting a convincing phishing email.
2) Choosing Specific Targets
To make the attack more effective, rather than simply sending out a mass spam of emails, attackers will sometimes create tailored attacks targeted towards specific individuals. This is referred to as spear phishing, which is far more effective than generic phishing attacks. These attacks focus on targets considered high value or easier to compromise, such as new employees, upper management, third-party vendors etc.
3) Building Rapport With the Targets
This technique tries to build trust between the attacker and the victim so that the target will more likely comply with the attacker's request. It can be as simple as beginning the email with a friendly message or as detailed as inviting the recipient out to lunch while pretending to be a managing partner. This method allows the attacker to build trust while identifying weak spots within the organization to deliver another attack.
4) Impersonating a Specific Person of Authority
In many cases, lawyers and employees of law firms have been fooled by emails that were made to look like they came from the High or Supreme court. Hackers use this common tactic to impersonate someone in high authority to make the email seem more legitimate and pressure people into compliance. This tactic is very effective and usually gets targets to comply quickly with the requests.
How to Prevent Phishing Attacks
Limit Public Information: The first thing you can do to prevent phishing attacks is to limit the information employees post online. If made publicly available, this information can be used by hackers to trick those employees through phishing attacks. Companies must restrict their publicly exposed data related to employees.
Security Awareness Training: All employees should be given basic security awareness training on how to handle phishing emails and identify them on the job. This is your best line of defence for preventing phishing-related incidents.
Have suitable company protocols: You should implement company protocols around if and how data is sent to parties outside your company. These protocols should include verifying the identity of the person that the information is being sent to, what data can be sent and under what circumstances money should be sent to anyone outside the company.
Do phishing simulations: Phishing simulations are when you hire a security firm to perform a fake phishing campaign against your organization to measure your company's ability to detect and respond to phishing emails correctly. This is a great way to measure your company's level of security awareness.
The Importance of Public Key Encryption for Sender Verification
Another way to limit the chances of employees being fooled is to use public key encryption to verify the sender's identity. This is done with something called a cryptographic digital signature. The sender signs the message with their private key and sends the message together with the signature to the receiver. The receiver then verifies the signature using the sender's public key. If the signature verifies under the sender's public key, it proves that the message was signed by the holder of the sender's private key, not by an impostor, and that the message was not altered in transit.
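To show the sender-verification property concretely, here is an added example (not code from the original article) using Ed25519 signatures from Go's standard library. It assumes a hypothetical firm that has already exchanged public keys out of band; a message signed by the genuine sender verifies under the sender's public key, while a message signed by an impostor's key, or a genuine message that was tampered with after signing, does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keypair bundles an Ed25519 key pair: the private key never leaves its owner,
// while the public key is handed to recipients so they can verify signatures.
type Keypair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// NewKeypair generates a fresh key pair. A real sender would do this once and
// distribute the public key through a trusted channel, not by email.
func NewKeypair() (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Public: pub, Private: priv}, nil
}

// SignMessage produces a signature over msg with the sender's private key.
// The message itself is sent in the clear alongside the signature.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifyMessage checks sig against msg using the claimed sender's public key.
// It returns true only if sig was produced by the matching private key over
// exactly these bytes.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Scenario runs three constructed cases and reports whether each verifies:
//   genuine  - the real managing partner signs a wire instruction
//   impostor - an attacker with their own key signs the same text
//   tampered - the genuine signature is presented with a modified message
func Scenario() (genuine, impostor, tampered bool, err error) {
	partner, err := NewKeypair() // the legitimate sender (hypothetical)
	if err != nil {
		return false, false, false, err
	}
	attacker, err := NewKeypair() // an impostor who never had the partner's key
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample message; the recipient only trusts partner.Public.
	msg := []byte("Please wire the settlement funds to account 12345678 today.")

	sig := SignMessage(partner.Private, msg)
	genuine = VerifyMessage(partner.Public, msg, sig)

	forgedSig := SignMessage(attacker.Private, msg)
	impostor = VerifyMessage(partner.Public, msg, forgedSig)

	altered := []byte("Please wire the settlement funds to account 99999999 today.")
	tampered = VerifyMessage(partner.Public, altered, sig)

	return genuine, impostor, tampered, nil
}

func main() {
	g, i, t, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine sender verifies: %v\n", g)  // true
	fmt.Printf("impostor verifies:       %v\n", i)  // false
	fmt.Printf("tampered message verifies: %v\n", t) // false
}
```

The check that matters for phishing defence is the second case: an attacker can spoof a display name or a From address, but cannot produce a signature that verifies under the genuine sender's public key without that sender's private key. This is also what S/MIME and PGP-signed email rely on; the example only demonstrates the underlying signature primitive, not the mail-client integration.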
Conclusion
Phishing attacks can be devastating for any legal firm. They work by manipulating the victim into believing that the message is legitimate and performing an action that compromises their business. Hackers make these messages believable in several ways, including using public information, choosing specific targets, building rapport with the victim and impersonating authority.
As a law firm, it's critically important to protect yourself from these attacks by limiting your publicly exposed information, providing security awareness training for staff, having company protocols for information disclosure and doing regular phishing simulations to test your employees.