Law firms are prime targets for fraud and cyberattacks, and incidents are on the rise across the globe, including here in Canada.
Not only do lawyers and their staff safeguard sensitive information that can bring a high price on the black market, but they can also provide hackers with a path to a more valuable target: corporate and institutional clients.
Up-to-date, well-maintained IT systems are a crucial component of cybersecurity; however, most data breaches are actually caused by human error, whether through negligence or by falling victim to fraud.
Resourceful fraudsters know that a firm’s employees can be its greatest vulnerability, and they know exactly how to take advantage. The term for this is social engineering, and its most common tactic is called phishing.
What is “Phishing”?
Phishing is a scheme in which an attacker sends emails to targets with the intent of tricking them into sharing sensitive information or running malicious code. This can be done with links to copies of legitimate websites, by emailing documents with embedded scripts or malware, or simply by impersonating an authority figure or trusted individual.
The information sought during phishing attempts may be anything from login credentials and account numbers to more subtle and innocuous details, such as internal extension maps or a target’s nickname or personal hobbies, which are then reused to make the next message more convincing.
In 2014 the Canadian Department of Justice sent mock phishing emails, designed to look like they were from government and financial institutions, to 5,000 employees to test their ability to identify cyber fraud. Nearly 2,000 employees (37%) fell for it, clicking on the phony link. – CBC News
The next level of phishing is called “spearphishing”, in which hackers figure out something about you or your business and use this snippet of knowledge to gain your trust. Last year, American firm O’Neill Bragg & Staffin was spearphished by hackers who posed as a firm partner. The hackers sent emails to a senior partner concerning a loan transaction of which the hacker seemed to have intimate knowledge. In the correspondence, the hackers addressed the senior partner by his nickname to make the ruse even more convincing, and asked for a $580,000 transfer from the firm’s IOLTA sub-account. After the transfer was made, the senior partner called his colleague to discuss it, finding out only then that he had no knowledge of the request.
It's from an unfamiliar sender
Is the email from an unfamiliar sender, or from a known company with whom you haven’t had dealings? If the sender name looks familiar, would that person have a reason to contact you about the issue the message refers to?
What to do: Don’t click anything! If the sender name is familiar, check the actual email address (not just the display name) to see if it matches the address you normally receive from them. Bear in mind that the address can be forged as easily as the display name, so a match is not proof on its own. If you’re still unsure, find the company’s number online (don’t use any numbers or links provided in the email) and give them a call to verify the email. If you can’t obtain confirmation, send the email along to your IT team for analysis.
They're requesting sensitive information
A legitimate company will never ask you for your password, account number or other sensitive information by email. Hackers know most people won’t fall for a direct request, so they take it a step further: they invite you to visit the company’s page to see for yourself, conveniently providing you with a link. But that link takes you to a false website, designed to look exactly like the pages of the legitimate institution, often hosted on a look-alike domain that differs from the real one by a letter or two. The hackers record any information you enter on this page, and the page may also serve malware that infects your system.
What to do: Don’t click anything! If the sender appears to be someone you deal with regularly – including colleagues and clients – give them a quick call first.
They use intimidation tactics
Phishing emails will often try to generate a sense of urgency with phrases such as “your urgent action is required!” or “your computer has been compromised!”, and some resort to threats purportedly from government bodies such as the CRA or police agencies. These agencies would never use email as first contact for important matters such as this.
What to do: First, take a deep breath and review the message with a critical eye. Hackers like to cast a wide net with their phishing emails, so it’s likely that others have received it too. Try Googling passages of the text, or check fraud debunking websites such as LawPRO, the Canadian Anti-Fraud Centre and Snopes.com.
The message contains typos, poor spelling and grammar
Misspelled words, poor grammar and atrocious typos can be a red flag for phishing emails, especially when a message claims to be from a professional organization or company. Some attempts are downright sad, with the purported company spelling its own name and products incorrectly! This is often because the messages are machine-generated or machine-translated, or written by non-native speakers.
What to do: Be critical, but also be aware that fraud schemes are becoming more sophisticated than ever. Some phishing emails read exactly like legitimate corporate messages, with very polished language and design.
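The red flags above can be turned into automated checks that an IT team can run over a suspicious message before a lawyer ever opens it. The following is an added example, not code from the original article: it parses one raw email and reports a sender whose display name claims a known organisation but whose address domain does not match, links whose visible text shows one site while the real target is another (or a punycode look-alike domain), and urgency language. The known-sender list, all domain names and the sample message are constructed for this example.

```python
"""Heuristic phishing red-flag checks over a raw email message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisations the firm deals with and the domains they really send from.
# Assumption: the firm maintains this list; the entries here are invented.
KNOWN_SENDERS = {
    "northbank": {"northbank.example"},
    "law society": {"lawsociety.example"},
}

URGENCY_PHRASES = (
    "urgent action is required",
    "your account will be suspended",
    "your computer has been compromised",
    "immediately",
    "within 24 hours",
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lowercase host of a URL, or of bare text that looks like one."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def check_sender(from_header):
    """Red flag: display name names a known organisation, address domain does not match."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    for org, domains in KNOWN_SENDERS.items():
        ok = any(domain == d or domain.endswith("." + d) for d in domains)
        if org in name.lower() and not ok:
            flags.append(f"display name '{name}' but address domain is '{domain}'")
    return flags


def check_links(html_body):
    """Red flag: visible link text and real target disagree, or the target is punycode."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if re.search(r"\w\.\w", text) else ""
        if shown and shown != target:
            flags.append(f"link text shows '{shown}' but points to '{target}'")
        if target.startswith("xn--") or ".xn--" in target:
            flags.append(f"link target '{target}' uses punycode (possible look-alike domain)")
    return flags


def check_urgency(text):
    """Red flag: pressure language."""
    lowered = text.lower()
    return [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in lowered]


def score_message(raw):
    """Run every check on a raw RFC 5322 message and return the red flags found."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body is not None else ""
    flags = check_sender(msg["From"] or "")
    flags += check_links(html_body)
    plain = re.sub(r"<[^>]+>", " ", html_body) + " " + (msg["Subject"] or "")
    flags += check_urgency(plain)
    return flags


# Constructed sample: a look-alike "bank" message, not a real email.
SAMPLE = """From: "NorthBank Security Team" <alerts@northbank-verify.example>
To: partner@firm.example
Subject: Your urgent action is required
Content-Type: text/html; charset=utf-8

<p>Unusual activity was detected. Confirm your credentials within 24 hours
at <a href="http://login.northbank-verify.example/auth">https://www.northbank.example/login</a>
or your account will be suspended.</p>
"""

if __name__ == "__main__":
    for flag in score_message(SAMPLE):
        print("RED FLAG:", flag)
```

Run against the sample, the script reports five flags: the mismatched sender domain, the link whose text shows the real bank but whose target is the look-alike domain, and three urgency phrases. Note the limits the article itself points out: a polished message from a correctly spelled, correctly matching address produces no flags at all, so a clean result means only that the obvious tells are absent, not that the message is safe.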
There’s no way to be sure
It’s important to be aware of the above red flags, as it trains your mind to be critical and could prevent a system breach with disastrous consequences for your firm. That being said, there is no way to be sure whether an email is legitimate or not. For this reason, we recommend that law firms educate their employees about cybersecurity, maintain up-to-date anti-virus protection at all times, and implement two-factor authentication for all individuals with access to the firm’s system.
While You Were Sleeping: Ever-Changing Cybersecurity Threats and What you Need to Know Now (pay wall, On-Demand CLE) – presented by American Bar Association
Recent Fraud Warnings – published by Avoid a Claim, PracticePRO
Canadian Anti-Fraud Centre – Government of Canada’s central fraud agency
Snopes.com – Fact-checking against fraud and fake news