According to recent research by Tessian, 26% of employees have clicked on a phishing email at work in the past year. For this reason, and many others, it is no surprise that most CISOs are concerned about how phishing attacks are evolving.
Phishing is the most common cyber-attack affecting law firms and is particularly prevalent in areas of practice such as conveyancing. According to the Law Society’s online cybersecurity poll in June 2018, approximately 80% of law firms reported phishing attempts in the previous year. Its low cost and low technical barrier relative to the potential reward make it a popular and lucrative method for cyber criminals.
Thankfully, email security solutions continue to become more advanced and stop more potentially malicious emails and attachments. However, it only takes one mistake or slip in judgement for a legal employee to click on a phishing link or follow the instructions of a social engineer, which can have devastating effects on a business.
In this article, we will look into some of the common and not-so-common phishing methods, and what your business can do to protect itself from the evolving threat of phishing attacks.
Phishing Methods
With the benefits of technology, cloud storage space, and online communication, law firms are actively transferring parts of their operations to the digital world. The advantages of conducting business online are numerous, from speeding up many processes, like archiving and data processing, to making it easier to meet with clients and get all the necessary information and documents from them. However, exposure to the Internet and online communication also brings security concerns.
Bulk Phishing
Bulk phishing is the most common form of phishing attack. This is where a cybercriminal sends the same phishing email to a large number of employees or individuals. The messages typically impersonate a legitimate company in an attempt to steal personal data or login credentials, or to coerce the victim into sending money. Some of the companies commonly impersonated are Apple, Amazon, Microsoft and LinkedIn.
These bulk phishing attacks often use language that creates a sense of urgency to stop the victim from taking time to check whether the message is fraudulent. Although these attacks are low effort and high volume, they still succeed because untrained or distracted employees may follow the cybercriminal's instructions.
Some tell-tale signs of these attacks include:
Language that creates a sense of urgency
Redirects and shortened links, using services such as TinyURL or bit.ly
Incorrect spelling, grammar or punctuation
Email addresses and domains that don’t match
Odd requests, such as asking for gift cards or transferring funds
Spear Phishing
Whereas bulk phishing attacks are high volume and low effort, spear phishing attacks are low volume and high effort. In these attacks, cybercriminals use open-source intelligence (OSINT) to gather information about their targets. For example, their name, position, employer, phone number, and previous job roles. The attacker will use this information to customise the phishing email to deceive the victim into believing the attacker can be trusted.
The information used to tailor these attacks can be gathered easily from sources such as LinkedIn, Facebook and simple Google searches. The attacks are more likely to succeed because employees are more likely to follow instructions or click a link from someone they believe they can trust.
It can be difficult to detect a spear phishing attack, but employees should look out for:
Emails with unsolicited attachments or links
Language that creates a sense of urgency
Email addresses and sender names that do not match
Inconsistencies in formatting
Falsified forwarded emails
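Several of the tell-tale signs listed for bulk phishing and for spear phishing above (mismatched sender names and domains, links through shortening services, urgency language) can be checked mechanically before a message ever reaches a reader's judgement. The Python script below is an added example written for this article, not code from the original page or from any vendor: it parses two constructed messages (a payment-diversion lure and an ordinary internal email) and reports which signs fire. The domains, the message text, the urgency phrase list and the extra shortener hosts beyond TinyURL and bit.ly are all assumptions made for illustration.

```python
"""Heuristic phishing triage over raw RFC 5322 messages (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# TinyURL and bit.ly are named in the article; t.co and goo.gl are assumed
# further examples of common link shorteners.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}
# Assumed phrases that signal manufactured urgency.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "action required")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: a payment-diversion lure of the kind aimed at conveyancing.
SUSPICIOUS_MESSAGE = """\
From: "accounts@examplefirm.example" <alerts@mail-notice.example>
Reply-To: payments@other-domain.example
To: partner@examplefirm.example
Subject: URGENT: completion funds must be transferred within 24 hours
Content-Type: text/plain; charset="utf-8"

The client's bank details have changed. Action required: confirm the new
account at https://bit.ly/confirm-now immediately or the completion will fail.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_MESSAGE = """\
From: Jane Doe <jane.doe@examplefirm.example>
To: partner@examplefirm.example
Subject: Draft contract for review
Content-Type: text/plain; charset="utf-8"

Hi, the draft is in the shared folder at https://docs.examplefirm.example/draft
whenever you have a moment. No rush.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw: str) -> list:
    """Return human-readable findings; an empty list means no sign fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # Sign: the display name is itself an address on a different domain from
    # the real sender ("email addresses and sender names that do not match").
    claimed = ADDR_RE.search(display_name)
    if claimed and domain_of(claimed.group()) != from_dom:
        findings.append(f"display name claims {domain_of(claimed.group())} "
                        f"but the message was sent from {from_dom}")

    # Sign: replies are routed to a domain other than the sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from "
                        f"From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    # Sign: shortened or redirecting links that hide the real destination.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link: {url}")

    # Sign: language that creates a sense of urgency, in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyse(raw) or "no findings")
```

Checks like these are what the "anti-spoofing" features of commercial email security products automate at scale; run by hand on a single message they also make a good training exercise, because every finding maps to one of the signs employees are taught to look for.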
Whaling
Whaling is a form of spear phishing that specifically targets high-level employees, such as an organisation's partners, directors or managers.
Typically, the goal of these attacks is to gain access to the high-level employee’s account, also known as business email compromise (BEC). Once they have gained access, attackers can abuse it to authorise transactions, email employees asking for sensitive information, or use the account's high-level privileges to reach systems and information for exfiltration.
Smishing and Vishing
Whilst most phishing attacks use emails, some cybercriminals use SMS (smishing) and voice calls (vishing) to deceive their victims. Similar to email-based forms of phishing attacks, the goal of smishing and vishing is to deceive the victim into sharing sensitive information or sending money to the attacker. Cybercriminals are more likely to target consumers rather than businesses with these attacks, but it is important to be aware of this form of attack.
As with email phishing, individuals should not share information or follow the instructions of a caller or SMS sender on an inbound contact. Searching the phone number online can also help establish whether the call is legitimate.
How To Keep your Firm Protected
Email Security Solutions
There are many email security solutions on the market that can help keep your law firm safe. Some common features of these solutions include:
AI-powered phishing detection
Behavioural intelligence modelling
DLP functionality
Anti-spoofing policies and DMARC analysis
Automated detection, investigation and remediation
Although email services such as Gmail and Microsoft Outlook include some of these features as standard, most businesses rely on a third-party solution to improve their security posture and reduce the chance of falling victim to a phishing attack.
The Human Firewall
A traditional firewall is an IT system that monitors and filters inbound and outbound network traffic, blocking anything malicious. Typically, it acts as a boundary between a trusted network, and an untrusted network.
A human firewall is similar to a traditional firewall; however, rather than being an IT system, it is the employees within a business, given the tools and education to reduce cyber risk.
The foundation of any strong human firewall is a comprehensive education and awareness programme. This programme should teach employees how to detect a potential cyberattack and what actions to take to reduce the chance of falling victim to one. Phishing awareness training should cover common phishing methods, examples of phishing emails, how employees can reduce the amount of information online that could be used for spear phishing attacks, and how to report a potential phishing email.
The human firewall is important as employees are the final line of defence. In an ideal situation, the previous security controls will stop a phishing attack before it lands in an employee’s inbox. However, this is not always the case, so employees need to be able to correctly identify a phishing email.
Multifactor Authentication
In the worst-case scenario, if your email security solution does not stop a phishing email and an employee clicks on a malicious link and the attacker steals their login information, businesses need a method of preventing access to their account. There are solutions such as Conditional Access, which can stop unusual login attempts, but 99.9% of account compromise attacks can be stopped with the simple addition of multifactor authentication (MFA).
With MFA enabled, even if a cybercriminal has an employee's login credentials, they will also need access to the employee's phone or biometrics to get into the account. In terms of bang for your buck, MFA provides immense value and security for a business, yet it does not take long to set up and is not expensive. For this reason, all businesses should enable MFA for all employees, no matter what.
How to Spot a Phishing Attack on Your Law Firm
Phishing attacks have become one of the most common types of cyberattacks, mostly because all it takes is a simple human error for criminals to access their victim’s system. The attacks are usually carried out through an email that requires the reader’s immediate attention and urges them to take action.
Whether it is an infected attachment that an employee downloads to their computer, a link that leads to a fraudulent website, or a fake sign-in page where they are asked to enter their credentials, a phishing attempt aims to trick the reader into handing over the information the attacker needs.
Phishing emails usually appear to come from verified and reliable sources, such as Microsoft or LinkedIn. However, a closer inspection of the sender's email address usually reveals that it was sent from a look-alike or unrelated domain.
Another red flag is the subject line of the phishing email. If the subject gives out a sense of urgency and demands immediate action from the recipient, there is a good chance it is a phishing attempt. Bad grammar and spelling are also telltale signs of a fraudulent email.
Looking for Assistance?
Navigating the world of email security and phishing can be difficult for law firms, especially as the techniques are constantly evolving.
Contact Blue Car Technologies to learn how we and our specialist partners can help your firm choose the right security solutions, as well as the implementation and deployment.