Credit: Shutterstock.comWatch Out For That Email From Management: The Latest Scams Targeting Lawyers
Several firms have been targeted by phishing scams in recent months, but why are cyber criminals so drawn to law firms and how can management safeguard their businesses?
September 10, 2019 at 09:42 AM
6 minute read
Seeing an email from your firm's managing partner flash up on your phone is something that would give even the most laid-back lawyer pause for thought, let alone if your boss is asking to see you urgently.
But before typing back a quick, slightly panicked response, asking what's wrong and why they are needed, lawyers are now having to confront a different, more sinister possibility: is this email really coming from my boss? Or is it coming from a total stranger?
One managing partner at a U.K. firm says that his lawyers have been targeted by email phishing scammers several times in recent months, part of a wave of phishing attacks to have hit law firms.
As his lawyers – as well as people in his human resources and business support departments – rush around trying to make the firm run smoothly on a daily basis, they are being instructed to second guess the sender of emails they have received in an attempt to protect the firm's interests – and themselves.
"The problem," the managing partner says, "is when you're on your phone and someone's name just comes up in your email folder, they can't tell immediately that's not you. They have to press on the name to see the full email address.
"A couple of people respond to the phisher, who then says: 'Don't worry, it's not that urgent, I was just looking for the payment details of so-and-so.' They just try to start up a conversation with you."
Easy targets
"Law firms are attractive places for cybercriminals to hunt"
Management teams, cybersecurity experts and human resources departments seeking to curtail the scams before money is transferred, face no small task.
"Law firms are attractive places for cybercriminals to hunt," adds the managing partner, and the recent phishing attempts back up his statement.
Some of the U.K.'s largest firms and their clients are targets. Linklaters has had its name used in phishing scams three times since January, while Clifford Chance's U.K. managing partner Michael Bates was impersonated by scammers in March, and the same thing happened to two DLA Piper partners in May.
Yesterday (September 10), the Solicitors Regulation Authority announced that emails have been sent misusing the name and address of top 50 law firm Mills & Reeve, which requested a payment of £7,560 into a fraudulent account.
"When you get an email from a senior colleague, our natural response is to help that individual"
"Things are getting more sophisticated," says the managing partner, who says that while he has never been impersonated to clients, the firm is almost constantly bombarded with emails looking to take advantage of its staff.
Adam McElroy, head of cyber risk at Deloitte, says this type of fraud (known as CEO fraud), "really plays on our innate desire to be helpful", adding: "When you get an email from a senior colleague, our natural response is to help that individual."
Several lawyers in the City agree that social media has exacerbated the problem. Networking social media app LinkedIn, in particular, is used by scammers to look up people working in a firm's HR or central finance departments.
The managing partner adds that in his view, the most dangerous fake emails are those that impersonate lawyers to HR, asking to have their monthly drawings details changed to funnel funds elsewhere.
"That's trickier because it could actually happen – I've done it lots of times. We have processes in place now to stop that happening without face-to-face verification."
Individuals under attack
McElroy says he is seeing increasingly well-crafted and personalised scam emails that do not attack the whole firm and focus instead on individuals.
"What we're seeing is the increase in size of the attack surface. Rather than making a direct attack on a law firm, they will target clients by looking for a number of ways into that organisation.
"Every firm has robust controls over email, but how many people are using a cloud service on a mobile device? Which is a greater threat? What are the other sources of information? What's the third-party risk that should be considered there?"
Ross McKean, data response and cybersecurity co-head at DLA Piper, says that about a third of the cyber incidents he and his team deal with involve some form of phishing attack.
"Payment scammers can create very convincing and authentic-looking emails, supposedly from partners within the firm demanding immediate bank transfers from finance teams"
He adds: "Many cyber scammers are professionals – scamming is their full-time job and you can often see a regular 9am to 5pm pattern of activity from known 'bad' IP addresses, as the scammers clock in and clock off from work. Phisher scammers know it's much more likely that people are going to enter their details on a Friday afternoon when their brain is already halfway home, or on a Monday morning when wading through a mountain of emails at the start of the week.
"Payment scammers can create very convincing and authentic-looking emails, supposedly from partners within the firm demanding immediate bank transfers from finance teams. More sophisticated scammers will use social engineering techniques to improve the effectiveness of their scams. It's easy money and much lower risk for the perpetrators than real-world crime. Scamming is a huge business."
The managing partner stresses the importance of using passwords on apps to make sure everyone in the firm is keeping themselves as safe as possible, and says the firm holds compulsory cyber training sessions for lawyers about personal risk.
"The biggest risk we all pose to a business is ourselves. As long as you're one step ahead, if the cybercriminal feels like they can't target you, they will move on."
"I don't think it's really on most fee-earners' or support staff's top 10 list of things to worry about, because we're all busy"
McKean foresees regulators taking a tougher line on data breaches in this area, because law firms deal with so much sensitive client data. He recommends that firms undertake a combination of intensive staff training on how to deal with scam emails, and keep up to date on ever-evolving anti-phishing control systems.
"I don't think it's really on most fee-earners' or support staff's top 10 list of things to worry about, because we're all busy and our minds are crowded with 101 other priorities and actions," he says. "That's why phishing and payment scams are so successful."
"It's also why training staff and awareness raising programmes, although important, will never be 100% effective. They are often promptly forgotten after the multiple-guess certification is completed. So firms should also consider and implement appropriate technical controls as part of their cyber defences."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Trending Stories
- 1The Law Firm Disrupted: Playing the Talent Game to Win
- 2A&O Shearman Adopts 3-Level Lockstep Pay Model Amid Shift to All-Equity Partnership
- 3Preparing Your Law Firm for 2025: Smart Ways to Embrace AI & Other Technologies
- 4BD Settles Thousands of Bard Hernia Mesh Lawsuits
- 5A RICO Surge Is Underway: Here's How the Allstate Push Might Play Out
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
