Watch Out For That Email From Management: The Latest Scams Targeting Lawyers
Several firms have been targeted by phishing scams in recent months, but why are cyber criminals so drawn to law firms and how can management safeguard their businesses?
September 10, 2019 at 09:42 AM
6 minute read
Seeing an email from your firm's managing partner flash up on your phone is something that would give even the most laid-back lawyer pause for thought, let alone if your boss is asking to see you urgently.
But before typing back a quick, slightly panicked response, asking what's wrong and why they are needed, lawyers are now having to confront a different, more sinister possibility: is this email really coming from my boss? Or is it coming from a total stranger?
One managing partner at a U.K. firm says that his lawyers have been targeted by email phishing scammers several times in recent months, part of a wave of phishing attacks to have hit law firms.
As his lawyers – as well as people in his human resources and business support departments – rush around trying to make the firm run smoothly on a daily basis, they are being instructed to second guess the sender of emails they have received in an attempt to protect the firm's interests – and themselves.
"The problem," the managing partner says, "is when you're on your phone and someone's name just comes up in your email folder, they can't tell immediately that's not you. They have to press on the name to see the full email address.
"A couple of people respond to the phisher, who then says: 'Don't worry, it's not that urgent, I was just looking for the payment details of so-and-so.' They just try to start up a conversation with you."
Easy targets
"Law firms are attractive places for cybercriminals to hunt"
Management teams, cybersecurity experts and human resources departments seeking to curtail the scams before money is transferred, face no small task.
"Law firms are attractive places for cybercriminals to hunt," adds the managing partner, and the recent phishing attempts back up his statement.
Some of the U.K.'s largest firms and their clients are targets. Linklaters has had its name used in phishing scams three times since January, while Clifford Chance's U.K. managing partner Michael Bates was impersonated by scammers in March, and the same thing happened to two DLA Piper partners in May.
Yesterday (September 10), the Solicitors Regulation Authority announced that emails have been sent misusing the name and address of top 50 law firm Mills & Reeve, which requested a payment of £7,560 into a fraudulent account.
"When you get an email from a senior colleague, our natural response is to help that individual"
"Things are getting more sophisticated," says the managing partner, who says that while he has never been impersonated to clients, the firm is almost constantly bombarded with emails looking to take advantage of its staff.
Adam McElroy, head of cyber risk at Deloitte, says this type of fraud (known as CEO fraud), "really plays on our innate desire to be helpful", adding: "When you get an email from a senior colleague, our natural response is to help that individual."
Several lawyers in the City agree that social media has exacerbated the problem. Networking social media app LinkedIn, in particular, is used by scammers to look up people working in a firm's HR or central finance departments.
The managing partner adds that in his view, the most dangerous fake emails are those that impersonate lawyers to HR, asking to have their monthly drawings details changed to funnel funds elsewhere.
"That's trickier because it could actually happen – I've done it lots of times. We have processes in place now to stop that happening without face-to-face verification."
Individuals under attack
McElroy says he is seeing increasingly well-crafted and personalised scam emails that do not attack the whole firm and focus instead on individuals.
"What we're seeing is the increase in size of the attack surface. Rather than making a direct attack on a law firm, they will target clients by looking for a number of ways into that organisation.
"Every firm has robust controls over email, but how many people are using a cloud service on a mobile device? Which is a greater threat? What are the other sources of information? What's the third-party risk that should be considered there?"
Ross McKean, data response and cybersecurity co-head at DLA Piper, says that about a third of the cyber incidents he and his team deal with involve some form of phishing attack.
"Payment scammers can create very convincing and authentic-looking emails, supposedly from partners within the firm demanding immediate bank transfers from finance teams"
He adds: "Many cyber scammers are professionals – scamming is their full-time job and you can often see a regular 9am to 5pm pattern of activity from known 'bad' IP addresses, as the scammers clock in and clock off from work. Phisher scammers know it's much more likely that people are going to enter their details on a Friday afternoon when their brain is already halfway home, or on a Monday morning when wading through a mountain of emails at the start of the week.
"Payment scammers can create very convincing and authentic-looking emails, supposedly from partners within the firm demanding immediate bank transfers from finance teams. More sophisticated scammers will use social engineering techniques to improve the effectiveness of their scams. It's easy money and much lower risk for the perpetrators than real-world crime. Scamming is a huge business."
The managing partner stresses the importance of using passwords on apps to make sure everyone in the firm is keeping themselves as safe as possible, and says the firm holds compulsory cyber training sessions for lawyers about personal risk.
"The biggest risk we all pose to a business is ourselves. As long as you're one step ahead, if the cybercriminal feels like they can't target you, they will move on."
"I don't think it's really on most fee-earners' or support staff's top 10 list of things to worry about, because we're all busy"
McKean foresees regulators taking a tougher line on data breaches in this area, because law firms deal with so much sensitive client data. He recommends that firms undertake a combination of intensive staff training on how to deal with scam emails, and keep up to date on ever-evolving anti-phishing control systems.
"I don't think it's really on most fee-earners' or support staff's top 10 list of things to worry about, because we're all busy and our minds are crowded with 101 other priorities and actions," he says. "That's why phishing and payment scams are so successful."
"It's also why training staff and awareness raising programmes, although important, will never be 100% effective. They are often promptly forgotten after the multiple-guess certification is completed. So firms should also consider and implement appropriate technical controls as part of their cyber defences."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Almost Impossible'?: Squire Challenge to Sanctions Spotlights Difficulty of Getting Off Administration's List
4 minute read'Never Been More Dynamic': US Law Firm Leaders Reflect on 2024 and Expectations Next Year
7 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250