As Phishing Scams Evolve, Law Firms Lead Way in DMARC Defense
As spear-phishing attacks become more strategic and targeted, law firms are adopting email authentication solutions faster than their counterparts in the business and finance world.
July 16, 2019 at 09:00 AM
A new report released on Tuesday by the email analytics platform 250ok found that more global law firms are adopting domain-based message authentication, reporting and conformance, or DMARC, solutions designed to help authenticate emails and protect against spoofing. The report analyzed 100 parent domains belonging to the top 100 accredited law firms internationally.
The rising popularity of DMARC tools could be attributable to the evolution of spear-phishing attacks, which more often place a heavier emphasis on strategically selecting targets with lucrative relationships to exploit rather than relying on widespread and haphazard email campaigns.
Law firms, which possess an extensive web of contacts and sensitive information, appear to be taking the lead on preventive measures compared to other industries like finance or even the Fortune 500 sphere.
“If you were to impersonate a lawyer that would carry a lot of weight. If you were to send [an email] to a lawyer impersonating a client, that would carry a lot of weight,” said Matthew Vernhout, director of privacy at 250ok.
According to the report, 39% of firms surveyed have invested in a “none policy,” a sort of entry-level and passive DMARC solution that allows an organization to gain insights into how many emails have passed or failed the authentication process.
It's a 6% bump up from last year's report and puts legal ahead of other industries such as financial services (19%), nonprofit organizations (7%) or even Fortune 500 companies (15%) who have invested in a none policy.
“Moving into even a none policy, just to be able to see where the problem is, is significant enough. You'll see the problems coming. You won't be able to stop them but you'll see them,” Vernhout said.
One reason law firms might be more willing to dip their toe into those waters than other industries comes down to attorney/client privilege. It's not uncommon for a hacker to spoof an email from a company's CEO requesting that an employee buy hundreds of dollars in gift cards. But the kind of information that might be obtained by someone posing as a lawyer could be much more valuable.
For instance, if an opposing counsel winds up on the wrong end of a phishing email, it could cause a kind of domino effect that cascades from firm to firm and client to client.
“It becomes sort of a kind of a chain of contacts, and you build some trust and say, 'I'm the new lawyer at Firm X and I'm working on this case. I need you to send me some files,'” Vernhout said.
Despite the risks, law firms don't appear to have ventured too far into the domain of more aggressive measures such as quarantine or reject policies, but those numbers could be on the rise. Only 7% of law firms surveyed have implemented quarantine policies, which essentially alert the receiver that an email failed a security check and, depending on individual settings, place it into a spam folder. Still, that 7% represents a 5% increase over last year.
The same goes for reject policies, which block the delivery of suspect emails outright and are being utilized by 11% of law firms surveyed, but only around 5% of Fortune 500 companies and just under 6% of financial services organizations. Legal's 11% is up 8% from last year.
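The three policy levels discussed above are published in a domain's `_dmarc` DNS TXT record as the `p=` tag. The following is an added example, not code from the report or from 250ok: it classifies TXT records into none, quarantine, reject or no policy, the way a survey of parent domains would tally them. The domains, records and function names are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level.
# All domains and records below are constructed for illustration.

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return a tag dict for a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None  # strict choice here: a malformed tag voids the record
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # RFC 7489: v=DMARC1 must be the first tag, exact case
        tags.setdefault(name, value)
    return tags

def classify(txt_records):
    """Map the TXT answers for _dmarc.<domain> to one of four categories."""
    records = [r for r in map(parse_dmarc, txt_records) if r]
    if len(records) != 1:
        return "no policy"  # zero or several DMARC records: DMARC is not applied
    policy = records[0].get("p", "").lower()
    # Simplification: a missing or unknown p= value is counted as no policy.
    return policy if policy in VALID_POLICIES else "no policy"

def survey(zone):
    """Tally categories across a {domain: [txt, ...]} mapping."""
    counts = {"no policy": 0, "none": 0, "quarantine": 0, "reject": 0}
    for records in zone.values():
        counts[classify(records)] += 1
    return counts

SAMPLE = {  # constructed records, not real survey data
    "firm-a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@firm-a.example"],
    "firm-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "firm-c.example": ["v=DMARC1; p=reject; sp=reject"],
    "firm-d.example": ["v=spf1 include:_spf.example -all"],  # SPF, not DMARC
    "firm-e.example": [],                                     # nothing published
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:16} {classify(records)}")
    print(survey(SAMPLE))
```

A `p=none` record with a `rua=` address is what produces the aggregate reports that let a domain owner see failures without affecting delivery.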
Vernhout expects to see adoption continue to grow alongside ongoing media coverage of phishing scams and other assorted data breaches. Still, the cost associated with establishing quarantine or reject policies may keep law firms primarily focused on establishing a working none policy for now.
“It's not zero cost. There are man hours that need to be put forward. There may be systems that need to be upgraded or systems that need to be implemented,” Vernhout said.