Phishing attacks are prevalent in all industries, and the legal profession is no different.

However, unlike other industries, lawyers possess a plethora of information regarding their clients that makes attorneys an attractive target for hackers. Likewise, hackers are studying their lawyer targets to understand how to craft an attachment file or link that is just too compelling or too run-of-the-mill for a lawyer to ignore.

The list below highlights some of the legal industry-specific phishing tactics hackers are leveraging to gain access into lawyers' sensitive data files.

Accessing the cloud

Last week, managed detection and response company eSentire Inc., in collaboration with the International Legal Technology Association, released the "Threat Intelligence Spotlight: Legal Industry" report that tackled "phishing lures" specific to the legal industry.

The report found that phishing schemes regarding Adobe's cloud service are unique to the legal industry because of lawyers' heavy reliance on PDFs.

ESentire data visualization leader Keegan Keplinger explained that hackers leverage attorneys' Adobe accounts by sending an email notifying lawyers of an update that requires their Adobe log-in credentials. Unbeknownst to the lawyers, they've submitted their password and username into a fraudulent site, and now a hacker has access to their data stored on the Adobe cloud service.

Faking credit card inquiries 

ESentire's report also highlighted that American Express phishing scams are found more commonly in the legal profession.

Moreover, lawyers and law firms are more susceptible to this phishing scheme because lawyers are usually thought of as high-income earners or work for a firm that has a credit card, said eSentire vice president and industry security strategist Mark Sangster.

Generally, someone will send a fake AMEX payment confirmation request to a lawyer or law firm and obtain access to their credit card accounts, Sangster explained.

Exploiting law firms' hierarchy

Not all phishing attacks are tech-intensive. Instead, someone can impersonate a high-ranking partner and email an administrative-level staffer with a demand. The email isn't vetted for authenticity because the staffer hopes to appease a high-ranking employee, said Joshua Crumbaugh, CEO of cybersecurity company PeopleSec.

"Law firms are some of the worst at hierarchy, and some of my experiences has been with information technology and any support staff that has a subordinate role and they tend to be very afraid to ask questions of partners in the firm," Crumbaugh said. "This is unique to law firms. In general they've got to empower their lower-level and support staff to be confident with asking those questions and saying, 'No, that's not part of the policy.' "

Spear phishing

To be sure, law firm websites' bios and social media are good tools for obtaining clients and networking, but they also provide hackers with information to make a convincing phishing email tailored to a lawyer's interests, said cybersecurity experts.

That type of spear phishing could come as an email about news affecting the lawyer's practice group or other interests.

The tailored communications are an attempt to "try to put something in that email that would get them to click the link or attachment," said Adam Levin, chairman of CyberScout, an identity and data protection company. While the content may appear innocent, the lawyer has clicked a link or downloaded a file that contains malware that infects the firm's systems.

Additionally, someone can send a realistic demand or request tailored to a current client's legal matter. Stoked by the rush to help their client, lawyers may unsuspectingly transfer cash or sensitive data to a hacker, Crumbaugh added.