Seeing an email from your firm's managing partner flash up on your phone is something that would give even the most laid-back lawyer pause for thought, let alone if your boss is asking to see you urgently.

But before typing back a quick, slightly panicked response asking what's wrong and why they are needed, lawyers are now having to confront a different, more sinister possibility: is this email really coming from my boss? Or is it coming from a total stranger?

One managing partner at a U.K. firm says that his lawyers have been targeted by email phishing scammers several times in recent months, part of a wave of phishing attacks that has hit law firms.

As his lawyers—as well as people in his human resources and business support departments—rush around trying to make the firm run smoothly on a daily basis, they are being instructed to second-guess the sender of emails they have received in an attempt to protect the firm's interests – and themselves.

"The problem," the managing partner says, "is when you're on your phone and someone's name just comes up in your email folder, they can't tell immediately that's not you. They have to press on the name to see the full email address.

"A couple of people respond to the phisher, who then says, 'Don't worry, it's not that urgent, I was just looking for the payment details of so-and-so.' They just try to start up a conversation with you."

Easy Targets

Management teams, cybersecurity experts and human resources departments seeking to curtail the scams before money is transferred face no small task.

"Law firms are attractive places for cyber criminals to hunt," adds the managing partner, and the recent phishing attempts back up his statement.

Some of the U.K.'s largest firms and their clients are targets. Linklaters has had its name used in phishing scams three times since January, while Clifford Chance's U.K. managing partner Michael Bates was impersonated by scammers in March and the same thing happened to two DLA Piper partners in May.

Yesterday (September 10), the Solicitors Regulation Authority announced that emails have been sent misusing the name and address of top 50 law firm Mills & Reeve, which requested a payment of £7,560 into a fraudulent account.

"Things are getting more sophisticated", says the managing partner, adding that while he has never been impersonated to clients, the firm is almost constantly bombarded with emails looking to take advantage of its staff.

Adam McElroy, head of cyber risk at Deloitte, says that this type of fraud (known as CEO fraud), "really plays on our innate desire to be helpful. When you get an email from a senior colleague, our natural response is to help that individual."

Several lawyers in London agree that social media has exacerbated the problem. Networking social media app LinkedIn, in particular, is used by scammers to look up people working in a firm's HR or central finance departments.

The managing partner adds that in his view, the most dangerous fake emails are those that impersonate lawyers to HR asking to have their monthly drawings details changed to funnel funds elsewhere.

"That's trickier because it could actually happen—I've done it lots of times. We have processes in place now to stop that from happening without face-to-face verification."

Individuals Under Attack

McElroy says that he is seeing increasingly well-crafted and personalized scam emails that do not attack the whole firm and focus instead on individuals.

"What we're seeing is the increase in size of the attack surface. Rather than making a direct attack on a law firm, they will target clients by looking for a number of ways into that organisation.

"Every firm has robust controls over email, but how many people are using a cloud service on a mobile device? Which is a greater threat? What are the other sources of information, what's the third party risk that should be considered there?"

Ross McKean, data response and cyber-security co-head at DLA Piper, says that around a third of the cyber incidents he and his team deal with involve some form of phishing attack.

He adds: "Many cyber scammers are professionals, scamming is their full-time job and you can often see a regular 9 a.m. to 5 p.m. pattern of activity from known 'bad' IP addresses as the scammers clock in and clock off from work. Phisher scammers know it's much more likely that people are going to enter their details on a Friday afternoon when their brain is already halfway home, or on a Monday morning when wading through a mountain of emails at the start of the week.

"Payment scammers can create very convincing and authentic looking emails supposedly from partners within the firm demanding immediate bank transfers from finance teams. More sophisticated scammers will use social engineering techniques to improve the effectiveness of their scams. It's easy money and much lower risk for the perpetrators than real-world crime. Scamming is a huge business."

The managing partner stresses the importance of using passwords on apps to make sure everyone in the firm is keeping themselves as safe as possible, and says that the firm holds compulsory cyber training sessions for lawyers about personal risk.

"The biggest risk we all pose to a business is ourselves. As long as you're one step ahead, if the cyber criminal feels like they can't target you, they will move on."

McKean foresees regulators taking a tougher line on data breaches in this area since law firms deal with so much sensitive client data. He recommends that firms undertake a combination of intensive staff training on how to deal with scam emails, and keep up to date on ever-evolving anti-phishing control systems.

"I don't think it's really on most fee-earners or support staff top 10 list of things to worry about because we're all busy and our minds are crowded with 101 other priorities and actions," he said. "That's why phishing and payment scams are so successful."

"It's also why training staff and awareness raising programs, although important, will never be 100% effective. They are often promptly forgotten after the multiple guess certification is completed. So firms should also consider and implement appropriate technical controls as part of their cyber defenses."
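
One technical control of the kind called for above, aimed at the display-name problem the managing partner describes, where a phone shows the sender's name but hides the address. This is an added example, not part of the original article: the firm domain, staff names and messages are constructed assumptions, and the check only covers names that appear in the staff list.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the firm's own mail domains and a staff directory.
FIRM_DOMAINS = {"examplefirm.example"}
STAFF_NAMES = ["Jane Holloway", "Samuel Okoro"]
TITLES = {"mr", "mrs", "ms", "dr"}


def name_key(name):
    """Reduce a display name to a case- and order-independent set of name tokens."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", text.lower())
    return frozenset(t for t in tokens if len(t) > 1 and t not in TITLES)


STAFF_KEYS = {name_key(n): n for n in STAFF_NAMES}


def check_sender(raw_message):
    """Flag mail whose From display name matches a staff member but whose
    address is outside the firm's domains."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    shown = name_key(display)
    for key, staff in STAFF_KEYS.items():
        # Subset match so "Holloway, Jane (Managing Partner)" still matches.
        if key <= shown and domain not in FIRM_DOMAINS:
            return {"verdict": "impersonation-suspected", "staff": staff,
                    "address": address}
    return {"verdict": "ok", "staff": None, "address": address}


# Constructed sample messages (not real traffic).
SAMPLES = [
    'From: Jane Holloway <jane.holloway@examplefirm.example>\n'
    'Subject: Board papers\n\nAttached.',
    'From: "Holloway, Jane" <jh.partner@freemail.example>\n'
    'Subject: Are you at your desk?\n\nNeed a quick favour.',
    'From: Client Contact <contact@client.example>\n'
    'Subject: Invoice query\n\nHello.',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_sender(raw))
```

A mail gateway would typically tag or quarantine the flagged message so the recipient sees a warning before replying.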