Phishing-Attack

We all have intimate familiarity with phishing emails and social engineering attacks because they are so commonplace. Rarely does a day go by that we don't get a fraudulent phone call or find numerous "phishy" emails. There's a very simple reason why we all get so many fraudulent messages, and that is because social engineering works!

Social engineering attacks such as phishing are likely to succeed because human nature includes an "assumption of truth" that allows us to live in organized societies. Without an innate assumption of veracity in our interactions with other humans, all groups of people would quickly collapse into chaos.

Sadly, for every 99 of us who've learned not to trust that assumption of truth, there's still that one person who hasn't yet been inoculated to social engineering attacks. If you've ever thought to yourself, "How do these fraudsters make a living? Don't they all know we're savvy to these attacks yet?", the answer is attackers don't care if 99 out of 100 of us are immune to their attack, they're content to cast a wide net looking for that one weak target.

Social engineering attacks also result in tremendous impact. While computer systems have firewalls, anti-malware protections and many other technical controls, one user with a valid username and password can cut right through those safeguards and access sensitive information and systems, whether it's an individual's personally identifiable information or a corporation's proprietary intellectual property.

Given social engineering's success rate and the high impact of an effective attack, there's little doubt why it's so popular. So it's not surprising that social engineering attacks appear to be on the rise for law firms. As organizations that perform significant communication via email and phone and are perceived to have corporate wealth, but are not necessarily large enough to have state-of-the-art protection systems, law firms make great ransomware targets. Also, as the curators of sensitive client information, an attacker that breaches a law firm may harvest the specific information they're seeking on a single client, or even net sensitive data on multiple organizations while only putting forth the effort required to perpetrate a single breach.

Traditionally, social engineering attacks have been executed against law firms' core networking infrastructure. But, with the proliferation of smartphones, remote access, cloud computing and social/business networking, attacks now target individual employees. Once that compromise is complete, the attacker then seeks to pivot to firm computing resources.

Two of the most effective social engineering attacks are spear phishing and vishing. Spear phishing is simply a targeted email attack, wherein the fraudster attempts to send us a timely topic or reveal some insider knowledge, along with spoofing (impersonating) a valid company email address in an attempt to enhance perceived credibility.

Common scripts used by spear phishers include security patches, surveys, billing or payables actions, job opportunities, job applicants, and other seemingly timely or topical issues. The primary objective is to get the victim to click on a link to a malicious website, open a malicious attachment, or divulge user credentials.

Vishing is a phone-based phishing technique. Often used in conjunction with CallerID spoofing, vishing is annoyingly commonplace. While tried and true vishing scripts, such as impersonating Microsoft tech support, the Social Security Administration, the IRS, and other intimidating organizations, may be a bit overused by now, the latest and greatest vishing attacks use scripts that are tougher to spot, often exploiting the victim's own digital presence to lend perceived credibility to the call. Seemingly innocuous scripts, or calls to arms like these are among the current favorite choices of attackers:

"I'm from the customer service department at Acme Company, and I'm calling about your recent Yelp review…"

"Your (credit card, debit card, etc.) at Acme Company has been compromised…"

"Your account at Acme Bank is showing potentially fraudulent activity…"

Once they get the victim duped into the conversation, then accepting an emailed "gift card" as a gesture from the nice customer service representative seems like a wonderful bit of mana from heaven; that is, until the victim opens the gift card attachment only to have their pc commandeered.

Obviously, the most important thing all firms can do to avoid becoming the next phishing victim is to remain ever vigilant. Stay on the lookout for key hallmarks of social engineering attacks, such as:

  • Name dropping;
  • Claims of authority;
  • Compliments, flattery, or flirting;
  • Promises of rewards; or
  • Anything out of the ordinary.

Pay attention to the "From" field for inbound emails. Is it coming from exactly the correct email domain? How about if you click the "Send" button and inspect the "To" field? Is it replying to the same email address it professed to be originating from? (Hint, if the "From" and reply "To" addresses aren't exactly the same, something phishy is going on.)

Additionally, technical controls can help prevent, or limit the impact of, a phishing attack. Have your IT department implement, and then test, prohibitions on email address spoofing and malicious inbound attachments and links. Whenever possible, use multi-factor authentication for email access and strong passwords.

For vishing, keep phones and message applications updated in a timely fashion. Disable scripting on mobile browsers and don't trust CallerID (though a recent letter by a coalition of state attorneys general spurring major phone carriers to action may finally help bring an end to the scourge of CallerID spoofing). Also, with new artificial intelligence aided applications, attackers can replicate known voices, so don't trust formerly reliable human-ear voice recognition, either.

These tactics and strategies, incorporated as part of a comprehensive information security risk management program, can reduce both the likelihood or a successful phish and the impact of a successful phish campaign.

David Trepp is the Partner in Charge of BPM LLP's Eugene office and specializes in IT assurance and information security assessment. He can be reached at [email protected].