How to Avoid Becoming the Next Phishing Victim
Traditionally, social engineering attacks have been executed against law firms' core networking infrastructure. But, with the proliferation of smartphones, remote access, cloud computing and social/business networking, attacks now target individual employees.
November 26, 2019 at 07:00 AM
We all have intimate familiarity with phishing emails and social engineering attacks because they are so commonplace. Rarely does a day go by that we don't get a fraudulent phone call or find numerous "phishy" emails. There's a very simple reason why we all get so many fraudulent messages, and that is because social engineering works!
Social engineering attacks such as phishing are likely to succeed because human nature includes an "assumption of truth" that allows us to live in organized societies. Without an innate assumption of veracity in our interactions with other humans, all groups of people would quickly collapse into chaos.
Sadly, for every 99 of us who've learned not to trust that assumption of truth, there's still that one person who hasn't yet been inoculated to social engineering attacks. If you've ever thought to yourself, "How do these fraudsters make a living? Don't they all know we're savvy to these attacks yet?", the answer is attackers don't care if 99 out of 100 of us are immune to their attack, they're content to cast a wide net looking for that one weak target.
Social engineering attacks also result in tremendous impact. While computer systems have firewalls, anti-malware protections and many other technical controls, an attacker holding one user's valid username and password can cut right through those safeguards and access sensitive information and systems, whether it's an individual's personally identifiable information or a corporation's proprietary intellectual property.
Given social engineering's success rate and the high impact of an effective attack, there's little doubt why it's so popular. So it's not surprising that social engineering attacks appear to be on the rise for law firms. As organizations that perform significant communication via email and phone and are perceived to have corporate wealth, but are not necessarily large enough to have state-of-the-art protection systems, law firms make attractive targets for ransomware and similar attacks. Also, as the curators of sensitive client information, an attacker who breaches a law firm may harvest the specific information they're seeking on a single client, or even net sensitive data on multiple organizations while only putting forth the effort required to perpetrate a single breach.
Traditionally, social engineering attacks have been executed against law firms' core networking infrastructure. But, with the proliferation of smartphones, remote access, cloud computing and social/business networking, attacks now target individual employees. Once that compromise is complete, the attacker then seeks to pivot to firm computing resources.
Two of the most effective social engineering attacks are spear phishing and vishing. Spear phishing is simply a targeted email attack, wherein the fraudster attempts to send us a timely topic or reveal some insider knowledge, along with spoofing (impersonating) a valid company email address in an attempt to enhance perceived credibility.
Common scripts used by spear phishers include security patches, surveys, billing or payables actions, job opportunities, job applicants, and other seemingly timely or topical issues. The primary objective is to get the victim to click on a link to a malicious website, open a malicious attachment, or divulge user credentials.
Vishing is a phone-based phishing technique. Often used in conjunction with CallerID spoofing, vishing is annoyingly commonplace. While tried and true vishing scripts, such as impersonating Microsoft tech support, the Social Security Administration, the IRS, and other intimidating organizations, may be a bit overused by now, the latest and greatest vishing attacks use scripts that are tougher to spot, often exploiting the victim's own digital presence to lend perceived credibility to the call. Seemingly innocuous scripts, or calls to arms like these are among the current favorite choices of attackers:
"I'm from the customer service department at Acme Company, and I'm calling about your recent Yelp review…"
"Your (credit card, debit card, etc.) at Acme Company has been compromised…"
"Your account at Acme Bank is showing potentially fraudulent activity…"
Once they get the victim duped into the conversation, accepting an emailed "gift card" as a gesture from the nice customer service representative seems like a wonderful bit of manna from heaven; that is, until the victim opens the gift card attachment only to have their PC commandeered.
Obviously, the most important thing all firms can do to avoid becoming the next phishing victim is to remain ever vigilant. Stay on the lookout for key hallmarks of social engineering attacks, such as:
- Name dropping;
- Claims of authority;
- Compliments, flattery, or flirting;
- Promises of rewards; or
- Anything out of the ordinary.
Pay attention to the "From" field of inbound emails. Is it coming from exactly the correct email domain, not a lookalike with a swapped letter or an extra hyphen? Then click "Reply" and inspect the "To" field: is the reply going back to the same address the message professed to originate from? (Hint: if the "From" address and the reply "To" address aren't exactly the same, something phishy is going on.) The reverse does not hold, though; a spoofed message can carry perfectly matching addresses, so a match is not proof that a message is legitimate.
Additionally, technical controls can help prevent, or limit the impact of, a phishing attack. Have your IT department implement, and then test, prohibitions on email address spoofing (publishing SPF, DKIM and DMARC records for your own domain, and enforcing senders' DMARC policies on inbound mail) and filtering of malicious inbound attachments and links. Whenever possible, require multi-factor authentication for email access along with strong passwords, so that a harvested password alone is not enough to log in.
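The "From" versus reply "To" comparison above, plus a look at the gateway's SPF/DKIM/DMARC verdicts, can be automated for mail triage. The Python script below is an added example and is not from the original article or its author; the two sample messages, the acme-law.com domain and all addresses in them are constructed for illustration, and the Authentication-Results header is assumed to have been stamped by your own inbound gateway (an attacker can forge one that arrives from outside).

```python
"""Header checks for an inbound email: does Reply-To match From, is the
From domain exactly the expected one, and did SPF/DKIM/DMARC pass?
Added example; sample messages and domains below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real email): display name claims the firm's
# billing department, Reply-To points elsewhere, and authentication failed.
SAMPLE_PHISH = """\
From: "Acme Law Billing" <billing@acme-law.com>
Reply-To: billing.acme@example.net
To: partner@acme-law.com
Subject: Urgent: overdue invoice
Authentication-Results: mx.acme-law.com;
 spf=fail smtp.mailfrom=acme-law.com;
 dkim=none;
 dmarc=fail header.from=acme-law.com
Content-Type: text/plain

Please open the attached invoice today.
"""

# Constructed sample of a message that passes every check.
SAMPLE_CLEAN = """\
From: "Acme Law Billing" <billing@acme-law.com>
To: partner@acme-law.com
Subject: Monthly statement
Authentication-Results: mx.acme-law.com;
 spf=pass smtp.mailfrom=acme-law.com;
 dkim=pass header.d=acme-law.com;
 dmarc=pass header.from=acme-law.com
Content-Type: text/plain

Statement attached.
"""

# Picks "spf=pass", "dkim=fail", "dmarc=none" and the like out of the
# Authentication-Results header (RFC 8601 style).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain of a header address, ignoring the display name."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(hdr)):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def phish_indicators(raw: str, expected_domain: str) -> list:
    """Return a list of human-readable findings; empty means no indicator."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Exact domain match: catches lookalikes such as acme-1aw.com.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain != expected_domain.lower():
        findings.append(f"From domain {from_domain!r} is not {expected_domain!r}")

    # 2. Reply-To must be identical to From when it is present at all.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, from_addr = parseaddr(msg.get("From", ""))
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != from_addr.lower():
            findings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")

    # 3. Anything other than a clean pass from the gateway is suspicious.
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech} result is {result!r}, not 'pass'")
    return findings


if __name__ == "__main__":
    for name, raw in (("clean", SAMPLE_CLEAN), ("phish", SAMPLE_PHISH)):
        print(name, phish_indicators(raw, "acme-law.com") or ["no indicators"])
```

An empty result is not a clean bill of health: a message sent from a genuinely compromised account at a client firm passes all three checks, which is why the human hallmarks listed above still matter.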
For vishing, keep phones and messaging applications updated in a timely fashion. Disable scripting on mobile browsers and don't trust CallerID (though a recent letter by a coalition of state attorneys general spurring major phone carriers to action may finally help bring an end to the scourge of CallerID spoofing). Also, with new artificial intelligence aided applications, attackers can replicate known voices, so don't trust formerly reliable human-ear voice recognition, either; verify an unexpected request by calling the person back on a number you already have.
These tactics and strategies, incorporated as part of a comprehensive information security risk management program, can reduce both the likelihood of a successful phish and the impact of a successful phishing campaign.
David Trepp is the Partner in Charge of BPM LLP's Eugene office and specializes in IT assurance and information security assessment. He can be reached at [email protected].
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.