A Lawyer's Email Account Was Compromised—And I Fell for a Phishing Scam
A lawyer at the firm of Barley Snyder had their email account compromised and used to send phishing messages, a problem that is becoming all too common in the legal industry.
January 09, 2020 at 02:58 PM
Late Wednesday afternoon I received an email from a lawyer at the firm of Barley Snyder who I have never met or spoken to before. The subject line was "Secure Encrypted Message." I'm not sure how much any of you know about reporters, but we like secure encrypted messages. It's sort of the sexier version of "please find the enclosed 42-page legal analytics survey." So I clicked.
No more than 33 minutes later I received a blanket message from an IT help desk technician at Barley Snyder alerting both myself and presumably several others that my new lawyer friend's email account had been "compromised." As those of you playing along at home have probably guessed by now, there was no "secure encrypted message."
"If you clicked on the link and entered any credentials, we advise that you change your password as your account is probably compromised now, too. If you replied to the email to ask if it was legitimate, you likely received a response from the hacker, so please disregard that as well," read the email from Barley Snyder's IT technician.
When one writes about legal technology for a living, the list of occupational hazards occupies a small corner between "small" and "virtually non-existent." I always thought I'd go down leading the last of the human resistance against sentient contract AI, but no: I was going to die of embarrassment.
It's not as if I'd be alone. Stories like mine are becoming more common as more hackers realize that impersonating a lawyer has its perks. Last May, Legal Week reported on a scam involving two phony DLA Piper email addresses used in an attempt to persuade an entity to transfer funds into a fraudulent bank account.
Law firms also appear to be struggling to keep unauthorized intruders out of their systems in general. In fall 2019, Law.com leveraged public records requests to identify "more than 100 law firms that have reported data breaches to authorities across 14 states since 2014."
In the case of what happened at Barley Snyder, no client data appears to have been compromised.
"On Wednesday, we identified a recent data breach attempt on one of our internal email accounts, and a phishing email scheme was inadvertently sent to several company contacts," said George C. Werner, partner and firm counsel at Barley Snyder. "First and foremost, we can assure everyone that after our thorough investigation, we are confident that no firm or client information has been compromised in this attack."
Early Wednesday night I sent both the initial phishing email and Barley Snyder's alert to Gulam Zade, CEO of the legal IT consulting firm Logicforce. He's seen this type of thing before—in fact, it's become more common among law firms and other corporate businesses ever since hackers realized that's where the real money lives.
"You don't have to be a moron to fall for one of these things, right? Educated, smart people are falling for it," Zade said.
The proof is in the pudding. While neither Zade nor myself have any inside knowledge about the incident beyond Werner's statement, he suspects that the lawyer whose account was hijacked may have previously fallen victim to a phishing scheme.
Here's how it typically works: A target receives a phishing email that asks them to enter their email address and password under the guise of legitimate purposes—maybe retrieving a "secure encrypted message"—which then allows a hacker to surreptitiously gain access to their account plus any valuable information stored inside.
From there, the scheme repeats itself. Hackers raid an account's contact list and start chumming the waters for new usernames and passwords to add to their collection. But surely—surely—you would notice if an outside party was sending or receiving emails from your own mailbox, right? Not necessarily.
"[Hackers] have gotten smarter, so they will send the emails and then make them auto-delete out of the sent folder, and so you can't even see what they've sent," Zade said.
The resourcefulness of the modern hacker apparently knows no bounds. When I clicked on the link proffered by the stolen Barley Snyder account, for example, it took me to a page made to resemble a file-sharing site. From there, a prompt to enter my credentials brought up a page with a Microsoft logo and a box for my email address and password. Fortunately this is where a healthy fear of the unknown intervened and I promptly exited stage left.
According to Zade, hackers aren't above doing a little window dressing, so it's generally a good idea to double check the web address at the top of the page to make sure any familiar insignias aren't just smoke and mirrors. However, if law firms or other businesses really want to nip this kind of thing in the bud, two-factor authentication protocols are generally the way to go.
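An added example, not part of the original article: a small Python check of the kind Zade describes, comparing the address of a page that asks for a password against the sign-in hosts you expect, whatever logo the page shows. The trusted-host list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts where a Microsoft account sign-in form is expected.
# Replace with the identity provider your organization actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def check_login_url(url):
    """Return (ok, reason) for the address of a page asking for a password."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://trusted-name@other-host/ the browser goes to other-host.
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host (possible lookalike characters)"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "exact match with a trusted sign-in host"
    if any(trusted in host for trusted in TRUSTED_LOGIN_HOSTS):
        # A familiar name used as a prefix of somebody else's domain.
        return False, "trusted name embedded in an unrelated host"
    return False, "host is not a trusted sign-in host"


# Constructed sample addresses; example.net is a reserved documentation domain.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.files.example.net/signin",
    "https://login.live.com@files.example.net/signin",
    "https://files.example.net/microsoft/login",
    "http://login.live.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print("OK    " if ok else "REJECT", sample, "->", reason)
```

Only an exact host match passes; a familiar name appearing anywhere else in the address is treated as a warning sign rather than reassurance.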
Once the damage is done, it's done, and Zade isn't sure what else Barley Snyder could have done outside of the warning email the firm sent. But if it's any comfort, this particular class of email scheme may be approaching its expiration date.
"This stuff is going to go away soon enough, at some point, because it's just going to become like a Nigerian prince thing where everyone is going to know about it," Zade said.
For the record, I have never once given money to a Nigerian prince.
© 2024 ALM Global, LLC, All Rights Reserved.