Having experienced first-hand the problems law firms are currently facing, Cai Thomas, cyber security consultant at Tessian, shares his insight and (anonymised) client anecdotes about phishing threats.
Phishing is now the most common cyber attack affecting the legal sector. Last year, nearly 80% of law firms reported phishing attempts and, according to Osterman Research, the number of mass phishing attempts getting through to end users increased by 25% while spear phishing attempts rose by 26%.
Sadly, hackers are also getting more successful in their attempts; the amount of money stolen from law firms as a result of phishing scams, in the first quarter of 2017, was 300% higher than the year before. The simple fact is that law firms are a lucrative target for spear-phishing attacks because they hold many confidential secrets and deal with large financial transactions.
It’s a problem that law firms have to tackle, else face the devastating consequences that phishing scams can have to highly sensitive client data and the firm’s reputation. However, worryingly the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails.
So what do you need to look out for? What are the techniques hackers are using to try and trick employees in their spear-phishing attacks? Here are the most recent trends:
#1: Leveraging the LinkedIn treasure trove
Simply put, spear-phishing attacks are more sophisticated impersonation attempts, whereby an attacker skillfully leverages social engineering techniques to manipulate the targeted individual.
To do this successfully, criminals gather publicly available information about a firm’s business in order to masquerade as a reputable employee or counter-party. Today, there is so much valuable data for criminals to easily access online – from your LinkedIn career updates to employee details on company websites. In the case of law firms, savvy criminals have also realised that any lawyer regulated by the SRA must legally ensure their contact details are publicly available online.
With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. And by the time these law firms realised they’d been successfully attacked, it was too late.
#2: Identifying prime targets
New joiners are an attacker’s ideal prey; fresh into the firm; they have the energy to act upon request and prove themselves. But this could be their, and your firm’s, downfall. One firm, for example, experienced an unfortunate incident whereby a new Finance Manager – just two months into the job – was fooled into transferring £60,000 to an impersonated supplier. Security awareness training on these types of attack, therefore, must take place as soon as an individual joins the firm.
However, it’s not just new joiners that you need to be wary of. Leavers, too, pose a threat. A quick update on LinkedIn tells opportunist criminals of that person’s departure from a company, and we’ve seen that fraudsters are quick to piggyback this move – creating freemail impersonations of leavers to request credentials or documents or to change their bank details. In this case, staff should notify IT when a supposed leaver gets in contact to confirm the identity of the sender.
#3: Testing the waters
Another common technique is attackers masquerading as Managing Partners, starting emails with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment or payload included; they sail through a firm’s defences in order to start a conversation. In one particular incident, an email was sent to a law firm, supposedly from the ‘Managing Partner’, asking recipients to meet him at the local shop – you’d be surprised how many lawyers actually waited outside a corner shop!
The reason for this technique? If an attacker notices weak layers of defence by receiving many responses from a particular firm, it signals that it is a target worth pursuing. The attacker is, then, more likely to deliver the real fraudulent email a few weeks later. If criminals find that they don’t get a bite from the initial bait email, however, they will likely move on.
Another reason for this approach is that attackers tend to use the content within any bounce-backs and OOO emails to craft future impersonation attacks. Information such as the length of time a particular person is out of the office or the name of the person to contact in their absence helps an attacker build a legitimate impersonation attack, making the message seem more believable.
#4: Posing as a position of authority
In a number of cases, lawyers have been fooled by emails, supposedly from the High or Supreme Court, that includes a false link to a ‘new legal case’. All too often, hackers will impersonate positions of trust and authority to convince victims to fulfil their requests. The problem is that, with the continued development and ubiquitous deployment of new technologies, the way in which trust develops online has shifted. Without the typical behavioural cues available to us when we interact with someone in person, trust is more easily manipulated and the believability of a message or online persona increases.
Protecting your people
As you can see, with our ever-growing digital footprint, cybercriminals are using a number of impersonation techniques to deceive unwitting victims into transferring finances or handing over credentials. These are just some of the recent approaches; there are many more and firms need to be able to protect their people and, consequently, their data from all of them.
Solely relying on rule-based phishing solutions will certainly protect your firm from some of the weak-form phishing attacks and impersonation techniques attackers are using. Training, too, will arm staff with the knowledge they need to identify the cues that signal a potential threat.
However, it’s the strong-form impersonation and social engineering attacks, that are becoming more prevalent across the legal sector, that you need to worry most about. Attackers are only becoming smarter in their approaches to evolve the threat, bypass secure legacy email gateways and craft more convincing and persuasive messages. Law firms, therefore, need to find ways to help their people spot the good from the bad and think before they click, in order to protect their data and systems.