According to the FBI, phishing was the most common type of cybercrime in 2020—and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019, to 241,324 incidents in 2020.
And, while businesses across industries are vulnerable, law firms are especially lucrative targets. They handle an incredible amount of sensitive information, from medical and financial data to merger and acquisition (M&A) data.
Spear phishing is a problem law firms have to tackle to avoid the devastating consequences of successful attacks, such as a damaged reputation, lost client trust, and regulatory penalties. But, worryingly, the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails.
So what can you do? We break down four tactics employed by hackers, and offer tips on how to protect your firm.
1. Hackers are leveraging publicly available information
Spear phishing attacks are sophisticated impersonation attempts. Of course, the more believable the impersonation, the more successful the attack.
To avoid raising any red flags and boost their chances of success, hackers do their homework by gathering publicly available information about a firm, its employees, and counterparties. LinkedIn, OOO messages, and even a firm’s own website make it easy, especially given the fact that any lawyer regulated by the SRA must legally ensure their contact details are publicly available online.
With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. By the time these law firms realized they’d been successfully attacked, it was too late.
Learn more about how hackers leverage social media for business email compromise (BEC) in our latest research report: How to Hack a Human.
What can you do?
Make sure employees understand how the information they share can be used against them, and implement strict approval processes for wire transfers.
2. Hackers choose their targets carefully
While every attack is different, some specific departments and individuals are targeted more frequently than others.
Let’s start with new joiners. They’re fresh into the firm, may not be familiar with internal structure or policies, and are keen to prove themselves. But this could be their – and your firm’s – downfall. One firm, for example, experienced an unfortunate incident whereby a new Finance Manager – just two months into the job – was fooled into transferring £60,000 to an impersonated supplier.
But it’s not just new joiners that you need to be wary of. Leavers, too, pose a threat. A quick update on LinkedIn tells opportunist criminals that a person is switching firms. All they have to do is create a freemail account, impersonate the leaver, and request credentials/documents or request to change their bank details.
What can you do?
For new starters, make security awareness training a priority and include it as a part of onboarding. For leavers, create foolproof off-boarding processes and systems to verify the identity of freemail contacts.
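One way to put the “verify the identity of freemail contacts” advice into a mail-flow check, as an added example that is not part of the original post or any vendor product: it flags a message whose sender name matches a current or recently departed member of staff but arrives from a freemail domain, and holds it for verification when the text asks for credentials, documents or a change of bank details. The firm domain, staff directory and risk phrases are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the firm's own domain, a small staff
# directory (name -> status) and phrases that mark a risky request.
FIRM_DOMAIN = "example-law.test"
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
STAFF = {"jane doe": "current", "sam patel": "leaver"}
RISK_PHRASES = ("bank details", "account details", "password", "login", "send the documents")


def _normalise(text):
    """Lower-case, drop punctuation and digits, collapse spaces: 'Sam.Patel1' -> 'sam patel'."""
    return " ".join(re.sub(r"[^a-z]+", " ", text.lower()).split())


def sender_name(display, local_part):
    """Use the display name; fall back to the local part when there is none ('sam.patel@...')."""
    return _normalise(display) if display.strip() else _normalise(local_part)


def classify(from_header, subject="", body=""):
    """Return (verdict, reason) for one message.

    'ok'     - internal sender, or external sender with no staff-name match
    'verify' - freemail sender whose name matches someone in the directory
    'hold'   - as above, and the message also asks for credentials,
               documents or a change of bank details (the leaver pattern)
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain == FIRM_DOMAIN:
        return ("ok", "internal sender")
    name = sender_name(display, local)
    status = STAFF.get(name)
    if status is None or domain not in FREEMAIL_DOMAINS:
        return ("ok", "external sender, no staff name match")
    text = (subject + " " + body).lower()
    asks = [p for p in RISK_PHRASES if p in text]
    if asks:
        return ("hold", f"freemail sender matches {status} staff '{name}' and requests: {', '.join(asks)}")
    return ("verify", f"freemail sender matches {status} staff '{name}'")


if __name__ == "__main__":
    # Constructed message in the shape the post describes: a leaver's name on a freemail account.
    print(classify("Sam Patel <sam.patel@gmail.com>", "Quick one",
                   "Could you update my bank details to my new account before payroll?"))
```

A real deployment would read the directory from HR/identity systems and keep leavers on the list for some months after departure, since that is when the impersonation window is open.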
3. Hackers will build rapport
Oftentimes, bad actors will start emails with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment, or payload included; they sail through a firm’s legacy defenses and SEGs, and don’t immediately appear suspicious to the target. In one particular incident, an email was sent to a law firm, supposedly from the ‘Managing Partner’, asking recipients to meet him at the local shop – you’d be surprised how many lawyers actually waited outside a nearby shop!
The reason for this technique? It allows them to identify weak spots and deliver the real attack email a few weeks later. Alternatively, if criminals find that they don’t get a bite from the initial bait email, they will likely move on.
What can you do?
Show employees a range of spear phishing examples and explain what social engineering is (and why it’s so effective).