Spear-Phishing a Serious Threat to Law Firms

Spear-phishing is a growing threat to the security of all law firms, no matter their size.

Over the last decade there have been many cyber-security threats to law firms. It is an ever evolving phenomenon, and law firms need to protect their and client data. Spear-phishing is the newest technique used increasingly by hackers.

This technique involves a hacker contacting the target individual via an email and impersonating a trusted person. The suspect email usually asks for confidential information or requests the target to download a Trojan file, thus infecting the entire network.

More tech may not be the solution

The problem with protecting against spear-phishing is that no matter how much money and time law firms spend on technical or software defenses and firewalls, they cannot stop these Trojan emails from getting through to employees and staff. Trojan emails are dangerous and hard to spot. Any employee or staff member can unintentionally open up the door to the law firm's network and invite hackers in to steal data. Law firms or every type and size are at risk. Recently, a three-lawyer law firm’s network and data in Philadelphia was compromised by spear-phishing hackers. Another law firm, one of the largest law firms in the world, was taken to its knees by hackers who breached its network firewalls and disabled the firm’s computer network for over a month, costing the firm millions of dollars and a blackened reputation.

One of the ways that hackers make money off of these scams is to convincingly pretend to be a partner or supervisor who is requesting money to be wired to a specific account. Another way is to hold the law firm’s data and confidential client data hostage. The hackers will not release the network until and unless a large ransom is paid, usually in untraceable cryptocurrency.

Learn to spot Trojan emails

In most instances Trojan emails are very similar to trusted email address, only differing by one digit. These emails are especially difficult to spot for busy professional responding to dozens or even hundreds of emails a day. Other times, the hackers have compromised the email servers and are monitoring the conversations, the emails going back and forth. When this happens, the hackers can take control and send an email directly from the trusted person’s account.

Cases where the hackers are attempting to convince someone to wire money to a strange, international account are harder to stop. Security experts say that a policy should be in place that all requests to wire money should be verbally confirmed by with all parties using known, valid phone numbers and known contacts. This is an example of why the best way to stop spear-phishing attempts is not by expensive technology upgrades, but by having human policies and protocols in place such as verbally confirming any major transaction. Another way to stop these scams is to have comprehensive and periodic training for employees of all levels to spot these Trojan emails. If there is a human shield against this technique in place from the very top of the firm to the mailroom employees, then firms can be seriously protected against spear-phishing.

Not only should all employees and partners of the firm be trained on spotting fake emails, but also be trained on safe browsing habits. There are thousands of phony websites that, when clicked on, could install malware onto your network, thus exposing email servers and confidential client data.

The most important thing to do, however, is first believe and understand that this is a real threat to your law firm, no matter what type of law you practice and no matter how big your firm is. Every firm should create a culture of safety and defense. As is often the case, this culture must come from the very top, the leaders of the firm must meet these threats head-on. The leaders of the firm must have a thorough and technical understanding of the threats and the way to defeat them. Do not just rely upon your cyber security experts or employees. Being a hands-on leader against these threats is the surest way to stop them.