Hackers will always exploit a crisis. Opening or clicking on one link in a phishing email sent to your firm can have disastrous effects. It is not just email either: the lures arrive by phone call, text message, messaging app, and more. Learn how to identify the tell-tale signs of phishing, what you should do to minimize the threat, and how to make sure everyone in your firm keeps vigilance top of mind.
The COVID-19 pandemic has spurred an increase in phishing and swindles meant to prey on the fears of a vulnerable population. The attacks and scams have been perpetrated against businesses and individuals alike. It is important for lawyers and their teams in the office or working from home to understand the threats and know how to reduce exposure.
Most phishing and other exploits use social engineering to gain access to email accounts, networks, files, and sensitive information. The bad actors use techniques that instill fear (“your email account has been compromised”), make a too-good-to-be-true offer (“free Disneyworld tickets”), or borrow the trust of a known individual (“please review the attached document”).
CISA (the Cybersecurity & Infrastructure Security Agency of the Department of Homeland Security) has some simple guides that define the common threats and explain how to identify and reduce them.
- Phishing – using email to trick a recipient into downloading a file, entering login credentials, or submitting personally identifiable information, so that the victim hands over confidential data such as usernames, passwords, and financial details. These are usually sent in bulk to many people.
- Spear Phishing – targeted phishing emails to named individuals.
- Whaling – phishing for the “big fish” through targeted emails to high ranking executives.
- Vishing – voice phishing: phone calls or voicemails encouraging the recipient to return a call and divulge sensitive information. Caller ID on VoIP calls is easily spoofed, making the call appear to come from a reliable source.
- Smishing – SMS (text) messages attempting to get the recipient to visit a website, download a file or call a number.
These are but a few of the methods used to trick individuals into providing information useful to a hacker or bad actor, or to deliver and install dangerous software on a computer or network. Social engineering attempts via social media, messaging services like WhatsApp, faxes, and phone scams are also common. Here are some recent examples of many types of scams to look out for.
What Do They Want?
Many social engineering and phishing attempts try to get information (PII, usernames/passwords) to sell on the dark web. You can check to see if your email address has been harvested and sold at the venerable “Have I Been Pwned” website. Gathering personal information and login credentials one by one is time consuming, so many hackers will use social engineering to get a person to click on a file, download an executable, or visit a website that delivers malware or a virus that harvests corporate data and email addresses.
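Have I Been Pwned also publishes a Pwned Passwords lookup that a firm's tooling (or a password manager) can use to catch staff reusing an already-breached password, and it is worth seeing why that lookup is safe to run: the service never receives the password, only the first five hex characters of its SHA-1 hash, and the matching against the returned list of hash suffixes happens on your own machine (a "k-anonymity" query). The following Python script is an added example written for this article, not code from Have I Been Pwned; the API URL and the Add-Padding header are the real ones, while the sample response text and its counts are constructed for illustration.

```python
"""k-anonymity lookup against Have I Been Pwned's Pwned Passwords (added example).

Not code from the HIBP project. The API URL and Add-Padding header are real;
SAMPLE_RANGE below is constructed, not a real server response.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    A padded response (Add-Padding: true) contains filler entries with count 0
    so the response size does not leak how common the prefix is; drop those."""
    counts = {}
    for line in response_text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password, response_text):
    """How many times the password appears in the range response (0 = not seen)."""
    _, suffix = hash_parts(password)
    return parse_range(response_text).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (network). Only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA6...). The real response has several hundred lines.
SAMPLE_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
0123456789ABCDEF0123456789ABCDEF012:0
"""

if __name__ == "__main__":
    prefix, _ = hash_parts("password")
    # Offline: match against the constructed sample. Swap in fetch_range(prefix)
    # to query the live service.
    print(prefix, count_in_range("password", SAMPLE_RANGE))
```

A non-zero count means the password is known to attackers and should be changed, whether or not it was leaked from your firm; a zero means only that it is not in the corpus, not that it is strong. Because the prefix is shared by hundreds of unrelated hashes, the service cannot tell which one you were asking about.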
Another common motivation is to deliver ransomware. Early ransomware encrypted a firm's files and demanded a ransom, often paid in Bitcoin, to decrypt them. Ransomware has evolved (now also known as doxware or leakware): the attackers first copy the data out of the network, and the ransom demand is to keep it from being published on the open web, so even a firm with good backups can be extorted. There are notable examples of law firms being exploited through ransomware.
This recent story in ZDNet describes the anatomy of a ransomware attack, all from clicking on one phishing email.
Ways to Identify Phishing
The CISA Guidelines include the following tell-tale signs for identifying phishing emails:
- Suspicious sender’s address. The sender’s address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
- Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
- Spoofed hyperlinks and websites. Hover your cursor over any link in the body of the email; if the destination that appears does not match the link text, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
- Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
- Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
Additionally, cybercriminals exploit trusted services like DocuSign to send an email that encourages recipients to click a link to sign a document. If you are not expecting an email with a link, a document signature request, an attachment, or a request for information, contact the sender through a channel you already trust (a known phone number, not the contact details in the message) before taking any action.
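Several of the tell-tales above can be checked mechanically before anyone clicks. The following Python script is an added example written for this article, not part of the original text or of CISA's guidance: it parses a raw email and reports which indicators fire, covering the look-alike sender domain, a Reply-To that points somewhere other than the From domain, a failed SPF/DKIM/DMARC result in the Authentication-Results header, a generic greeting, urgency language, URL shorteners, and link text that does not match where the link actually goes. The trusted-domain list, the shortener list and SAMPLE_EMAIL are constructed for illustration.

```python
"""Check a raw email for the phishing tell-tales listed above (added example).

Not from the original article or from CISA. TRUSTED_DOMAINS, SHORTENERS and
SAMPLE_EMAIL are constructed for illustration.
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "docusign.com"}     # assumption: senders the firm knows
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumption: short list for the example
GENERIC_GREETING = re.compile(r"dear (valued )?customer|dear sir|sir/ma'?am", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|compromised)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # not a full HTML parser


def registrable(host):
    """Last two labels of a hostname (crude: right for .com/.net, wrong for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(host):
    """Return the trusted domain that `host` imitates, or None if trusted or unrelated."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # 'examp1ebank.com' (swapped character) and 'examplebank.com.secure-login.net'
        # (trusted name buried in a subdomain) both imitate 'examplebank.com'
        if trusted in host.lower() or difflib.SequenceMatcher(None, reg, trusted).ratio() >= 0.8:
            return trusted
    return None


def host_of(url):
    """Hostname of a URL, tolerating bare 'www.example.com/path' link text."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()


def analyze(raw):
    """Return (code, detail) findings for a raw RFC 5322 message; empty list = nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if from_dom and (hit := lookalike(from_dom)):
        findings.append(("lookalike_sender", f"{from_dom} resembles {hit}"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    # Authentication-Results is added by your own mail server, so it is harder to forge
    auth = str(msg["Authentication-Results"] or "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append(("auth_fail", auth.strip()))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = re.sub(r"<[^>]+>", " ", html)
    if m := GENERIC_GREETING.search(text):
        findings.append(("generic_greeting", m.group(0)))
    if m := URGENCY.search(str(msg["Subject"] or "") + " " + text):
        findings.append(("urgency", m.group(0)))
    for href, label in ANCHOR.findall(html):
        label = re.sub(r"<[^>]+>", "", label).strip()
        h = host_of(href)
        if registrable(h) in SHORTENERS:
            findings.append(("url_shortener", href))
        if hit := lookalike(h):
            findings.append(("lookalike_link", f"{h} imitates {hit}"))
        if LOOKS_LIKE_URL.match(label) and registrable(host_of(label)) != registrable(h):
            findings.append(("link_text_mismatch", f"text says {label}, link goes to {h}"))
    return findings


# Constructed sample: a credential-harvesting lure with most indicators present.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: support@mail-verify-center.net
To: partner@lawfirm.example
Subject: Urgent: your account has been compromised
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Valued Customer,</p>
<p>Your account will be suspended within 24 hours. Please
<a href="https://bit.ly/3xAmpLe">verify your account</a> or visit
<a href="http://examplebank.com.secure-login.net/verify">https://www.examplebank.com/login</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code:20} {detail}")
```

Run it on a saved .eml file by passing the file's contents to analyze(). Each finding on its own is a hint, not proof: legitimate newsletters use shorteners and generic greetings, and a marketing platform often sets a different Reply-To. Treat the output as a prompt to verify out of band, and note that the Authentication-Results check is only meaningful when your own mail server adds that header and you strip any copy a sender supplies.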
What About Your Smartphone?
While you are less likely to pick up a malware infection from a download on your smartphone, you can still easily be tricked into placing a phone call, tapping a link, or entering your credentials into a look-alike website. Mobile mail apps also hide much of what you would check on a desktop: the sender's full address is often collapsed to a display name, and a link's destination is not shown until you tap it (a long press will usually preview it). On your smartphone you may be less cautious and less likely to scrutinize an email, so pay extra attention on the small screen. If you have doubts about an email's legitimacy, wait and open it on your computer so you can check the full headers and mouse over links.
What Do I Do If I Click on a Phishing Email?
First, follow your firm's guidelines to contain the damage: disconnect the device from the network (unplug the cable or turn off Wi-Fi), scan it for viruses and malware, and change your passwords from a different, clean device, since a compromised machine may capture the new ones as you type them. Contact your IT consultant or in-house team immediately; they may also need to sign out active sessions and reset multi-factor tokens for the affected account. Your firm should develop an incident response plan so that everyone knows what steps to take, and knows that reporting a click quickly matters far more than the embarrassment of having clicked.
Protecting Yourself and Your Firm
There are some steps you can take beyond scrutinizing every email, text, or voicemail (which you will still need to do) to protect the firm’s data against phishing threats.
- Disable automatic downloads of images. Here are instructions for MS Outlook and for Gmail.
- Use spam and malware filters. If your firm uses an Exchange server to handle email (hosted or local) you can use Microsoft's security tools and/or add a third-party tool such as AppRiver, Zix or Barracuda at the email gateway to filter spam and suspect emails and quarantine files.
- Enable multi-factor authentication on everything you can. Authenticator apps or hardware security keys resist phishing better than SMS codes, which can be intercepted or talked out of a user.
- Add endpoint security (antivirus or endpoint detection and response) on every device that touches firm data, including home machines used for remote work.
- Use a corporate password manager so every account has a unique password and credentials can be changed quickly across the firm.
- Keep your systems and applications patched and updated. Common exploits include malware-laden PDF files and trojans that leverage operating system vulnerabilities.
- Use the principle of least privilege. A user without administrative rights on a machine can still run a malicious executable or PowerShell script, but the damage it can do is significantly reduced: it cannot install software system-wide, disable security tools, or spread with elevated permissions.
- Train your team! Awareness is key to reducing effective phishing attempts. Training and awareness resources are available through IT consultants, managed IT/security vendors, or for free through organizations like the SANS Institute with their “Tip of the Day” and “OUCH!” newsletters (and yes, SANS itself was recently breached through a phishing email – it can and does happen to even the most wary organizations).
- Do not think you are not a target because your firm is small. Everyone is a target. No one is immune.
- Use a service like KnowBe4 to send simulated phishing emails to your team to keep everyone on their toes.
The result of a successful phishing attempt or cybersecurity attack on your law firm could mean down time, data breach notification requirements, financial implications and more. Take the time to get the right protections, have a plan and keep security top of mind at your firm and in your personal life.