You, or someone you know, have invariably received a phishing email message. A phishing email can be a simple request for assistance by someone purporting to be your colleague or employee or another person or entity you trust. It is often sent on a summer Friday afternoon when the leadership who made the request is no longer available or at an odd hour (think 5:30 A.M. or 8:30 P.M.). The email commonly uses the style and/or logo of your firm’s standard emails, and begins a vague request for assistance, such as:
“Hey, I am stuck in a meeting but I need your assistance. Are you in the office right now and able to assist.”
For others, phishing emails come from a person pretending to be Dropbox or another recognized service and requesting that you download a resource or document. The goal of all these emails is the same–to get you to do something that benefits the fraudsters on the other end, such as sending them money [sometimes by installing ransomware on your computer] or giving up your login usernames, passwords and account numbers or your DOB, Social Security number. Phishing is also a common way that cyber criminals obtain access to company computer networks, including a law firm’s network, from which they launch a larger attack.
The Federal Trade Commission provides resources to help businesses –including attorneys–address cybersecurity, including the risks posed by phishing. Check out the FTC website here. Specific advice concerning phishing attacks can be found here and here. They include calling the sender or a colleague to verify the bona fides of the request, keeping computer security software updated and implementing email authentication technology.
In addition, Rob Kleeger, the Founder & Managing Director of Digital4nx Group, Ltd., a New Jersey-operated digital forensic investigation and national cybersecurity consulting and advisory boutique, recommends that businesses take several reasonable and cost-effective steps to begin to protect themselves from phishing emails and other cyber threats.
- Pay attention to the sender’s email address. Cyber criminals often mimic a legitimate business email address with only a character or two altered or omitted.
- Hover over hyperlinks. Hover the cursor over any links in an email-those not matching the text that appears when hovering over them raise a red flag. Additionally, using a URL shortening service to hide the true source and destination of the link also raises a red flag.
- Use complex and unique passwords. Use unique passwords for each account you own, with long character counts and a mix of upper and lower case letters and special characters. Using a password manager like LastPass, KeePass, Dashlane, and others is a good idea.
- Enable Two-Factor Authentication (2FA). While two-factor authentication (2FA) isn’t bullet-proof, it is an important line of defense against attackers who are trying to access your accounts after your credentials have already been compromised.
- Cyber Awareness Training. Proper training which makes cybersecurity “personal” establishes a “human firewall” and is the best method for personnel to embrace a cyber culture.
For lawyers, the ever present and growing concerns about phishing emails and all types of cyberattacks are serious. Indeed, as discussed in the first installment in this series, practitioners have an ethical duty to educate themselves about cybersecurity and take reasonable measures to protect against unauthorized access to private information. The next time you get a strange email requesting client information, remember these tips and proceed with caution.