Phishing schemes have been a threat for years. But the COVID-19 pandemic seems to have intensified the risk, with criminals applying new twists on their approaches. Among other developments, law firms are increasingly targeted, due to their wealth of confidential information and the high value that firms place on their reputations.
Of course, reputational damage is not the only cost. According to the IBM Security 2020 Cost of a Data Breach Report, breaches initiated through phishing schemes had an average total cost of more than $4.25 million per incident.
Related Read: Law Firms are Prime Targets for Hackers — Do You Have a Cybersecurity Plan?
Phishing 101
Phishing generally refers to fraudulent schemes by which cybercriminals fool victims into providing personal information (including login credentials) or clicking on links that infect computers with malware and viruses in order to swipe such information. Numerous variations exist and more are emerging on a regular basis.
For example, someone on your staff might receive an email with a link to a spoof of a legitimate document-sharing site, such as Dropbox or Office 365. Once the culprits obtain that person’s login information, they will have access to all of the information stored there.
In another instance, cybercriminals may plant ransomware in an email attachment so that they can steal data after the recipient clicks on the attachment. They will then hold the data hostage until the firm pays a ransom. The criminals might leak some confidential client information just to show that they are serious.
Cyberattack methods are evolving constantly. Hackers are now using social media to execute their schemes, posting links to phony websites that capture information they can leverage against you or your clients.
How to combat phishing
The most important step to mitigate the risk of phishing is to provide training to all staff, including every attorney. Training should include testing to demonstrate to employees how easy it is to fall prey to the schemes. Numerous free simulations that use examples of actual phishing schemes are available online.
Training should cover the red flags of phishing schemes. For example, the messages usually have a sense of urgency, such as a subject line that says, “Are you available right now?” Other examples of subject lines that are used to lure in victims include references to upcoming meeting agendas, job applications (or resume attachments), payroll and password verifications. Still, others may reference important messages from HR regarding a vacation or COVID-19 policies.
In addition, phishing messages frequently are scattered with poor grammar and misspelled words. They may use numbers and special characters that look like letters to dodge anti-phishing software. They include URLs that are close to the real address but not quite correct. They also often contain several different fonts.
Additional security measures
You should also look into password managers. A stunning number of people still use passwords like 1234 and PASSWORD. Password managers generate much more complex passwords and store them for users.
Two-factor authentication, while a bit of a hassle, is also advisable. And be sure to implement hardware and software updates on a timely basis. In addition, firms should stop using programs that are no longer supported by their makers, such as Windows 7, MS Office 2010 and various versions of Adobe Acrobat.
Stay alert
Hackers are only growing more sophisticated as time goes by. You owe it to your clients and yourself to stay up to date on the latest schemes and take the necessary actions to secure your systems.
Related Read: Lawyers’ Professional Obligations in Regard to Legal Technology
For more information, contact Sharon Alexander-Jenkins at 312.670.7444. Visit ORBA.com to learn more about our Law Firm Group.