What is Phishing? What are the threats and how to best safeguard against it?
Written by Shrisha Sapkota
Blogger
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.[1] It is a form of cyber-attack that aims to exploit the naivety and/or gullibility of legitimate system users.[2] Across the web, phishing attacks have baited unsuspecting victims into handing over bank info, social security numbers, and more.[3] Phishing continues to be the weapon of choice for cyber attackers.[4] Attackers commonly use phishing emails to distribute malicious links or attachments that can perform a variety of functions; some extract login credentials or account information from victims.[5] The rise of phishing attacks poses a significant threat to organisations everywhere. All companies must know how to spot the most common phishing scams if they are to protect their corporate information.[6]
Phishing attacks are prevalent in all industries, and the legal profession is no different.[7]
Phishing emails typically try to lure the recipient into doing one of two things: a) handing over sensitive or valuable information; or b) downloading malware. There are several types of phishing, and each has the potential to wreak havoc on an organisation.[8] An attack can have devastating results. For individuals, this includes unauthorised purchases, the stealing of funds, or identity theft.[9] While every attack is different, some departments and individuals are targeted more frequently than others. According to the FBI, phishing was the most common type of cybercrime in 2020, and phishing incidents nearly doubled in frequency, from 114,702 incidents in 2019 to 241,324 incidents in 2020.[10]
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.[11]
How does phishing work?
Phishing attacks typically rely on social engineering techniques applied to email or other electronic communication methods, including direct messages sent over social networks and SMS text messages.[12] Phishers can use public sources of information, typically social networks like LinkedIn, Facebook and Twitter, to gather background information about the victim's personal and work history, interests and activities.[13] If you so much as click a link, you could be the scammer's next victim.[14] Successful credential-harvesting phishing attacks allow hackers to access data-dense services like Office 365, online banking, and practice management software. Stolen credentials lead to account takeover scenarios that result in further exploits, including network infiltration, database infiltration, and data exfiltration.[15]
Typically, a victim receives a message that appears to have been sent by a known contact or organisation. The attack is then carried out either through a malicious file attachment or through links connecting to malicious websites.[16] For example, the attacker may send an email disguised as the victim's internet provider, requesting bank account information for a billing problem. The recipient, believing that the email is legitimate, provides their bank account number to the attacker, who then uses that information for personal and financial gain.[17] Phishing emails can be targeted in several different ways: some are not targeted at all, some are "soft targeted" at someone playing a particular role in an organisation, and some are targeted at specific, high-value people.[18] LinkedIn, Facebook and Twitter are normally used to uncover information such as names, job titles and email addresses of potential victims. This information can then be used to craft a believable email.[19]
Sometimes these threats don't stop with just you. If a hacker gets into your email, contact list, or social media, they can spam people you know with phishing messages that appear to come from you.[20]
It's a problem that law firms have to tackle, or else face the devastating consequences that phishing scams can have on highly sensitive client data and the firm's reputation. Worryingly, however, the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails.[21] Thus, it is important for law firms to choose the right legal tech software with law firm security controls.
Coronavirus/COVID-19 phishing scams are the latest to weaponize fear for cyber theft: they bait people into paying to learn who is infected nearby, and the scam ends with the criminals taking off with the victim's credit card details.[22]
Types of phishing
Email phishing
Most phishing messages are delivered by email and are not personalised or targeted to a specific individual or company; this is termed "bulk" phishing.[23] In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.[24] The attacker understands that this approach is scattershot. However, that isn't of much consequence, since the attacker only needs one successful victim to gain a foothold. These scams target a wide audience with general bait.[25] Those emails use threats and a sense of urgency to scare users into doing what the attackers want.[26]
Domain spoofing is a popular way for an email phisher to mimic valid email addresses. These scams take a real company's domain (e.g. @america.com) and modify it. You might engage with an address like "@arneria.com" and fall victim to the scheme.[27] Most often, phishers trick victims into clicking a malicious URL and interacting with spoofed login pages. Microsoft is the most spoofed brand in the world because it is the hub for organisations to collaborate and exchange information. If a lawyer enters their Office 365 credentials on a spoofed login page, the username and password go directly to the hacker's server.[28]
Successful phishing messages are difficult to distinguish from real messages. Usually, they are represented as being from a well-known company, even including corporate logos and other collected identifying data.[29]
Lastly, links inside messages resemble their legitimate counterparts but typically have a misspelt domain name or extra subdomains. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.[30] Phishing is one of the main reasons why law software needs to have encryption.
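As an added example (not code from the original post or any of its cited sources), a small Python filter that applies the two look-alike checks described above, confusable characters such as "rn" for "m" and a trusted brand buried as a subdomain, to links found in an email. The trusted-domain list and the sample links are constructed for the example, and the registrable-domain logic is simplified to the last two labels.

```python
from urllib.parse import urlparse

# Constructed list of domains the firm expects links in email to point at.
TRUSTED_DOMAINS = {"america.com", "microsoft.com", "office.com"}

# Visually confusable sequences, applied to BOTH sides before comparing;
# "rn" -> "m" is what makes "arneria.com" read like "america.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so look-alike strings compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the typical typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str) -> tuple:
    """Classify a URL from an email body as trusted, brand-as-subdomain,
    lookalike or unknown; the second element names the domain matched."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    # Simplification: last two labels as the registrable domain (a production
    # filter would consult the Public Suffix List for suffixes like co.uk).
    registrable = ".".join(host.split(".")[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted", registrable
    for trusted in sorted(TRUSTED_DOMAINS):
        # login.microsoft.com.evil.example: the brand is only a subdomain prefix.
        if f".{trusted}." in f".{host}.":
            return "brand-as-subdomain", trusted
        # Homoglyph swaps and one-character typos both land within distance 1.
        if edit_distance(skeleton(registrable), skeleton(trusted)) <= 1:
            return "lookalike", trusted
    return "unknown", registrable


if __name__ == "__main__":
    for link in ("https://www.microsoft.com/", "http://arneria.com/verify",
                 "https://login.microsoft.com.evil.example/", "https://rnicrosoft.com/"):
        print(link, "->", assess_link(link))
```

Anything other than "trusted" is a candidate for rewriting the link, quarantining the message, or warning the recipient before the page opens.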
Spear phishing
With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. And by the time these law firms realised they’d been successfully attacked, it was too late.[43]
In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. They downloaded keyloggers onto the executives’ computers—and the scammers’ success rate was 10%, snagging almost 2,000 victims.[44]
The United Kingdom's National Cyber Security Centre (NCSC) learned of several instances where attackers followed up a whaling email with a phone call confirming the email request. This social engineering tactic helped to assuage the target's fears that there could be something suspicious afoot.[45] At their core, the common thread in examples of past successful whaling campaigns isn't too dissimilar from successful phishing campaigns: the messages are seemingly so urgent, so potentially disastrous, that the recipient feels compelled to act quickly, putting normal security hygiene practices by the wayside.[46]
Legal Sector Phishing
Law firms, with their legal software tools, can be targets for cyber hackers. They recognize that law firm servers can contain extremely valuable data, from bank and medical records to business trade secrets and even classified government documents. Hackers want access to this information, so they take great strides to get it.[47]
Last year, nearly 80% of law firms reported phishing attempts and, according to Osterman Research, the number of mass phishing attempts getting through to end users increased by 25% while spear-phishing attempts rose by 26%.[48] After cybercriminals infiltrate a law firm’s systems in a successful phishing or malware attack, they leverage breached information for financial gain.[49] Sadly, hackers are also getting more successful in their attempts; the amount of money stolen from legal tech as a result of phishing scams, in the first quarter of 2017, was 300% higher than the year before.[50]
According to one ABA article, small and midsize firms are even more desirable targets for hackers. They know that these smaller practices have budget limitations that may preclude them from implementing adequate infrastructure and staff training for the prevention of cyberattacks.[51]
How to prevent phishing?
Phishing is constantly evolving to adopt new forms and techniques. With that in mind, organisations must conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing's evolution.[52] Solely relying on rule-based phishing solutions will certainly protect your firm from some of the weak-form phishing attacks and impersonation techniques attackers are using. Training, too, will arm staff with the knowledge they need to identify the cues that signal a potential threat.[53] For the strong form of phishing attack, advanced legal solutions are required.
There is no one-size-fits-all solution. Legal tech software must tailor its defence mechanisms to the firm's unique business needs. To identify the areas requiring improvement, many firms start with a red team security assessment.[54]
For users, vigilance is key. Pausing, instead of taking immediate action, is an important step in protecting yourself; you still have to determine whether the message is legitimate or a scam.[55] A spoofed message often contains subtle mistakes that expose its true identity, such as spelling mistakes or changes to domain names, as seen in the earlier URL example.[56]
Rule-based tools for law firms can't detect or prevent the strong-form impersonation and social engineering attacks that are becoming more prevalent across the legal sector.[57] Enterprise mail servers should make use of at least one email authentication standard to confirm that inbound emails are verifiable.[58] Legal clouds should also be protected with encryption. Thus, it is important to choose the right legal tech software, with encryption, to prevent many issues regarding phishing and ensure that your data is protected from cyber attacks.
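To make "verifiable" concrete, here is an added example (not from the original post or its sources) of the alignment check a receiving mail server performs after SPF and DKIM have run: the authenticated domain must match the domain the recipient actually sees in the From header. The two messages and the Authentication-Results headers are constructed, and the organisational-domain logic is simplified to the last two labels.

```python
import re
from email import message_from_string

# Constructed sample messages. Both claim to come from billing@america.com; only
# the first carries an authentication result for a domain that matches that claim.
AUTHENTIC = """From: Billing <billing@america.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=america.com; dkim=pass header.d=america.com

Your invoice for this month is attached.
"""
SPOOFED = """From: Billing <billing@america.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.evil.example; dkim=fail header.d=evil.example

Your account expires in 24 hours. Log in now to keep access.
"""


def org_domain(domain: str) -> str:
    """Relaxed alignment compares organisational domains; simplified here to the
    last two labels (a real check would use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value: str) -> dict:
    """Map method -> (result, authenticated domain) from an Authentication-Results
    header; the first ';'-separated clause is the authserv-id and is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)\s*(?:[^\s=]+=([\w.-]+))?", clause)
        if m:
            results[m.group(1)] = (m.group(2), m.group(3))
    return results


def from_domain(msg) -> str:
    """Domain of the visible From header, the identity the reader trusts."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def is_aligned(raw: str) -> bool:
    """True when SPF or DKIM passed for a domain aligned with the visible From."""
    msg = message_from_string(raw)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    target = org_domain(from_domain(msg))
    for method in ("dkim", "spf"):
        result, ident = results.get(method, ("none", None))
        if result == "pass" and ident and org_domain(ident) == target:
            return True
    return False  # unauthenticated or misaligned: quarantine or flag for review


if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC), ("spoofed", SPOOFED)):
        print(name, "aligned:", is_aligned(raw))
```

A sender who controls a look-alike domain such as arneria.com will pass alignment for arneria.com, so this check complements look-alike detection rather than replacing it.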
References
[1] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[2] https://www.synopsys.com/glossary/what-is-phishing.html
[3] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[4] https://www.optiv.com/insights/discover/blog/22-ways-protect-yourself-against-phishing-attacks
[5] https://www.techtarget.com/searchsecurity/definition/phishing
[6] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[7] https://www.law.com/legaltechnews/2019/08/21/4-phishing-tactics-that-dupe-the-legal-profession/
[8] https://www.optiv.com/insights/discover/blog/22-ways-protect-yourself-against-phishing-attacks
[9] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[10] https://www.tessian.com/blog/why-law-firms-are-falling-for-phishing-attacks/
[11] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[12] https://www.techtarget.com/searchsecurity/definition/phishing
[13] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[14] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[15] https://www.natlawreview.com/article/how-law-firms-can-prevent-phishing-and-malware
[16] https://www.techtarget.com/searchsecurity/definition/phishing
[17] https://www.timesolv.com/blog/phishing-spear-phishing-and-whaling-protect-yourself-and-your-law-firm/
[18] https://www.csoonline.com/article/2117843/what-is-phishing-examples-types-and-techniques.html
[19] https://www.techtarget.com/searchsecurity/definition/phishing
[20] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[21] https://www.information-age.com/phishing-techniques-law-firms-123483410/
[22] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[23] https://en.wikipedia.org/wiki/Phishing
[24] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[25] https://www.synopsys.com/glossary/what-is-phishing.html
[26] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[27] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[28] https://www.natlawreview.com/article/how-law-firms-can-prevent-phishing-and-malware
[29] https://www.techtarget.com/searchsecurity/definition/phishing
[30] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[31] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[32] https://en.wikipedia.org/wiki/Phishing
[33] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[34] https://www.timesolv.com/blog/phishing-spear-phishing-and-whaling-protect-yourself-and-your-law-firm/
[35] https://www.csoonline.com/article/2117843/what-is-phishing-examples-types-and-techniques.html
[36] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[37] https://www.synopsys.com/glossary/what-is-phishing.html
[38] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[39] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[40] https://www.csoonline.com/article/2117843/what-is-phishing-examples-types-and-techniques.html
[41] https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it
[42] https://www.techtarget.com/searchsecurity/definition/phishing
[43] https://www.information-age.com/phishing-techniques-law-firms-123483410/
[44] https://www.csoonline.com/article/2117843/what-is-phishing-examples-types-and-techniques.html
[45] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[46] https://www.rapid7.com/fundamentals/whaling-phishing-attacks/
[47] https://www.timesolv.com/blog/phishing-spear-phishing-and-whaling-protect-yourself-and-your-law-firm/
[48] https://www.information-age.com/phishing-techniques-law-firms-123483410/
[49] https://www.natlawreview.com/article/how-law-firms-can-prevent-phishing-and-malware
[50] https://www.information-age.com/phishing-techniques-law-firms-123483410/
[51] https://www.timesolv.com/blog/phishing-spear-phishing-and-whaling-protect-yourself-and-your-law-firm/
[52] https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/
[53] https://www.information-age.com/phishing-techniques-law-firms-123483410/
[54] https://www.synopsys.com/glossary/what-is-phishing.html
[55] https://www.kaspersky.com/resource-center/preemptive-safety/phishing-prevention-tips
[56] https://www.imperva.com/learn/application-security/phishing-attack-scam/
[57] https://www.tessian.com/blog/why-law-firms-are-falling-for-phishing-attacks/
[58] https://www.techtarget.com/searchsecurity/definition/phishing