Law firms are not immune to cybercrime, fraud and deepfakes. In fact security experts advise that they are a favourite target for cyber criminals due to the amount of data held.
The risk of theft by fraudulent ‘phishing’ emails remains an ever-present threat. Phishing is still the most common type of cyber breach or attack reported by organisations; see the UK Government’s Cyber Security Breaches Survey 2024.
Just as the ‘Friday afternoon fraud’ is a recognised risk, busy times of year and holiday seasons are also danger periods. The run-up to the end of the year is a case in point: with practitioners navigating December deadlines and Christmas preparations, it is a time to remain on high alert.
This area of risk was last highlighted in the Journal in early 2023 as part of Cyber Scotland Week (see The red flags to watch for in phishing emails). It is time to revisit it and look at the various ways a firm can be targeted. Phishing is just one method of exploiting the way we communicate to obtain funds illegally. These methods can be broadly divided into four categories:
Phishing
By now, most of us are familiar with the concept of phishing: fake emails purporting to be from a client, colleague or a reputable business. The email will tell the recipient that they need to do something and will generally carry a malicious attachment or link. The attachment may install malware that damages or encrypts the firm’s systems or gives the attacker remote access; the link will typically lead to a fake login page that harvests the recipient’s username and password, which the attacker then uses to read the mailbox or send further emails in the victim’s name.
Smishing
This is the term now used for scam text messages. The classic example from day-to-day life is a text saying that your parcel couldn’t be delivered and asking you to click on a link to re-arrange delivery. Look out for these appearing on company-issued mobiles as well as on your personal device.
Quishing
This relates to fake QR codes, which can be stuck over genuine ones, for example on a parking meter. Scanning the code takes the unwitting user to a fake website where, of course, they are directed to enter payment details. Most phone cameras show the web address a code points to before opening it; check that the address matches the organisation you expect before going any further.
Vishing
Extremely relevant in the workplace, vishing describes fraudulent phone calls and (a more recent development) video calls. For example, a busy solicitor may get a call allegedly from IT support, advising them that they must do an update on their laptop immediately. Or the trainee may pick up the phone to someone posing as the managing partner who has lost their phone and needs them to arrange an urgent bank transfer.
Fraudulent video calls are now a concern, thanks to the murky world of AI deepfakes. In simple terms, a deepfake is synthetic audio or video that shows a known individual appearing to say or do something that they did not. In the context of the work of a law firm, a deepfake may impersonate a senior colleague, a client or a third party in order to elicit a payment from the firm. The defence is the same as for any unexpected request to move money: end the call and ring the person back on a number the firm already holds.
There is no doubt that we must now be on high alert for all these methods of fraud. As phishing is still the most prevalent method used, here is a useful acronym to remember the red flags:
SLAM!
This stands for Sender, Links, Attachments, Message. Taking each one in turn:
Sender
- Unknown senders: who is this email from? Is the sender unfamiliar? Be wary of emails from unfamiliar sources. Even if you recognise the sender, verify the email using another source.
- Spoofed email addresses: does the email address look slightly odd? Check for spelling mistakes or additional letters, numbers or symbols. Look at the actual address, not just the display name; a message can show a familiar name while coming from an unrelated address. Remember too that phishing emails are now highly sophisticated and the address may look correct, either because a look-alike domain has been registered or because a genuine account has been compromised.
- Large recipient or cc list: if the email was sent to many recipients, this could be an indicator of phishing, especially if you can see the other email addresses. Threat actors will often send emails to multiple recipients, hoping that at least one will be compelled to act, and they are unlikely to have the same regard for data protection as genuine senders!
Links
- URL inspection: if in doubt, DO NOT CLICK! Hover over any URL to reveal the real address (on a phone, press and hold the link rather than tapping it). The visible text of a link can show one address while the link itself points to another. You may find that the real address contains spelling mistakes or additional letters, numbers or symbols, or that a familiar name appears only as part of a longer, unfamiliar domain.
Attachments
- Unexpected attachments: do not open or download attachments from unknown or unexpected senders.
- File types: be particularly careful with attachments that can run code: executables and scripts (for example .exe, .js, .vbs, .lnk), macro-enabled Office documents (.docm, .xlsm) and archives such as .zip or .iso, which are often used to smuggle those files past email filters. A double extension such as invoice.pdf.exe is a classic disguise.
- Verify: if you know the identity of the sender but you were not expecting to receive an attachment from them, contact them in another way (don’t send a reply to the same email).
Message
- Greetings: is the greeting oddly generic (“Dear customer”, “Attention account holder”)?
- Poor spelling and grammar: these may not necessarily be present in a phishing email but they are still a red flag to watch out for.
- Sense of urgency and threatening language: are you being asked to do something immediately? Does the message warn of dire consequences for not acting on it? Threat actors will try to elicit panic in the recipient. Check with an outside source if you are worried.
- Current events: threat actors like to take advantage of current topics. They may leverage awareness of a recent publicised security breach to play on the recipient’s concerns.
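The Sender, Links and Attachments parts of SLAM can be automated as a first pass over a suspicious message before a person applies the Message check. The Python script below is an added example, not code from the article or from Lockton: the trusted domain example-law.com, the risky extension list, the look-alike character table and the sample message are all constructed for the demo. It goes slightly beyond the list above by also catching a trusted name used as a subdomain of an attacker’s host (example-law.com.secure-pay.test) and a double extension on an attachment.

```python
"""SLAM-style triage of an email: the Sender, Links and Attachments checks.
Added example, not the article's code; domain list, extensions and sample are assumptions."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-law.com"}      # assumption: the firm's own domain(s)
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".zip", ".docm", ".xlsm"}
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
_ANCHOR = re.compile(r'<a\b[^>]*?href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Last two labels of a host. Crude: production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return None
    folded = reg
    for fake, real in HOMOGLYPHS:                        # examp1e-law.com -> example-law.com
        folded = folded.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if (folded == trusted
                or edit_distance(reg, trusted) <= 2        # exampel-law.com
                or domain.startswith(trusted + ".")):      # example-law.com.secure-pay.test
            return trusted
    return None

def check_sender(msg):
    """Sender: the real From address (not the display name) uses a domain imitating ours."""
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")
    return findings

def check_links(html):
    """Links: visible text that shows one site while the href goes elsewhere, and look-alike hosts."""
    findings = []
    for href, text in _ANCHOR.findall(html):             # regex is enough for the demo, not real mail
        host = urlparse(href).hostname or ""
        text = re.sub(r"<[^>]+>", "", text).strip()
        if _LOOKS_LIKE_URL.fullmatch(text):              # only compare when the text is itself a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link shows {shown} but goes to {host}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")
    return findings

def check_attachments(msg):
    """Attachments: executable, script, archive or macro-enabled types, and double extensions."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            note = f"attachment {name} has risky type {suffixes[-1]}"
            if len(suffixes) > 1:                        # Invoice.pdf.exe
                note += f" disguised as {suffixes[-2]}"
            findings.append(note)
    return findings

def triage(msg):
    """Run the machine-checkable parts of SLAM; the Message check is left to the human reader."""
    findings = check_sender(msg)
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        findings += check_links(html.get_content())
    return findings + check_attachments(msg)

def build_sample():
    """Constructed lure for the demo (not a real email)."""
    msg = EmailMessage()
    msg["From"] = '"Managing Partner" <partner@examp1e-law.com>'
    msg["To"] = "trainee@example-law.com"
    msg["Subject"] = "URGENT: transfer before 5pm"
    msg.set_content("Please action the attached invoice today.")
    msg.add_alternative('<p>Dear customer, pay via <a href="http://example-law.com.secure-pay.test/login">'
                        'https://example-law.com/portal</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.exe")
    return msg
```

Calling triage(build_sample()) returns four findings: the look-alike sender domain, the link whose text shows example-law.com but which goes to example-law.com.secure-pay.test, that host’s use of the trusted name as a subdomain, and the .exe disguised as a .pdf. The Message check (generic greeting, urgency, current events) is deliberately left to the reader; it is the part a filter gets wrong most often. A production version would use an HTML parser rather than a regular expression for the link extraction and the Public Suffix List rather than "last two labels" when deciding what the registered domain is.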
How to Avoid Phishing Attacks
It’s important for firms to employ a mix of technology-based defences, workforce education and robust policies and procedures to detect and defeat phishing attacks.
Security is key.
If you are unsure of the protections you have in place, or if you know your firm’s security needs an upgrade, the Law Society of Scotland’s Guide to cybersecurity is a good place to start. It contains more in-depth information on current cyber threats and advice on how to prepare for and respond to a cyber attack. The Law Society has also curated trusted partners in the cyber security world to whom you can turn for more tailored advice.
People power
Any cyber security specialist will tell you that people are the last line of defence against phishing and similar attacks. Training is vital. All staff need to know how to be vigilant and what to do if they think an email or other communication is fraudulent. If you have not already done so, put a specific training programme in place covering phishing and other cyber threats. Consider running regular phishing simulations in which staff are deliberately sent a mock fraudulent email; the results show how many employees click a link or open an attachment and identify where further training is needed.
On this note, look out for Lockton’s new phishing online training modules, which will be released on our website soon. These are freely available to the Scottish legal profession and will provide 30 minutes of CPD for each module.
Make sure that all staff know the importance of reporting a suspected phishing email, and how to report it. There should be a clear pathway for employees to alert your IT support, who can then take the appropriate action, including blocking malicious senders. Staff should also be encouraged to report when they have already clicked a link or entered a password: a prompt report lets IT reset the credentials and contain the incident before it spreads.
Cyber insurance
Subject to its terms and conditions, the Master Policy itself will typically respond to any situation involving loss of client account funds that were in the control of the law firm, regardless of whether that loss has been caused by a cyberattack or fraud.
However, there are situations where a cyber incident will lead to first party costs and, generally, these will not be covered under the Master Policy. Examples include where there is a data breach event or a ransomware attack. In these circumstances, a well-written cyber policy can help to protect a firm when an incident occurs. Firms interested in learning more about the protection offered by a cyber insurance policy can approach Lockton, or their own insurance brokers, for more information.
So, as we enter a new year, the message is to stay vigilant and don’t unwrap any unwanted belated gifts that may appear in your inbox.
Article written by Lockton as part of their Journal and Law Society partnership