Going phishing
The Law Society of Scotland, in collaboration with Master Policy lead insurers RSA, brokers Lockton and cybersecurity specialists VYUS, is offering firms the chance to participate in a Scotland-wide cybersecurity awareness exercise. Firms will be contacted by the Society with a view to them signing up to the scheme, whereby highly convincing but fake emails will be sent to email addresses provided by the firm in an effort to remind staff of the importance of vigilance when using email.
What is phishing?
While email has become an indispensable feature of legal practice, it is also replete with risks for those who too readily click on a link or open an attachment. “Phishing” generally refers to any attempt by criminals to trick users into granting them access to protected computer systems or confidential information for nefarious ends. When private individuals are targeted by phishing it is generally to find out personal information such as their bank details, but attempts on institutions will have bigger aims than that.
The criminals will attempt to infiltrate or even gain control of the organisation’s systems. They may harvest data held by the organisation to sell on the black market, or lock users out of the system pending payment of a ransom. They may also gain access to individual users’ email accounts, enabling them to send emails in that user’s name or intercept incoming ones; a common aim is to issue false bank account details to a client or the other side of a transaction and make off with the money.
Phishers will not necessarily act immediately on having gained access to the firm’s systems, but may instead hide and wait for their moment. This inactivity can allow them to remain undiscovered in the system, even where the security breach has been identified.
Mark Gray, client director at Lockton, comments: “While the Master Policy does provide protection to the profession against claims arising from losses sustained by a firm’s client resulting from a cyber breach, it does not cover losses the firm itself may suffer from such a breach. These costs would generally be classed as ‘first party’ losses and include things such as breach event costs, cyber extortion and digital asset loss. Firms interested in learning more about the protection offered by a cyber insurance policy can approach the Master Policy brokers, Lockton, or their own insurance brokers for some more in-depth advice.”
What to look out for
Spelling and formatting errors used to be easy giveaways for a fake email, but fraudsters are becoming ever more sophisticated in their efforts to trick recipients into clicking on malicious links or opening attachments containing malware.
The emails will often be about an enticing topic, such as payslips or online shopping deliveries, to tempt the user into clicking. They may also be about more mundane topics but carry a sense of urgency, to pressure the recipient into acting quickly without thinking about the risks. What the most effective phishing emails have in common is that they look highly plausible, which makes them all the more difficult to spot.
Sender email addresses will be made to look convincing, for example a lookalike of a genuine address or a familiar name shown as the display name over an unrelated address, or the genuine sender account may itself already have been compromised through phishing. More sophisticated attackers may have been reading the sender’s correspondence for some time and learned to mimic their style of writing.
As there is no single sure way to spot a phishing attempt, staff should treat all email with a general level of caution. Hover the mouse over any link to reveal its real destination before clicking, and check the sender’s actual email address rather than just the name displayed; even a correct address is no guarantee that the email is genuine, for the reasons given above.
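The two checks just described, the real sender address behind the display name and the real destination behind a link, are exactly what a mail gateway or a quick triage script can automate. The following is an added example, written for this page rather than taken from the Society, VYUS or any other provider; the sample message, the domain names and the allow-list of “trusted” firm domains are all constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name borrows a trusted
# address, the actual sender is elsewhere, and one link's visible text does not
# match where it really points.
SAMPLE_EMAIL = """\
From: "accounts@example-solicitors.com" <accounts@mail-secure-update.net>
To: staff@example-solicitors.com
Subject: Updated bank details for settlement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm the new details here:
<a href="http://198.51.100.23/login">https://portal.example-solicitors.com/settlement</a></p>
<p>Our <a href="https://portal.example-solicitors.com/help">help page</a> has more information.</p>
</body></html>
"""

# Assumed allow-list of the firm's own domains (hypothetical).
TRUSTED_DOMAINS = {"example-solicitors.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL (scheme optional); empty string if none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def is_trusted(host):
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Findings for the From header: the visible name versus the real address."""
    findings = []
    display, addr = parseaddr(from_header)
    real_host = addr.rpartition("@")[2].lower()
    if not is_trusted(real_host):
        findings.append(("untrusted-sender", addr))
    # A display name that is itself an email address is a common trick.
    if "@" in display:
        shown_host = display.rpartition("@")[2].strip().lower()
        if shown_host != real_host:
            findings.append(("display-name-mismatch", f"{display} -> {addr}"))
    return findings


def check_links(html_body):
    """Findings for each anchor: where it says it goes versus where it goes."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        try:
            ipaddress.ip_address(target)
            findings.append(("ip-address-link", href))
        except ValueError:
            pass
        # If the visible text looks like a URL, it should point at the same host.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and shown != target:
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
        if not is_trusted(target):
            findings.append(("external-link", href))
    return findings


def analyse(raw_email):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return check_sender(msg.get("From", "")) + check_links(body)


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
```

Run against the constructed sample, the script reports the sender domain as untrusted, the display name as not matching the real address, and the first link as pointing at a bare IP address that differs from the URL shown in the link text; the genuine help-page link produces nothing. The allow-list check is deliberately crude (no handling of lookalike domains such as transposed letters), so a clean result is still only a reason to proceed with the ordinary caution described above, not proof that a message is genuine.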
Attachments are even harder to screen, but the same caution should be exercised. Is the email expected or does the message explaining the attachment make sense? Sending files around is an essential part of doing business, but we should all feel comfortable picking up the phone for a quick confirmation if anything looks unusual.
While the software to combat these attacks is becoming ever more sophisticated, staff are any organisation’s first line of defence against cyberattacks and there really is no software substitute for human vigilance.
Other security tips
The risks facing legal firms continue to evolve, so keeping staff up to date on cybersecurity risks through appropriate training is key. As well as informing participants of new or evolving risks and the latest avoidance strategies, regular training should serve to keep the importance of cybersecurity in the front of people’s minds when going about their day-to-day work.
Keeping the firm’s anti-virus and anti-spyware software up to date and running a properly configured firewall will also help to block phishing emails and the malware they carry, though no filter catches everything. Remember too that phones and tablets are just as susceptible as computers, so make sure that staff install operating system and app updates promptly, as these carry the latest security patches.
Using a different password for every service, and changing a password altogether when it is changed (rather than just “Dundee1” to “Dundee2” and so on), are easy steps to take and will reduce – though not eliminate – the chance of a hacker being able to exploit the firm’s systems. Two-factor authentication (whereby users verify their identity through a second method after their password, usually an authenticator app or a code sent to a mobile device) is also an effective tool; an authenticator app is preferable to a code sent by text message, which can be intercepted. It does, however, come with cost implications.
Firms should also maintain a policy, clearly communicated to clients at the outset of a transaction, that bank details will not be accepted by email without face-to-face or telephone verification, and that a change to them in the course of the transaction will not be accepted. Telephone verification should always be carried out using a number that is known to be correct and never one taken from the suspicious email itself.
Recognising the increasing threat to law firms, in 2020 the Society established a strategic partnership with cybersecurity firm Mitigo to help Scottish law firms with information, best practice and cyber risk management support services.
More details can be found on the Society’s website, including a helpline if you are under a cyberattack.
Phishing trip
Firms will shortly be contacted by the Society to invite them to participate in the exercise, which is being called “Phishing Trip”. It is absolutely free for all firms and there will be no implications for the Master Policy arising either from taking part or from the firm’s performance. Recipients’ email addresses will be provided by the firm itself, meaning the firm can decide which users should be included. For transparency, it is recommended that each firm makes its staff aware that it is participating.
The exercise will see a one-off, phishing-style email delivered to each employee email address submitted by the firm. Emails will come at different times and be in different highly-convincing formats, to mimic the nature of real phishing emails. They may contain a link, an attachment or both, and the external provider running the exercise will gather information as to how many users in each firm click on them or open them up.
Anyone who does fail the test will be taken to a learning page showing them exactly what they missed, the lessons they can learn and the steps they can take to protect themselves from a real phishing attack. The information on this learning page will also be made available to the firm in its report following the exercise and used for staff training. No information will be gathered about how individual users perform in the exercise.
Once the Phishing Trip is finished, firms will receive a detailed report of their own firm’s performance and of the broader profession’s, as well as advice to understand the key risks uncovered and recommendations for improving threat prevention and employee resilience.
How to participate
Firms will be contacted by the Society by email in the coming weeks and invited to sign up by 31 March, but can do so right now at www.lawscot.org.uk/phishing-trip.
Email addresses for recipients at a firm will be collected later, so there is no need to wait until those have been compiled before signing up. Further information about the process and contact details for queries can also be found at that link.
The Society hopes that as many firms as possible will agree to participate in the exercise and raise awareness of the phishing threats that legal firms across Scotland are facing.