How Law Firms Can Avoid Phishing Scams in 2022
Law firms’ greatest enemy is faceless and invisible. It makes malpractice claims and talent shortages look tame, and it can leave firms bankrupt in a matter of weeks.
The greatest threat to law firms? Email phishing scams.
Phishing in Plain English
“Phishing” is a type of fraud that’s carried out online via email, social media, or advertisement.
Offline, they occur via phone call or text message.
By impersonating trusted companies like Microsoft and IKEA, hackers use enticing or time-sensitive messages to compromise your information and steal from you or your business.
For example, messages like “You’re the lucky winner! Click now before your prize goes away!” and “Immediate action requested by the IRS” are classic hooks used to draw in unsuspecting victims.
Microsoft, DHL, and LinkedIn were the three most impersonated brands by hackers in 2020.
Look out for blatant misspellings, domain inconsistencies, and downright spamminess – these are obvious indicators of a phishing email (or of a coworker who doesn’t know how to spell).
You’ve probably received messages like that, and nine times out of ten, you were probably conscientious enough not to click on the link.
Watch Out, Law Firms: They’re Coming for You
But law firms now face a terrifying development: hackers are getting more and more sophisticated. In a highly lucrative field like law, extra effort on their part could lead to a gold mine.
Your gold mine that, if compromised, could spell financial ruin for your firm.
We’re not talking chump change.
Phishing ranks as the second most expensive cause of data breach.
According to IBM, phishing costs businesses an average of $4.65 million per breach.
Why is that number so high?
Partly due to the sensitive nature of the information meant to be stored safely in a law firm’s operating system.
From medical and financial figures to merger and acquisition data, unprepared firms are essentially sitting on a ticking time bomb.
The question for them isn’t if hackers will come along and steal their information; it’s when.
In 2020, 74% of American companies experienced a successful phishing attack.
Of course, finances aren’t the only thing you’ll need to worry about if your firm’s data is compromised. You might lose your good reputation, and you’ll probably lose client trust; you may even be subject to regulatory penalties and fines.
Hackers also take advantage of regulations in the legal industry.
They know that attorneys have to make certain information available to the public, including information about the firm and its employees. Hackers do their homework in private and strike when you least expect it.
Methods of Attack
Why do bad guys always wear hoods? And why do they always sit in the dark?
Some hackers are computer experts with a dark side. Most, however, are petty thieves with an intuitive streak. More knowledgeable hackers use more sophisticated phishing tactics.
For example, seasoned hackers often steal users’ information by getting them to click on a file that they’ve designed to infiltrate the computer system and clone itself as a legitimate computer process, gaining secret access to the user’s network.
But most phishing scams aren’t as complex. Less-experienced hackers use the following simpler methods to steal from victims:
Link Manipulation
Email phishing scams often include seemingly legitimate links to well-known websites like Facebook or Amazon, as well as messages asking you to click on the link in order to “retrieve” or “fix an issue” with your account.
Clicking on the link sends you to a malicious website, not the one you thought you were visiting.
Website Forgery
Website forgery is similar to link manipulation.
In this method, a hacker designs a webpage that looks identical to the real one, tricking users into entering personal or financial information that the hacker will then steal and use on the real site. This scam is common on e-commerce sites like Amazon.
Spear Phishing
This is worlds away from the spearfishing you did in Hawaii last summer. Unlike the more common approach of sending mass emails to unknown users, spear phishing is highly targeted.
Hackers research a much smaller number of targets in advance and send emails that they’ve personally tailored to the victim’s company, location, and even personal interests.
With spear phishing, hackers can target individuals or departments (e.g., the HR team).
Whaling
Whaling is similar to spear phishing but involves a much bigger fish.
Instead of targeting a lower-end department or team, hackers set their sights on the company’s “big fish” – the CEO, CFO, head of HR, or anyone else who makes big decisions and has a lot of influence.
Successful whaling relies on in-depth research, as the hacker will try to accurately impersonate their victim and convince employees to reveal sensitive information.
In this way, hackers can exploit the whale’s authority to keep employees from questioning their demands – and make a lot of money.
Whaling (also known as Business Email Compromise, or BEC) is the highest-yield tactic for hackers. According to IBM, whaling costs businesses an average of $5.01 million per breach.
Business applications like Zoom and Microsoft account for 45% of impersonation-style phishing attacks.
Clone Phishing
Clone phishing involves duplicating, or “cloning” a legitimate email that was previously sent by a trusted organization or employer.
Once a hacker has access to the email, they can replace the original links with links to a fraudulent or malicious site, where users, thinking they’re on the legitimate site, enter sensitive information or valuable credentials.
How to Spot a Law Firm Phishing Scam
Some of the following elements are easy to spot; for others, you’ll have to look closer.
Sense of urgency in the subject line.
Victims often feel alarmed by aggressive subject lines (Payment Declined – Update Card Now!) and click links out of confusion or fear. Watch out for emails with fear-mongering subject lines.
Generic or impersonal greeting.
It’s common for phishing emails to have impersonal greetings such as “Good morning, customer.” They usually address people impersonally, calling them “user,” “fan,” or other ambiguous titles.
Note: this is not the case for most spear phishing and whaling attempts.
The “From” field is a spoof or imitation of the real address.
For example, appelsupport.com instead of applesupport.com. This is one of the most obvious signs of a phishing scam. Take a second to examine the “from” address – if it’s spelled incorrectly or just doesn’t seem to make sense, use caution and don’t click any links.
Just look at that “from” field. Fake!
Grammar and punctuation mistakes.
Phishing emails are often riddled with errors. This may be because hackers are in a rush to produce dozens of emails and don’t bother to look over the copy, or because the hackers don’t speak the language well enough to proofread and correct mistakes.
Don’t assume an email is fraudulent if the author spelled one thing wrong; one or two misspellings aren’t usually cause for alarm. Instead, keep an eye on emails with multiple errors or very obvious mistakes that someone in the purported role probably wouldn’t make.
Scare tactics.
Be on the lookout for more fear-mongering in the email’s body copy. Look for phrases like, “Pay now or your account will be deactivated.”
Incorrect company information.
This is another obvious sign of fraudulent activity, but many people don’t even notice. Check the footer of the email and cross-reference the address and contact information they provide with the actual company’s information.
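The indicators above can be checked mechanically before a message reaches an inbox. The script below is an added example for this article, not code from the original post: it parses a constructed sample message and reports which of the indicators it trips, with the trusted-domain and phrase lists as assumptions you would replace with your firm's own vendors and wording.

```python
import email.utils
from email import policy

# Constructed lists for this example; a real deployment would use the firm's own vendor list.
TRUSTED_DOMAINS = {"apple.com", "applesupport.com", "microsoft.com", "dhl.com", "linkedin.com"}
URGENCY_PHRASES = ("update card now", "immediate action", "pay now", "deactivated", "payment declined")
GENERIC_GREETINGS = ("dear customer", "dear user", "good morning, customer", "dear valued member")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the signature of a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw: str) -> list:
    """Return the names of the article's indicators that one raw RFC 822 message triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in TRUSTED_DOMAINS:
        # appelsupport.com is two edits from applesupport.com: flag near misses, not strangers.
        nearest = min(TRUSTED_DOMAINS, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, nearest) <= 2:
            findings.append(f"lookalike-domain:{domain}~{nearest}")
        # Display name borrows a trusted brand ("Apple Support") while the address does not.
        if any(d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS):
            findings.append("display-name-mismatch")
    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        findings.append("urgent-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("scare-tactics")
    return findings

# Constructed sample that mirrors the article's indicators (not a real message).
SAMPLE_PHISH = """From: Apple Support <billing@appelsupport.com>
Subject: Payment Declined - Update Card Now!

Dear customer,
Pay now or your account will be deactivated.
"""
```

Run `phishing_indicators(SAMPLE_PHISH)` to see all five indicators fire on the sample; an ordinary internal message from a colleague returns an empty list.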
Don’t Wait; Here’s How to Protect Your Firm
Don’t drag your feet – take action now to protect your business from attackers. Rectifying just one phishing-related security breach could cost your firm hundreds of thousands of dollars, so treat this as a priority.
If you have any questions about implementing these steps, contact our website design and technical SEO department.
Be on the constant lookout for spam.
Keep your nose to the ground and stay vigilant. If you see a suspicious email, show a coworker and ask them what they think.
If you receive a strange-looking email from your boss, ask them if they actually sent it. Always check the sender’s email address, not just their name.
It’s also a good idea to check your emails only when you’re in a good headspace – not when you’re exhausted or frustrated at work when you’re more likely to click on a corrupted link out of confusion.
Install CAPTCHA and secure form plugins.
Data encryption platforms and challenge-response tests are great tools that you can install on your site to prevent spam from being sent to your clients.
96% of phishing attacks occur through email.
Secure form plugins protect data and information that clients enter on your site – for example, their name and email address to sign up for your weekly newsletter.
These plugins make it difficult for hackers to access your clients’ information. Challenge-response tests like CAPTCHA prevent bots and spam from entering your site.
An important note: secure form plugins and CAPTCHA are useful for mass phishing attacks, but may not be as effective against manual attacks where each email is sent individually and usually written in more detail than a generic phishing email.
For a stronger defense, you may need to set up protections on the email server level.
Set up protections on the email server level.
Does your business have its own email server instead of a large platform like Google or Yahoo? If so, you should probably think about setting up protections on that server.
Google and Yahoo have their own protections in place, but unique servers do not, making it necessary for businesses to employ spam, phishing, and malware protection against potential attacks.
You can secure your company’s mail server with the following tools and platforms:
- DKIM protocol
- DNSBL and RBL implementation
- SMTP authentication
- Reverse DNS
- S/MIME and PGP encryption
- SMTP encryption
- SPF implementation
- SURBL implementation
Click on the links above to learn more about each layer of protection (don’t worry, these are legitimate links!). Email server protections are highly technical, so if you don’t have much IT experience, you should call a professional for help.
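As an added illustration (not part of the original article) of what the SPF entry in the list above does: the function below evaluates a constructed SPF TXT record, with made-up relay addresses from the RFC 5737 test ranges, against the IP of a connecting mail server. It handles only the ip4, ip6 and all mechanisms; include, a and mx need DNS lookups and are left out of this offline check.

```python
import ipaddress

# Constructed SPF record for a hypothetical firm domain (assumption: its only outbound
# relays are 203.0.113.10 and the 198.51.100.0/28 range; both are RFC 5737 test addresses).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/28 -all"

def spf_result(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for a connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (not an SPF record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass" on match
        if term[0] in verdict:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return verdict[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address is treated as /32 or /128; mismatched IP versions never match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return verdict[qualifier]
        # include/a/mx need DNS and are outside this offline check, so they are skipped.
    return "neutral"  # no mechanism matched and no 'all' term: RFC 7208 default result
```

A receiving server that gets "fail" for a message claiming to be from the firm's domain can reject it, which is what makes a record ending in "-all" stronger than one ending in "~all".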
Law Firm Phishing Scams: Avoid Being Hooked
Phishing scams are one of the greatest threats facing law firms today.
They’re costly, devastating, and are becoming more prevalent in the aftermath of the COVID-19 pandemic, probably due to remote work becoming more common. According to GreatHorn, weekly and monthly phishing attacks have increased 14% and 6%, respectively, from 2020 to 2021.
We hope you’ll consider these security measures as integral to your business. The simple truth is that you can’t afford to ignore it. Reach out to us at (877) 323-4661 with any phishing-related questions and help implementing security protocol.