Protect Yourself from Phishing Scams

By Gina F. Rubel, Esq.

They can look like real e-mails, whether they’re sent from someone pretending to be an attorney from your firm or a customer service agent for your credit card company. However, when you look closely, something is a bit off about the sender’s address. It could be a slight misspelling or there may be an underscore added between the first and last name.

The ultimate goal of this practice, which is known more commonly as phishing, is to use fake e-mails, texts, or websites to extract your personal information. And unfortunately, this is becoming an exceedingly common practice.

Phishing affects the majority of organizations across the globe. In a report by Wombat Security from 2017, it was revealed that over three-quarters of information security professionals acknowledged that their organization was the target of a phishing attack. In fact, Kaspersky Lab’s Anti-Phishing system was triggered over 46.5 million times in just the second quarter of 2017.

For law firms, the statistics are quite high. According to the American Bar Association, roughly a quarter of all law firms with more than 500 lawyers had a security breach in 2017. And a study by e-mail analytics firm 250ok noted that more than 90-percent of cyberattacks began with a phishing e-mail.

Once a scammer is able to trick you, there are a number of issues that can arise for you and also your firm. One of the more common tactics involves asking someone to enter personal information, including passwords, Social Security numbers, and bank account numbers. The scammer is then able to use that information to wreak havoc on your life, such as stealing your money or your identity.

Another way that scammers attack via phishing is by installing malicious programs. For instance, they may be able to use a phishing e-mail to ultimately get someone to download a ransomware program. This can cause an individual—or their company—to be locked out of their files unless a certain amount of money is paid.

Scammers have gotten more and more sophisticated in recent years. One technique that attackers use is called spear phishing. Unlike more general phishing hoaxes, where many individuals are sent the same mass e-mail message, spear phishing involves targeting a specific target. The scammer will pretend to be a trusted source, whether a co-worker or a client or a family member, to trick the client into giving information or downloading a malicious program.

In 2017, Dentons Canada was the target of a spear phishing attack. They were in the midst of a real estate transaction with Timbercreek Mortgage Service Inc. During the course of this transaction, Dentons Canada began receiving e-mails purporting to be from the mortgage company, stating that one of their accounts was subject to an audit and that Dentons should send money to a third-party account based in Hong Kong. Dentons looked into the request, received what appeared to be authorization letters from Timbercreek and the third party, and ultimately proceeded to wire $2.52 million from the firm’s trust account to the Hong Kong account. In the aftermath of this, Dentons has been trying to recover the lost money and is making all employees go through cybersecurity training.

Being the victim of a cyberattack can have devastating effects, especially to a business. There can be long-term reputation damage, legal repercussions, and lost clients. According to the Ponemon Institute’s 2018 Cost of a Data Breach study, a global business can lose an average of $3.86 million for a data breach. In the U.S., that number is much higher, as the average figure is $7.91 million.

There’s a number of things you can do to help prevent a phishing attack. First, it is crucial to check the source of the e-mail. Phishing e-mails often will make slight alterations to spelling or add punctuation. If you suspect someone is attempting a spear phishing attack, then contact the party suspected of being impersonated to check whether or not they sent the message.

There are other ways to spot phishing e-mails, too. For instance, the e-mail will often be addressed to a generic person, such as “Dear User” and will have multiple spelling and grammatical errors. Also, it is very important to avoid clicking on attachments unless you are expecting to receive something. Additionally, avoid using login links embedded within an e-mail and entering personal information on webpages that aren’t secure (the URL should begin with https:// and not http://).

If you believe you’ve been the target of a phishing attack, you can forward the e-mail to spam@uce.gov and contact the party potentially impersonated in the e-mail. You can also file a report with the Federal Trade Commission.