As seen on ABA Journal...
Lawyers at Owens, Schine & Nicola, a personal injury firm in Connecticut, thought they had an easy collections matter to resolve.
In September 2008, the firm received an email from Donna Stepp, an attorney in North Carolina. According to the email, Stepp’s client, Chen Wu, the director of the Shenzhen Shan Magnetism Industry Co. Ltd. in China, needed to settle a debt with Connecticut-based Dynalock Corp.
Within the week, Wu reached out to the law firm, explained his situation and signed a retainer agreement. Shortly after, the firm received a Wachovia Bank “official check” for about $200,000, the amount of the debt owed to Wu’s company. The firm deposited the check in its trust account and waited instructions from Wu to wire the money to a bank account in South Korea, which the law firm did.
Unfortunately, while Donna Stepp is an attorney in North Carolina and Shenzhen Shan Magnetism Industry Co. and Dynalock are real businesses, none of them took part in this transaction, according to court documents.
The check was fake, the debt collection was a scam and the law firm was out nearly $200,000.
This well-planned grift was an example of social engineering, an attack that takes place through human interaction to obtain information, access to computer systems or money.
These types of attacks are on the rise. According to the 2018 Verizon Data Breach Investigations Report, companies are three times more likely to be breached via social attacks than technical failures. Almost all of these attacks will come via email, meaning it is important that attorneys and firm employees act more skeptically when trafficking sensitive information or when opening a particular file or link they see in their inbox.
“Generally, social engineering involves someone with bad intentions using human interaction to obtain information about an organization or compromise its policies or computer systems and entice someone to do something they wouldn’t otherwise do, such as allow unauthorized access to an organization, wire money to a fraudulent account, or disclose proprietary information,” says Lucy Thomson, principal at Livingston PLLC, a law firm in Washington D.C., and past chair of the ABA Section of Science & Technology Law.
With such a broad definition, “fraud can be in many different flavors,” she says.
Phishing attacks—an email from a bad actor looking for sensitive information or to upload malicious software— are perhaps the most common and well-known type of social engineering attack. However, there are other, less used forms, like baiting people with infected USB drives or offering a quid pro quo trade to get a victim to unknowingly install malicious software. There are also old-fashioned ways of getting information, including tailgating or piggybacking, where an individual, dressed as a delivery person for example, walks into a restricted area after someone with access is allowed in.
While each of these examples have been successfully executed in the real world, phishing and pretexting, which is the creation of a false narrative to obtain information, make up 98 percent of social engineering attacks, according to the Verizon report. The same report says phishing is the third most-common action leading to data loss, behind hacking and user error.
Phishing and pretexting are not mutually exclusive. For example, some phishing attacks might use pretext to obtain information. However, other phishing attacks will use a quantity approach called “fire and forget” where the malefactor sends a more generic email and hopes a small percentage of recipients will click on the malicious link or file.
“Law firms are reporting almost daily attacks on one or more users in the firm,” says Ian Raine, director of product management at iManage, a work product management company.
According to the Anti-Phishing Working Group’s Phishing Activity Trends report, the first half of 2017 saw a 15 percent rise in phishing attacks.
Putting that into context, the 2018 State of the Phish report by Wombat Security Technologies found the attacks are having greater impact. Between 2016 and 2017, there was a 22 percent increase in malware infections due to phishing, which nearly doubled incidents of data loss. Of the 10,000 surveys given to information security professionals across industries, only 4 percent of respondents said phishing attacks were on the decline.
“Low-tech social media attacks are a dangerous form of cyberattack that goes straight to the heart of a law firm’s biggest point of weakness – their users,” says Raine. “The consequences of a successful attack can be firm ending.”
According to the Verizon report, just under 20 percent of investigated phishing emails led to a breach. And according to a 2017 IBM Security report, a data breach during fiscal year 2017 cost an affected U.S. company on average $7.35 million, which includes productivity loss and remediation.
As phishing attacks have become more common, they are also a lot more sophisticated, says Jill Rhodes, chief information security officer at Option Care in Chicago and co-editor of The ABA Cybersecurity Handbook.
She says long gone are the days of easily spotting the typo-ridden email from an African prince asking for benevolent and selfless help in the form of a wire transfer. Now, criminals are breaking down silos and teaming up with phishing experts, linguists, computer scientists and other scammers to improve their work. For instance, Rhodes recalls that she recently received what appeared to be a legitimate electronic receipt from Apple in her email inbox. The problem? She hadn’t purchased anything from Apple recently. Nevertheless, she logged in to her Apple account and make sure a charge had not been made. It had not.
A subset of phishing is called “business-email compromise,” which is a type of fraud focusing on companies engaged in wire transfer payments. In 2016, the FBI’s Internet Crime Complaint Center released a public service announcement that said losses from BEC has increased 1,300 percent since 2015, totaling over $3 billion and affecting 22,143 domestic and international victims.
These attacks are often in the form of an impersonation of a C-suite executive, business partner or lawyer asking for a wire transfer. In the case of lawyer impersonations, the FBI says this type of scam may come at the end of a workday or week and demand a quick resolution for a time sensitive matter.
The attacks work, because, as Thomson explains, “a malicious person who is into social engineering will do extensive research on the company and the people.” This means reading court documents, news reports and other public filings. The fraudster will also look at social media postings by employees to discover information that will assist in the scam.
Thomson says social media posts “are rich with this information that hackers can use.”
To proactively avoid being a victim of BEC, the FBI recommends that companies and their employees be careful about “what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out-of-office details.” They also recommend a healthy dose of skepticism when secrecy is requested or if a current business contact abruptly changes business practices, like asking to be contacted through a different email.
To help employees stay vigilant against phishing, Rhodes says her company sends phishing emails as an education tool—a near-universal corporate practice according to the State of the Phish report. This allows the company to test employees’ ability to spot a phishing email, if they open the email or click on a link, it creates an opportunity for extra training.
As law firms continue to confront online threats like social engineering, there is still a worry that they will slough off good advice for lack of understanding the technology-side of things, says Rhodes.
“Information security is about governance, people, process and technology,” she says. With technology making up only a quarter of that equation, Rhodes argues that attorneys can be on top of 75 percent of information security, and they can ask questions about the other 25 percent.
And this is critical, she says, because when it comes to social engineering attacks, it is the people, not the technology, that will save the day.