I. Law Firm Cyber Risk Phishing – Explained
Phishing is one of the most common cyber crimes.
The FBI describes phishing – and spoofing, which is related – this way:
Spoofing is a cybercrime, whereby someone disguises an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source.
For example, you might receive an email that looks like it’s from your boss, a company you’ve done business with, or even from someone in your family—but it actually isn’t.
Criminals count on being able to manipulate you into believing that these spoofed communications are real, which can lead you to download malicious software, send money, or disclose your own or your employer’s personal, financial, or other sensitive information.
An example of this is CEO fraud, whereby cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorized wire transfers or sending out confidential tax information. The expectation is that the employee will comply with the ‘CEO’ demand unquestioningly.
The FBI calls CEO Fraud an example of Business Email Compromise.
Phishing is a cybercrime that often uses spoofing techniques, designed to trick you into giving information to criminals that they shouldn’t have access to.
In a phishing scam, you might receive an email that appears to be from a legitimate business, and asks you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested.
But once you click on that link, you’re sent to a spoofed website that might look nearly identical to the real thing—like your bank or credit card site—and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information, which is then used to steal your money.
An early example of phishing was a Californian teenager who created an imitation of the “America Online” website in 2003. With this fake website, he was able to obtain sensitive information from users and use their credit card details to withdraw money from their accounts.
Phishing has several variations that use similar techniques:
- Vishing scams happen over the phone, voice email, or VoIP (voice over Internet Protocol) calls.
- Smishing scams happen through SMS (text) messages.
- Pharming scams happen when malicious code is installed on your computer to redirect you to fake websites.
II. Law Firm Cyber Risk Phishing – Common Features of Phishing Emails
- Too Good To Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Don’t click on links in a suspicious email!
- Sense of Urgency – A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
- Hyperlinks – Hover over a link to see the actual URL where you will be directed upon clicking on it. It could be different from what you were expecting, or it could be a popular website with a misspelling, for instance www.bankofarnerica.com.
- Attachments – If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it! It may contain ransomware or another virus. The only file type that is always safe to click on is a .txt file.
- Unusual Sender – Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious, don’t click on it!
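The “hover over the link” check from the Hyperlinks item above, written out as an added example (it is not code from the original article): it compares the domain a reader sees with the domain the link really points to, and flags look-alike spellings such as www.bankofarnerica.com. The allow-list of trusted domains and the table of confusable character sequences are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the firm actually corresponds with (example values only).
TRUSTED_DOMAINS = {"bankofamerica.com", "examplefirm.com"}

# Character sequences that look alike in many fonts: "rn" reads as "m", "1" as "l", "0" as "o".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]

# Visible link text that itself looks like a web address (so it can be compared with the real target).
HOST_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(url: str) -> str:
    """Reduce a URL or bare host to its last two labels, e.g. 'bankofarnerica.com'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'bankofarnerica.com' and 'bankofamerica.com' compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character misspellings the skeleton does not."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike of <trusted domain>' or 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) == 1:
            return f"lookalike of {trusted}"
    return "unknown"


def assess_link(visible_text: str, href: str) -> str:
    """Compare what the reader sees with where the link really goes, as hovering would reveal."""
    shown = registrable_domain(visible_text) if HOST_RE.fullmatch(visible_text.strip()) else ""
    real = registrable_domain(href)
    verdict = classify_domain(real)
    if shown and shown != real:
        return f"suspicious: text shows {shown} but link goes to {real} ({verdict})"
    return verdict
```

Run `assess_link("www.bankofamerica.com", "https://www.bankofarnerica.com/login")` to see the mismatch reported; a plain "Click here" pointing at a trusted domain simply returns "trusted".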
III. Law Firm Cyber Risk Phishing – How to Prevent It
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly.
Firm staff should inspect each email and not open attached files or click on included links unless the email is from a trusted sender. Type in a site’s URL manually to avoid landing on a spoofed version of it. Most problems can be avoided by being careful.
IV. The Role of Insurance
Even the best plan to avoid a phishing scam may fail, leaving your firm with a large monetary loss, for example from a hacker withdrawing money from your account. An insurance policy can cover some or all of that loss, essentially reimbursing your firm for the stolen funds. However, it wouldn’t be a cyber insurance policy, but rather a crime insurance policy with a computer fraud endorsement attached.
Ask your agent or broker to obtain quotes if you think that a crime insurance policy would benefit your firm. The annual premium would likely be about $2,000 for a $1,000,000 policy limit.
V. Further Reading
Identifying Social Engineering Red Flags
Best Practices to Avoid Wire Fraud