By Aaron H. Wallace, Esq.
Teach a man to fish, you feed him for a lifetime.
Teach a lawyer to avoid a phish, you spare him or her a lifetime of regret.
That’s how the old saying goes, right? Perhaps not, but nothing old holds true anymore — at least not in the world of cyber security. The threats are fast-changing, and even if you were up to speed on all things phishing five years ago, you might be a few steps behind the criminals today.
Who are those criminals? Hard to say. They might be in another country. They might be down the road. They might be tech geniuses, or they could be relative novices who’ve taken a crash course on the dark web and now know how to swindle unsuspecting professionals.
Here’s the thing, though. Whoever they are, the criminals are after you. Yes, you: a lawyer practicing in Florida. There are mountains of evidence that lawyers are a favorite target for bad actors, especially solo and small firm lawyers who may not have the IT security resources of a larger firm but who nevertheless deal in high-dollar transactions that hackers want their hands on.
While there are many schemes available to those digital delinquents, the one they are most likely to hit you with — and the one that is most likely to get you — is called phishing. Given the threat level, you need to know everything about phishing and how to avoid it. This article provides a primer on phishing in the ’20s and best practices for cyber risk management for lawyers in Florida.
What is Phishing?
Phishing refers to an email that a bad actor sends you in order to infiltrate your systems or otherwise compromise you. For many years now, phishing has been the number one attack vector online. Countless law firms have been targeted. Many have fallen prey. There is no reason to believe you won’t be next.
The tricky thing about a phishing email is that it may look entirely legitimate at first glance. Years ago, it was easier to spot phishing emails than it is today. As modern schemes grow increasingly sophisticated, it’s possible that even the best IT defenses could fail. Your security software could succeed 99.9% of the time, but the hacker only has to get it right once. A single email can cause disastrous effects for you and your law firm. But while foolproof prevention may not be possible, there is hope.
Cyber security experts say that human error is the single biggest cause of successful cyber crime, and therefore human precaution is the single greatest line of defense.
Here are some helpful tips to avoid becoming bait.
The Red Flags of Phishing: Cyber Risk Management for Lawyers in Florida
To recognize a phishing email, what you’re looking for is called a hook. It’s the “gotcha” buried somewhere in an otherwise normal-looking email. Here are some of the most common hooks:
- The sender’s email address is misspelled, sometimes by just one letter (beware the lower-case “l” — it looks a lot like a capital “I”!)
- Other spelling or grammatical errors
- The email is written in an unusual tone or conveys urgency
- The email is strangely short and curt, e.g., it lacks common courtesy and salutations (or has an unusual greeting)
- The email requests payment, password credentials, transaction-related action, or personally identifying information
- The email pertains to a wired funds transaction and asks for an urgent, unexpected, or last-minute action (such as a change to the account number or the payment date or time)
- The email claims to be from someone new to your organization (or new to your client’s organization)
- The email is sent at an unusual time — late at night, early in the morning, on a holiday, etc.
- The email contains a threat or purports to have information about you
- The email asks you to click a link, download a file, install software, or open an attachment
- The email tells you that you’ve won an award, honor, or prize
- The “From:” email address does not exactly match the email/domain you see when expanding the email header and hovering over the sender’s email address
- The URL of a link in the email does not exactly match the expected URL
- The email is from a service such as LinkedIn but comes to an email account that you do not use for that service
- Attachments with strange file extensions or file formats commonly associated with malware. (Files ending in .exe and .scr are examples of those that should be treated with extreme caution. Beware of .zip too — it may be a harmless compressed file from a colleague or a bundled virus.)
- The email just seems “off” or too good to be true
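Several of these hooks can be screened for automatically before a human ever reads the message. The following is an added example, not code from the original article: it applies the lookalike-domain, header-mismatch, disguised-link, urgency and risky-attachment checks to a constructed sample message whose names and domains are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (made-up names/domains) carrying hooks from the list above.
SAMPLE = """From: "Pat Partner" <pat@smithIaw.com>
Reply-To: Pat Partner <pat.partner@mail-relay.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please wire the closing funds today to the new account number:
<a href="http://smith1aw-docs.example/wire">https://smithlaw.com/wire</a></p>
--b1
Content-Disposition: attachment; filename="Closing_Statement.scr"

--b1--
"""
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")
URGENCY_WORDS = ("urgent", "immediately", "today", "new account number")
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})  # glyphs passed off as l / o
LINK = re.compile(r'href="https?://([^/"]+)[^"]*"[^>]*>\s*(?:https?://)?([^/<\s]+)')

def looks_like(domain: str, expected: str) -> bool:
    """A domain that differs from the trusted one only by lookalike glyphs."""
    fold = lambda d: d.translate(LOOKALIKES).lower()
    return domain.lower() != expected.lower() and fold(domain) == expected.lower()

def red_flags(raw: str, trusted_domain: str) -> list[str]:
    """Machine-checkable red flags found in one raw email message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1]
    flags = set()
    if looks_like(sender_domain, trusted_domain):
        flags.add("lookalike-sender-domain")
    if reply_domain and reply_domain.lower() != sender_domain.lower():
        flags.add("reply-to-mismatch")
    for part in msg.walk():  # attachment names plus text/HTML bodies
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.add("risky-attachment")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload().lower()
            if any(w in body for w in URGENCY_WORDS):
                flags.add("urgency-language")
            for real, shown in LINK.findall(body):  # link target vs. displayed text
                if "." in shown and real != shown:
                    flags.add("link-text-mismatch")
    return sorted(flags)
```

A screen like this only catches the mechanical hooks; the tone, timing and "just seems off" items still need a skeptical reader.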
Phishing Doesn’t Always Look Like Phishing
Lawyers are busy by nature — a fact that cyber thieves love. They hope to catch you off guard with an email that looks like something you wouldn’t suspect. So it’s up to you to outsmart them!
Think of it as a golden rule of cyber risk management for lawyers in Florida: phishing doesn’t always look like phishing.
Why Your Law Firm Support Staff May Be Your Greatest Vulnerability
As lawyers, we know that behind every great law practice is a paralegal or support staff making it all come together. Unfortunately, cyber criminals know that too. Don’t be surprised, then, if they target your employees first.
Is your support staff ready for the attack? Will they even know it’s happening? Remember: they may not have attended the same educational sessions you have. They may not have read articles like this one. But they still have what thieves want: sensitive information, access to your systems, participation in wired funds transactions, etc.
As an easy first step, we recommend distributing our printable Wire Transfer Fraud Prevention one-sheet and requiring every staff member to keep it posted by their computer. You might also consider sending this article (and our entire Cyber Resource Center for Florida Lawyers) to your staff members.
Skeptical Inboxing Is the New Defensive Driving
Defensive driving is the practice of proactively reducing the risk of collision through sustained vigilance and anticipation of sudden dangerous behaviors by others. It is statistically proven to reduce the likelihood of an accident. It’s also useful as a mindset for browsing the web.
The next time you open your email, imagine yourself “driving” through your inbox. Don’t trust an incoming email to be legitimate any more than you would trust that the teenager in the sedan next to you is a world-class driver.
Stay skeptical. Assume that every email may be bait on a hidden hook.
About Florida Lawyers Mutual
Created by The Florida Bar so that Florida lawyers would have a high-quality source for professional liability insurance, Florida Lawyers Mutual is the state’s only direct-write lawyers’ professional liability insurer and the only one created by The Florida Bar. A-rated by AM Best for Excellent Financial Strength and owned by its member lawyers, Florida Lawyers Mutual offers high-quality policy features (including an automatic cyber liability endorsement on every policy at no additional premium cost — with increased limits options available), valuable membership benefits, and legendary member service. The Company recently declared an historic member dividend and launched an extensive library with 33+ hours of cost-free CLE for its member lawyers.* Learn more or apply for coverage at www.flmic.com.
*Dividends are paid at the sole discretion of the Company’s Board of Directors. This year’s dividend does not guarantee the payment or amount of future dividends.