Phishing & Business Email Compromise (BEC): How Law Firms Can Protect Against Email Scams

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Armen Najarian

The legal sector is learning some painful lessons about the growing threat phishing and business email compromise (BEC) scams pose to legal firms’ brand reputations — and to their bottom lines.

Just ask the five US law offices believed to be hit in recent weeks by email attacks that led to sensitive client information getting posted online in million-dollar extortion schemes fueled by Maze ransomware.

According to the FBI, phishing is usually the point of entry for malware such as the Maze ransomware. But while this often involves infected attachments, that’s not always the case anymore. Today, email crime rings increasingly leverage simple, plain-text email messages that employ clever social engineering tricks to fool recipients into giving attackers access to key systems that they can then infiltrate and seed with malware.

In these recent legal services attacks, perpetrators encrypted the firms’ data and demanded $1 million in exchange for access. They also posted small amounts of confidential client information online to demonstrate that they can and will release more if the firms don’t cough up the money. To add insult to infamy, they’ve even published some the data in Russian hacker forums with an invitation to “use this information in any nefarious ways you want.”

Falling victim to this kind of email scheme is a good way to lose some of your clients — or maybe all of them. But if it’s any consolation to the firms hit in these recent attacks, they’re hardly alone.

Phishing for Lawyers

Over the last few years, email crime groups that have long targeted the financial services industry have begun expanding the threat surface in search of new prey. And they’re finding plenty of fresh meat in the legal sector.

According to Information Age, 80% of law firms report being hit by phishing attacks during the previous 12 months. And in recent years, the amount of money pilfered in email scams in all their forms has been rising as much as 300%.

Law firms make tempting targets because they possess confidential data, financial records, and information on political figures, major corporations, patent applications, mergers and acquisitions, and more. They also operate in a sector where reputation (aka brand equity) is everything — and where avoiding negative publicity can be a powerful motivator.

Not that this has translated into an overabundance of caution. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), lawyers and other professional services workers rank among the most likely groups to click on phishing emails, including the kind that can lead to data breaches or ransomware attacks.

It shows. Law firms and other professional services organizations make up the largest single group of targets for ransomware attacks. And since 2014, more than 100 large law firms in 14 states have reported data breaches to authorities. And it’s only getting worse.

BEC: Brazen, Embarrassing, Costly

In truth, today’s costliest email scams don’t directly involve malicious links or malware, which most email security controls stop with high efficacy..

Instead, cybercriminals have been upping their game with highly-personalized, plain-text email messages that easily bypass traditional security controls altogether.

In February, for instance, researchers for one software company reported many of its law firm clients had seen a boom in BEC attacks involving links to legitimate document sharing sites hosting documents infected with tools that allow remote access, password stealing, keylogging, and more. In other cases, cybercriminals send “time-bombed” URLs that redirect to phishing sites only after an email has successfully been delivered to a target’s inbox.

The price tag for these and other cons can be steep. According to the FBI, BEC scams lead to more than $700 million in business losses each month. When a malicious email leads to exfiltrated data — ransomed or otherwise — the average cost is more than $8 million per incident for US-based companies, according to Ponemon Institute.

Even without a breach or ransomware infection, the risks can be monumental. As I wrote in a recent post, compromised email accounts are leading to a growing number of law firms being impersonated in phishing attacks targeting their clients and other businesses.

But let’s be real about all of this, too. Yes, data theft, direct financial losses, downtime, lost billable hours, and impersonation are painful for any company. But for law firms, the reputational carnage that can accompany them can represent an existential threat. So what can firms do to protect themselves?

Vigilance Matters-And So Does Preemption

With the number of email attacks that slip past security controls on the rise, organizations in the legal sector are taking action. According to a 2019 survey from the International Legal Technology Association, for instance, 68% of law firms now conduct phishing tests, up from just 38% in 2016.

And that’s critically important. Phishing training and testing can dramatically reduce the chances an employee will be duped. The most effective simulations include real examples of new phishing attacks as soon as they’re identified.

But firms should also look at stopping email attacks from ever reaching employees in the first place. That requires identity-based defenses that analyze the email behaviors between sender and receiver to detect and block even the most sophisticated email attacks — including those sent from compromised accounts — and removes any threats that manage to evade early detection from employee inboxes automatically.

Cyber Insurance Only Goes So Far

Cybersecurity insurance can also offer an additional measure of comfort to help senior partners sleep at night. But that’s only if the right defenses are in place.

According to Law.com, cyber insurance typically pays for a forensic investigation in the event of a successful cyberattack and the legal fees associated with notification requirements — which can run anywhere from $20,000 to as much as $20 million.

But even the most robust policy won’t do much to stem client defections if a phishing or BEC attack leads to the confidential data they’ve entrusted to your firm getting breached and posted to hacker forums. And then there’s the potential for costly lawsuits.

Either way, your firm’s brand reputation could still be toast. And there’s a good chance you’ll need to lawyer up.

To learn how law firms and other professional services organizations can protect themselves and their clients against phishing attacks and BEC scams, view the solution brief titled, “Stop Identity-based Email Attacks“.