The fight against phishing: How to identify and avoid phishing scams targeting your law firm in 2023

The beginning of the new year is all about goal setting and making resolutions, including those that will improve IT at your law firm. Many of our clients use the new year as a time to evaluate their cybersecurity preparedness and data management processes. Law firms are a prime target for hackers. According to the ABA, 1 out of every 4 law practices has been the victim of a data breach.

Another study, led by a prominent security firm and a Stanford University professor, found that nearly 90% of law firm security breaches are inadvertent, unintentional and caused by human error. This finding is consistent with the rise of increasingly sophisticated phishing scams, which are the attack most commonly deployed by cybercriminals against law firms.

What is phishing? 

A phishing scam is a fraudulent message, often an email, text message or phone call, that is intended to trick the recipient into disclosing sensitive information. Phishing emails usually request that the recipient follow a link, send a payment, reply with private information, or open an attachment.

What are the most common types of phishing?

Phishing scams come in many shapes and sizes. Spear phishing is a targeted attack in which the attacker researches the victim and creates a customized phishing email. On a mobile phone or tablet, the sender's email address is not readily apparent, which makes it easier for people to be tricked and fall prey to spear phishing emails. Domain spoofing occurs when an attacker appears to use a company's domain to impersonate a company executive or one of its employees. Hackers will even go as far as developing fake websites to trick users. SMS phishing or "smishing" involves text messages purporting to be from reputable companies that request that recipients reveal personal information, such as passwords or credit card numbers.

How to spot a phishing scam

Phishing scams can be well-disguised and hard to spot. However, they often include the following elements:

  • Threats or a sense of urgency
  • Suspicious attachments
  • Poor grammar or misspellings
  • Pop-up windows with valuable offers for little cost
  • Email address or domain name inconsistencies
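To make the last two indicators concrete, here is an added example (not from the original post) that parses a constructed email and reports sender/Reply-To domain mismatches, a display name that does not match the sending domain, digit-for-letter lookalike domains, and urgency language; the sample message, addresses and keyword list are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the display name claims a well-known brand,
# but the mailbox and the Reply-To address live on unrelated domains.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@micros0ft-support.example>
Reply-To: payments@lookalike-collections.example
To: partner@lawfirm.example
Subject: URGENT: your mailbox will be suspended within 24 hours

Please verify your password immediately or lose access to client files.
"""

# Constructed keyword list; a real deployment would tune this to the firm's mail.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")

def domain_of(address):
    """Return the lowercase domain part of an email address, or '' if malformed."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    """Return a list of human-readable indicator strings found in a raw message."""
    msg = message_from_string(raw)
    findings = []
    from_hdr = msg.get("From", "")
    display, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # A Reply-To on a different domain silently diverts replies elsewhere.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # The brand named in the display name should appear in the sending domain.
    brand = display.split()[0].lower() if display else ""
    if brand and brand not in from_dom:
        findings.append(f"display name '{display}' not reflected in domain {from_dom}")
    # A digit wedged between letters (0 for o, 1 for l) is a classic lookalike trick.
    if re.search(r"[a-z][0-9][a-z]", from_dom):
        findings.append(f"sender domain {from_dom} mixes digits into letters")
    # Two or more urgency phrases in subject plus body is worth flagging.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Running phishing_indicators(SAMPLE_EMAIL) reports all four indicators; a plain internal message with no Reply-To, a matching domain and no urgency wording returns an empty list.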

How to prevent law firm employees from falling for phishing scams

Preventing those at your firm from accidentally disclosing private client or firm data requires proactive steps. 

Training

Regular cybersecurity policy reviews and training sessions help identify security holes and can prevent user error. Hacker tactics are always evolving. Regular cybersecurity training programs heighten awareness of the common practices used to gain unlawful access to systems. With regard to phishing specifically, be sure to educate employees on the latest phishing tactics and trends. Encourage employees to share the phishing messages they've received so you can gauge how your individual firm is being targeted.

Data Backups

Backing up data is the process of making digital copies of the information stored on devices. There are several backup methods available, including backing data up to the cloud, to a removable device or to an external hard drive. Some firms may use a combination of backup methods. The nature of the data that law firms hold may warrant daily or weekly backups. An IT partner can help determine the best backup methods and schedules for a firm.

Multi-factor Authentication

Multi-factor Authentication (MFA) is a method of computer access control that requires users to provide authentication methods from at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). For example, an application on your phone may require a face or fingerprint scan and a security question or password. 

MFA provides an extra layer of security. This is especially important for remote workers or for those using personal devices to access client data. MFA can protect your remote team against basic attacks like email phishing as well as more complex attacks, such as ransomware. 

Policies and procedures 

Law firms must create comprehensive information security policies to keep up with the growing number of cyber threats. An information security policy makes it possible to coordinate and enforce a security program and to communicate security measures to third parties and external auditors.

A process-driven approach is the best way to create sound security policies. Develop policies around the following framework stages to ensure your firm has a comprehensive plan if a breach occurs: identify, protect, detect, respond and recover. Determine and document how you will handle breaches in each of the framework's stages.

Hire the right security partner

A managed service provider can provide the training, resources, and cybersecurity support necessary to prevent and remedy phishing attacks. A good outsourced partner will provide services like 24/7 network monitoring, security audits, emergency response and security documentation. 

Frontline Managed Services provides a full suite of IT Managed Services, including cybersecurity, that allows firms to outsource and optimize their IT Departments. If you have questions about how to minimize cybersecurity risks for your firm, Frontline Managed Services can help. Contact us today.

Gulam Zade is the Chief Legal Officer at Frontline Managed Services.