The 1 Cyber Threat Lurking in Your Law Firm Inbox
Law firms are a big target for cybercriminals. Law firm BEC scams are among the top cyber threats.
The data many law firms manage is of high value to cyber criminals making law firms an appealing target. According to the ABA, in 2020 29% of law firms experienced a security breach of some sort.
36% of law firms reported experiencing a malware infection in 2020, while 26% were unaware if they had experienced a malware attack. A malware attack could be a virus, spyware, or other malicious computer software and often leads to more severe attacks like ransomware and/or a data breach.
25.2% of the businesses targeted by ransomware attackers are professional service businesses.
Ransomware, data breaches, and phishing attacks get a lot of attention in the media and by IT service providers, as they should. There is one type of cyber attack that does not receive enough attention.
Business Email Compromise (BEC) attacks are a form of phishing but are usually a little more complex than most phishing attacks. The goal of a BEC is financial.
In 2020, the IC3 received 19,369 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion.
What is a BEC attack?
A Business Email Compromise attack occurs when a cybercriminal inserts themselves in an email conversation with the intention of changing payment instructions. By changing payment instructions, the criminal effectively steals money from one or more parties.
To help you understand here is an example of a successful BEC scam that happened to someone I know.
The owner of a service company provided a quote to a homeowner. The service provider requires a deposit for the work before the job begins. The required deposit is half of the quote provided. In this case, the deposit was to be $2250.
The service company received an email from the homeowner asking if they accepted payments through Venmo (first red flag). The service company did not reply right away and about an hour later received a second email from the homeowner advising them to never mind, they would pay a different way.
A few days later the service company received a phone call from the homeowner asking if they received the money that was sent to them through Venmo. They obviously never did.
What really happened? The email account of the homeowner was compromised. The cybercriminal was eavesdropping on the homeowner’s email until they found something of interest. The criminal created another email account that was almost identical to the homeowner’s email and inserted themselves into the conversation. The criminal also created an email account like the service company’s email and sent them a Venmo account to send money to.
Both parties were tricked into believing the emails were legitimate, but the service company never participated in this conversation. Only the homeowner did. The homeowner was scammed out of $2250.
Initially, the homeowner believed the service company was at fault. It was not until they were made to understand what really happened that they relinquished the service company from responsibility.
I don’t know if Venmo was able to recover the money as the homeowner did not want me to be involved. Either way, it’s an expensive lesson for the homeowner.
I use this as an example to explain how BEC scams work. This is a simpler example of a BEC scam. The truth is they can be very complex and often end up costing someone tens or hundreds of thousands of dollars.
BEC scams happen a lot with real estate transactions, municipalities, and service businesses including law firms.
The cybercriminal may already be lurking in your inbox. They often hang around for a while to see if there is anything of interest to them and if they can compromise other email accounts.
How Can You Prevent a Law Firm BEC Scam?
The good news is your law firm can prevent becoming a victim of a BEC scam. We’ve put together a few steps for you to take to protect your law firm from a BEC scam.
- Strong password policy – the longer the password the better. Use UPPER CASE, lower case, numbers, and special characters. Use a password manager. AND NEVER REUSE passwords
- MFA – Configure two-factor or multi-factor authentication on all email accounts (and every other account for that matter). If possible do not use SMS for MFA.
- Monitor email logins – set up alerts and/or logging for email logins. If a login looks suspicious (ie. Logging in from an area the user is not in) investigate. Routinely check log in attempts to understand where potential compromises may be coming from.
- Verify payment details using alternative methods (phone). If the accounts receivable is asking for payment via a different method call the authorized person to verify. Never reply to the email or call a different phone number than the one you have on record. Make sure you have an individual on your team designated as the authorized person for payment details.
- Set up SPF, DMARC, and DKIM on your email to prevent spoofing. When correctly configured these DNS records will prevent spoofing of your email account.
- DON’T USE POP/IMAP or FREE EMAIL – this shouldn’t have to be stated but it still happens all too often. It’s a bad security practice. It’s bad for branding. It’s borderline non-compliant for law firms.
- Immediately disable email and access for terminated employees – leaving an email or other access available to an ex-employee is very dangerous. There are numerous stories of what can happen if access is not removed immediately.
- Do not click links or open attachments that are sent unsolicited. Adding security software that scans attachments and blocks phishing sites is highly recommended.
- Utilize anti-phishing software to identify external and unrecognized email addresses. Include a reporting feature.
- Make sure you clearly instruct all involved in financial transactions on the who, what, where, and how. Clearly identified internal and external processes can prevent financial loss.
Some businesses go as far as to not allow external email or only allow email from specific domains. This is difficult for a smaller business trying to grow as you may miss out on potential business, but certainly makes sense in an enterprise environment where not all employees need to communicate externally.
Final Thoughts BEC Scams Targeting Law Firms
Law firms are almost always involved in financial transactions. Real Estate Attorneys, Personal Injury Attorneys, Estate Planning Attorneys, and others are involved in large financial transactions. If these transactions are interrupted by someone stepping into the conversation unbeknownst to the lawyers and clients, the financial loss can be tremendous.
If you do become a victim of a BEC scam it’s very important to report it. This can help you potentially recover the stolen funds but will also help prevent other law firms from BEC scams by the same cybercriminals.
You can report it at https://bec.ic3.gov/.
If you would like to discuss your business’s technology challenges, click here.Get our Free eBook Business Continuity for Law Firms