Why Your Law Firm Needs Social Engineering Awareness Training

Some time ago I had a conversation with a few lawyers who had come close to being scammed out of several hundred thousand dollars. While I was pleased to hear that the scam was recognized in time, I was simultaneously floored by their response to what had happened. The lawyers shared they were fortunate to have listened to the wisdom of their firm administrator, who had advised them to wait to release any funds until a particular suspect check had cleared. Yet, oddly enough, after that check actually did bounce a week or so later, these lawyers felt unable to do anything about it due to a perceived attorney-client relationship and the loyalties they believed flowed from that. It seemed clear to me that the scammers had invested enough time and become so involved with the firm that even after nearly being taken in, the lawyers still believed confidentiality trumped. They were hesitant to even consider having the situation investigated. I couldn’t help but think “wow, whoever was behind that scam knew what they were doing.”

I wish I could say this story was an unusual situation and that lawyers needn’t worry; but I can’t. In the years since, these types of scams have only gotten more sophisticated and it’s all about social engineering. For the uninitiated among us, social engineering has nothing to do with a group of happy-go-lucky folks who get together, put on those great blue and white striped hats, and take their locomotives out for a drive. Social engineering in the context of cybercrime is really about the use of psychological manipulation to trick a person into doing something that isn’t going to be in his or her best interest. The goal may be to gain access to confidential information, to steal personal identities or money, to gain access to computer network resources, and the list goes on.

An attacker has any number of methods at his or her disposal. If the goal is to insert some type of rogue software onto a computer network, they might drop a USB jump drive in the firm’s parking lot or send a jump drive that purportedly contains a free version of Microsoft 365 to a firm employee. Of course, as soon as someone tries to see what’s on the jump drive they found or tries to install Microsoft 365 on their work computer, the firm’s network will be compromised.

This type of attack, known as baiting, has been successfully used to breach law firm networks. Other very successful attack methods include, but are by no means limited to, fake callbacks from technical support where the attacker randomly calls numbers at a business until someone falls prey; pretexting, which is where a scammer impersonates a bank employee, tax authority, insurance investigator, etc. to try and trick someone into disclosing information; and phishing, which is something everyone needs to know more about due to the sheer number of phishing attacks that occur daily. 

First the basics, phishing is the criminal attempt to trick another into providing personal or sensitive information such as a birth date, their address, a credit card number, or their username and password to an online account typically by requesting a response to an email or text message the scammer has sent. Most folks will have enough common sense to recognize such scams and would just delete an email that says their bank account will be closed unless they open the attachment or click on some link in order to verify their login credentials simply because the email came from the wrong bank. But what if the email does purport to come from the correct bank? What if the email looks exactly like other’s they have received from their bank because it contains all the correct logos? What if, instead of having them verify login credentials online, the email asks them to call a customer service number and the person who answers that call is able to trick them into sharing their login credentials?

Phishing attacks have become very sophisticated. Not only are all of the above examples real, they are but the tip of the iceberg in terms of the types of scams any one of us might be faced with. Who hasn’t received an email notification informing them of a change in the delivery schedule of a FedEx package or letting them know their eBay, PayPal, or email account will be closed unless they verify their login credentials?

I can share that I have personally received an email that appeared to be from a close friend stating he had had his wallet stolen and was stuck in London. He was hoping I would wire some money to help him return to the States and he would pay me back upon his return. Then there was the one claiming to be from Microsoft. They wanted me to know about a serious security problem in their software and suggested I immediately click a link to download the necessary update so that I would remain secure. Honestly, I almost fell for that one. The level of sophistication with that Microsoft email was so good. In truth, the possible variations on phishing attacks seem to only be limited by the imagination and programming skills of the criminals behind them. Unfortunately, because phishing attacks are so incredibly successful, they’re not going to go away anytime soon, which means everyone at your firm needs to remain vigilant for the foreseeable future.

Hopefully, you are starting to get a sense as to how serious the situation is. And while the security hardware and software in place at your firm can be viewed as the front line of defense, those tools alone can’t do it all. You and everyone else who works at your firm has a role to play because together all of you are actually the last line of defense. If your firm hasn’t already done so, it’s time to get in front of the problem because no one else is going to take care of it for you. It simply isn’t possible for your IT support to protect your systems from all phishing attacks because these attacks are directed at people not hardware or software.

The good news is there is one critically important step your firm can take to assist in IT support’s efforts to protect all the information that resides on your firm’s network. Provide mandatory training to everyone who works at your firm, to include every lawyer regardless of status. Everyone must be made aware of the nature of phishing attacks and learn how to spot them. There are a number of social engineering awareness training companies here in the States worth investigating. Of particular note is KnowBe4 because even if you decide to provide training on your own, you will still find numerous free educational resources on their site; and don’t overlook their blog. Another idea would be to have your own IT support person or company conduct quarterly in-house seminars on phishing and other online hazards.

Now, one final thought. I often get pushback when recommending social engineering awareness training. A common response is something like “providing this kind of training just isn’t in the budget.” All I can say in response is this. If someone at your firm were to fall for one of these scams, how much do you think that might cost? Had the lawyers referenced above not listened to their office manager the cost would have been several hundred thousand. I’ll leave it to you to do the math.