Welcome to a new year! And if you are an attorney in New York, you are welcoming a new category of CLE.
Beginning on July 1, 2023, licensed attorneys in New York will be required to complete one CLE credit hour of cybersecurity, privacy, and data protection training as part of their biennial learning requirement.
While 40 states (as of publication) have adopted the duty of technology competency (including Illinois, see Rule 1.1, Comment 8), and some states even require CLE devoted to technology training (see e.g., Florida, North Carolina), New York is the first state to require education in technology security.
I use this news to highlight the continued prevalence of cybersecurity attacks, specifically email phishing scams.
As a lawyer, email is likely a crucial part of your daily operations. It is often your main lifeline to clients, colleagues, and other professionals. But the risk of email phishing scams to your firm’s security and reputation has never been higher.
In this blog, I outline some novel cyberattack methods you need to know along with ways to ramp up your cybersecurity defenses this year for yourself and your organization.
Tactics to watch out for
For those unfamiliar with the term, email phishing is a cybercrime where scammers send fake emails that appear to be from legitimate sources. These emails often contain links or attachments that, when clicked, allow the attacker to access sensitive information or infect the recipient’s device with malware.
Law firms are particularly vulnerable to email phishing attacks because they often handle sensitive client information and financial transactions. It is not surprising that law firms have been described as the most accessible target for the most sensitive information.
If an attacker can gain access to confidential client information, it could result in serious damage to your firm’s reputation and financial stability, and even expose it to legal and ethical repercussions.
One way that attackers target law firms is by pretending to be a client or colleague and requesting sensitive information or access to accounts. These types of attacks are often difficult to detect, as the emails can look almost identical to legitimate ones. Some attackers even go beyond email and create a spoof website (called “domain spoofing”) to further mislead the user into providing passwords or other sensitive information.
Another tactic that scammers use is to send fake invoices or billing statements. These emails often contain links or attachments that, when clicked, allow the attacker to access the recipient’s financial information or infect their device with malware.
The attackers may even use a method dubbed “clone phishing” in which a legitimate email from a trusted sender is copied by the scammer and resent to the user. The scam email often tries to entice the user with a clickable link or attachment that the trusted sender “forgot” to include before.
How to protect against email phishing
One of the biggest challenges with email phishing is that it can be difficult to detect, even for experienced professionals. However, there are steps that law firms can take to protect themselves and their clients from these types of attacks.
In an early blog post, I provided seven tips to help protect against phishing emails and cybersecurity in general. These include things like being wary of emails from unknown sources and never clicking on links or opening attachments from unfamiliar emails.
I would recommend that lawyers embrace these tips and share them with your team. It is important to educate all employees, not just attorneys, on the risks of email phishing and the steps they can take to protect themselves and the firm.
You could also consider utilizing a phishing testing service. These services create and send mock phishing emails to employees to put their awareness to the test.
Finally, law firms should invest in email security solutions that can help detect and prevent phishing attacks. These solutions use advanced algorithms to identify fake emails and prevent them from reaching your inbox. The combination of data security and routine training can greatly reduce the risk of a successful attack.
Are you prepared?
In conclusion, the risk of email phishing to law firms is very serious. Not only can it result in the loss of sensitive client information and financial damage, but it can also severely damage a firm’s reputation.
By educating employees and investing in email security solutions, law firms can start to take the necessary steps to protect themselves and their clients from these types of attacks.
Do you think you are prepared? Take the FTC’s Phishing Quiz to test your knowledge.
Staying up to date on issues impacting the legal profession is vital to your success. Subscribe here to get the Commission’s weekly news delivered to your inbox.