By Danielle Breen
Phishing scams have been around for a long time, and many of us feel that they are so obvious we would never become victims. However, in the last few years hackers have become more sophisticated in their methods. Even a Law.com reporter who writes about technology and AI for a living fell for a recent phishing scam. The scam that caught him posed as a secure encrypted message delivered within an e-mail. This is just one example of how hackers are becoming more sophisticated in the modern age.
So how do e-mail phishing schemes even work? Usually, a hacker sends a phishing e-mail to a target and asks the target to enter their work login information for a seemingly legitimate purpose. If the target complies with the request, unaware that it is a phishing scam, the hacker gains access to the target's accounts and information. This can include e-mails, client lists, and documents, all of which can be devastating for law firms and their clients.
More than 100 law firms across 14 states have been victims of phishing scams since 2014. The number is staggeringly high and raises concerns about hackers gaining access to sensitive client information. Powerhouse law firm DLA Piper's United Kingdom office was targeted in May 2019 with two hacker e-mails posing as two partners in the firm in an attempt to gain access to company information. The hackers in this scheme simply changed the e-mail domain from "dlapiper.com" to "dlappeir.com"; it is easy to see how someone quickly reading an e-mail might not notice such a tiny detail. According to the United Kingdom's Solicitors Regulation Authority, these types of e-mail schemes account for about half of the cybercrimes reported. It is essential for lawyers to become more vigilant than ever when it comes to hacking schemes.
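As an added illustration of the lookalike-domain trick described above (example code, not part of the original post), the following Python flags sender domains that sit within a couple of character edits of a firm's own domain; the trusted-domain allowlist and the sample From headers are constructed for this example.

```python
# Added example: detect lookalike sender domains such as dlappeir.com
# impersonating dlapiper.com. The allowlist and sample headers are
# constructed; no real mailbox data is used.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"dlapiper.com"}  # hypothetical allowlist for the firm


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain but not
    identical) or 'external' for the domain in a From header."""
    _, addr = parseaddr(from_header)          # strips the display name
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) <= max_edits for t in trusted):
        return "lookalike"
    return "external"


# Constructed sample headers: a genuine partner, a lookalike impersonation,
# and an unrelated outside sender.
SAMPLE_HEADERS = [
    "Jane Partner <jane.partner@dlapiper.com>",
    "Jane Partner <jane.partner@dlappeir.com>",
    "Court Clerk <clerk@example.org>",
]


def scan(headers=SAMPLE_HEADERS):
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:9s} {header}")
```

A mail gateway would typically quarantine or banner the "lookalike" verdict so the reader is warned before acting on the message.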
In light of the growing number of hacking incidents and how quickly hackers change methods, more firms should be conducting third-party security assessments of the firm's network. Robert Mueller put it perfectly in 2012 when he said, "…there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." According to the American Bar Association, in 2018 only about 28% of firms said they conducted a full cybersecurity assessment, and those were mostly larger firms rather than smaller ones. The same American Bar Association study also found that these cybersecurity assessments typically take place only after a client requests one. There was also a strong correlation between the size of the firm and whether clients requested an assessment: 11% of firms overall reported a client asking for an assessment, ranging from only 2% of solo practitioners to 39% of large firms.
Even more alarming than the statistics above is the fact that most malpractice insurance does not cover cybersecurity breaches, and only about 34% of lawyers said they had some form of coverage for cybersecurity incidents. This is simply not acceptable in the digital age. Particularly if a law firm has already been hacked, it is essential that it conduct a third-party assessment of its cybersecurity. Even if a firm's systems have not been breached, chances are they are not as prepared as they could be for a cyber threat. A periodic third-party review would help ensure the firm's defenses are as strong as they can possibly be against cyber threats. Although the review may be costly, it will be more costly for firms to deal with the repercussions of a breach of client information.
Law firms should also consider encrypting data. Encrypted data provides more security for client information because it can only be accessed and read by someone who supplies the correct password or passes the access control protecting it. This would add protection for client information because if an attorney were to fall victim to an e-mail phishing scheme, there would be an additional line of defense to stop hackers. At a bare minimum, law firms should be discussing phishing schemes with their attorneys and providing training on how to spot them. With hackers becoming more sophisticated, even the most intelligent people can fall victim to phishing schemes. It is essential for lawyers to stay up to date on the most modern technologies in order to recognize the openings that phishing schemes exploit. With technology changing so rapidly, it is of the utmost importance that this is a regularly discussed topic. Client information security depends on it.
Student Bio: Danielle Breen is a second-year law student at Suffolk University Law School. She is currently a Journal of High Technology Law staff member. Danielle holds a Bachelor of Arts in French Language & Literature and a Bachelor of Arts in Sociology from the University of Colorado Boulder.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.