How to Help Your Office Staff Avoid Email Phishing Scams

By Mike Campbell | Jan 28, 2021 | Mike's Office Management Tips

To run a successful law firm, whether it’s a solo practice or a large firm, you’ll need to not only excel in the areas of law you’re practicing in, but also in all matters of running the practice itself. Running a legal practice comes with its own unique set of challenges that even the most prepared lawyer setting out to start a new practice may find overwhelming. I’m here to help make the job of running your law office just a little easier. Welcome back to Mike’s Office Management Tips.

— Mike Campbell

Law firms have an obligation to keep their clients’ information safe and confidential. Even a small breach could mean the difference between winning and losing a case, could cost the firm clients, and could expose it to legal liability. Many factors go into protecting your data, but one of the most common ways attackers steal it is through phishing. Let’s take a look at how to help your office staff recognize and avoid email phishing scams.

Phishing Techniques Attackers Use

When an attacker succeeds at a credential-harvesting phishing attack, they can gain access to services like Office 365, online banking, and practice management software. From there, a compromised law firm could experience further attacks, such as network infiltration, database infiltration, and data exfiltration.

Attackers use a number of techniques to steal information through email phishing. One of the most common is embedding a link in an email that leads to a fraudulent website which requests sensitive information. They may also deliver a Trojan through a malicious email attachment or advertisement, which can let them exploit weaknesses in your systems and harvest information.

Recognizing a Phishing Attack

Given the number of techniques attackers use to infiltrate a business’s network, no two phishing attacks look exactly the same. Your office staff need to know the signs of a potential attack so they can avoid falling for one. Some of the most common indicators of a phishing attack include the following:

  • Urgent subject lines. The subject lines of phishing emails are often in all caps, which signals urgency to the recipient. Some of the most common subject lines include phrases like “password check required immediately,” “urgent press release to all employees,” “important message from [company name] admin,” and “UPS label delivery, [fake tracking information].”
  • Language errors. You’ll often notice spelling errors, grammar errors, and awkward wording in phishing emails. This is because attackers need to get past language-parsing filters that identify suspicious content and block the message or divert it to the spam folder. Phishing URLs are often misspelled versions of real domain names, or the domain name won’t match the content of the page.
  • Unexpected requests. Attackers can spoof the sender name and domain of trusted contacts’ email addresses and ask for sensitive information such as bank routing numbers, trust account numbers, login credentials, or access to documents. If you receive a request like this, confirm by phone or through another communication channel (not by replying to the email itself) that the request actually came from a legitimate source.
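As an added example (not part of Mike’s column), the following Python script turns the three indicators above into automated checks over raw email text: an all-caps or urgent subject line, a sender whose domain is a look-alike of the firm’s own domain or whose Reply-To goes elsewhere, and body text that links to a look-alike host or asks for credentials or account details. The firm domain campbell-law.example and the two sample messages are constructed for this demonstration, and the phrase lists are starting points for a mail filter or a staff training exercise, not a complete detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical firm domain; substitute the firm's real domain when reusing this.
TRUSTED_DOMAINS = {"campbell-law.example"}

URGENT_PHRASES = ("immediately", "urgent", "password check", "action required",
                  "account suspended", "verify your account")
SENSITIVE_REQUESTS = ("routing number", "trust account", "login credentials",
                      "enter your password", "confirm your password")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (one dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower().strip()


def phishing_indicators(raw_message: str) -> list:
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Urgent, shouty subject lines
    subject = msg.get("Subject", "")
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) >= 0.8:
        findings.append("subject is almost entirely upper-case")
    if any(p in subject.lower() for p in URGENT_PHRASES):
        findings.append("subject uses urgency/pressure wording")

    # 2. Sender that does not match the trusted domain: a look-alike domain, a
    #    display name that claims the firm while the address is external, or a
    #    Reply-To that silently redirects replies elsewhere
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and levenshtein(from_domain, trusted) <= 2:
            findings.append(f"sender domain {from_domain!r} looks like {trusted!r}")
        firm_name = trusted.split(".")[0]
        if firm_name in display_name.lower().replace(" ", "-") and from_domain != trusted:
            findings.append("display name claims the firm but address is external")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To points to a different domain than From")

    # 3. Body: links to look-alike hosts and requests for credentials or bank details
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", "replace").lower()
    for host in URL_RE.findall(text):
        host = host.split(":")[0]
        for trusted in TRUSTED_DOMAINS:
            if host != trusted and levenshtein(host, trusted) <= 2:
                findings.append(f"link host {host!r} imitates {trusted!r}")
    if any(p in text for p in SENSITIVE_REQUESTS):
        findings.append("body asks for credentials or account/banking details")
    return findings


# Constructed sample messages for the demonstration; not real mail.
SUSPICIOUS = """\
From: Campbell Law IT Admin <admin@campbel-law.example>
Reply-To: helpdesk@mailbox-recovery.example
Subject: PASSWORD CHECK REQUIRED IMMEDIATELY
Content-Type: text/plain

Your mailbox will be suspended. Confirm your password at
https://campbel-law.example/login within 24 hours.
"""

LEGITIMATE = """\
From: Jane Paralegal <jane@campbell-law.example>
Subject: Draft motion for Thursday
Content-Type: text/plain

Attached is the draft we discussed. Comments welcome before Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        hits = phishing_indicators(raw)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

The constructed suspicious message trips all seven checks while the ordinary office message trips none; in practice, one or two hits is enough to justify the out-of-band confirmation described in the last bullet.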

Protecting Important Law Firm Data

There are a number of steps your law firm can take to protect against phishing. To start, check whether any email addresses associated with the firm have appeared in high-profile breaches. A website like Have I Been Pwned lets you identify email addresses and passwords that have been exposed in breaches of online services. If you learn that an account has been exposed, change its password immediately.

For the passwords your staff use, consider installing a password manager. This lets the firm adopt long, complex, unique passwords without anyone having to memorize them. It’s also a good idea to make multi-factor authentication mandatory at your firm: it adds another step to the login process, so a stolen password alone is not enough for an account takeover and the breach of confidential data.

Attackers constantly change the methods they use to steal information. To stay on top of the latest threats, you and your team can take part in phishing awareness training programs, which educate employees on the characteristics of spam, phishing, malware, ransomware, and social engineering attacks.

Vigilance is crucial in today’s risk-filled digital world. When you and your office staff understand common phishing attacks and the protective measures you can implement, you reduce the chances of being harmed by a scam.