Spear Phishing: When You Are the Target

At this point, most people know what "phishing" means - the creation of fake "spoofed" emails in order to trick people out of personal and banking details.

A variant, however, is becoming more and more common. So-called "spear phishing" is a growing problem affecting more companies every year, and it requires a bit of specific knowledge to deal with.

What is "Spear Phishing?"

In normal phishing attacks, the hackers cast a wide net. They may even send the fake emails to people who aren't customers of the company they're spoofing. They send out thousands of messages in the hope of finding a few suckers. Often, they use pre-written "phish kits" to harvest large numbers of credentials.

Spear phishing, on the other hand, targets a specific individual, business, or organization. The hackers do their homework, study their victim, and launch a deeply personalized attack. Law firms tend to be particularly popular targets, with the goal of either stealing highly sensitive information, installing malware or, in some cases, simple blackmail. Generally, the goal of stealing information is insider trading or something similar. Criminals can get a lot of money out of these attacks, with law firms sometimes being forced to pay up so as to avoid a reputation-destroying data breach. According to one report by Verizon Data Investigations, 59% of all emails to law firms are phishing attempts.

While most regular phishing emails try to trick you into logging into a fake website or downloading a malicious attachment, spear phishing can be more complicated. In addition to the above, hackers may use social engineering to convince you to send them money or documents. Malware may not be attached to the email itself (where it can be scanned) but hosted on Dropbox or Google Drive, which are generally not blocked by IT. Another trick that may be tried on law firms specifically is to identify a high-value client and impersonate them. It's not always possible to completely hide who you are working with.

At a higher level, what's known as business email compromise (BEC) targets payroll or invoicing: convincing payroll to send money to the wrong people, pretending to be a supplier, or pretending to be an executive and asking for employee W-2 forms.

Do Thieves Only Attack Large Firms?

No. Hackers will attack anyone from whom they think they can get enough money to make the effort worthwhile. In fact, small to medium-sized firms can be more attractive targets, as they tend to have a smaller budget to spend on both IT and training. Many spear phishing attacks readily circumvent technological security and rely entirely on social engineering. Spam filters, for example, won't catch spear phishing emails because they are personally written and look just like normal correspondence.

In 2017 alone, W-2 phishing scams compromised over 100 different organizations, and the IRS continues to actively warn all companies about these kinds of attacks, with a mechanism for reporting them. The last five years have also shown an upward tick in attacks on businesses with fewer than 250 employees. As tactics become more sophisticated, it becomes easier to go after small to medium-sized firms.

Why Should You Be Concerned?

Many small businesses can be knocked out of business by a single data breach, even one of relatively small scale. Small firms are naturally more vulnerable to anything which causes clients to lose trust. 60% of small businesses go out of business within six months of a cyber attack.

Trust, for lawyers, is important currency, and your clients need to know that their confidential information is safe and is not going to be stolen and published or used against them.

Spear phishing emails can be remarkably hard to spot, and executives and partners statistically have a harder time doing so than lower-level workers. These attacks work on the weak link, the human element, and can be conducted with essentially no technical knowledge whatsoever.

How Can You Protect Yourselves?

As already mentioned, spear phishing emails are generally not caught by spam filters (which can also have a hard time with the better quality mass phishing attempts). However, there are still things you can do:

1. Have IT set things up so that email from outside the company is marked with "External." This is relatively easy to do and makes it harder for attackers to spoof internal people. For example, W-2 scams are often conducted by impersonating a partner or other high-level individual to ask HR for information.

2. Institute a practice of confirming via phone before sending money or sensitive information. Make sure that nobody is authorizing a wire transfer to a supplier based on a single email. While this can be a pain, it can prevent many BEC-type attacks.

3. If possible, have accounting use a separate machine to check email and surf the internet, which can set up a barrier against malware.

4. Use antivirus and malware protection on all devices, including phones. While spam filters can't generally catch spear phishing, they can sometimes intercept more generic phishing attacks, such as the common shipping-details scam where a business is sent a UPS tracking number that leads to a bogus site. Some newer spam filters are starting to use machine learning to block emails in a more sophisticated way, but be aware that this can increase false positives. An outgoing email filter can also be set up to block certain kinds of information from being sent to external addresses.

5. Educate users on the risks and train them in how to spot suspicious emails. Running occasional phishing drills is a good idea, allowing you to target vulnerable employees for further education. Make sure that this includes partners. Have a procedure for reporting suspicious emails to IT. Never reply to a suspicious email to ask if the person sent it, as the chances are that the reply will go to a hacker. If unsure, call them or start a new email using your stored address for the person. User education is the most important layer of defense.

6. Make sure all users use strong passwords or pass phrases and implement multi-factor authentication for, at least, the most sensitive information such as client correspondence, payroll information, and banking information.
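As an added illustration of items 1 and 5 (not code from the original post), the following Python gateway logic tags external mail with "[External]" and flags two signs of insider impersonation: an outside address using a staff member's display name, and a sender domain one or two characters away from the firm's own. The domain, staff directory and sample message are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
# Assumptions (constructed): the firm's mail domain and a staff directory.
INTERNAL_DOMAIN = "example-lawfirm.com"
STAFF = {"jane partner": "jane.partner@example-lawfirm.com"}
# Constructed sample: an outside address borrowing a partner's display name.
SAMPLE = """\
From: Jane Partner <jane.partner@examp1e-lawfirm.com>
Subject: W-2 forms needed today

Please send me PDF copies of every employee's W-2 before noon.
"""

def edit_distance(a, b):
    # Levenshtein distance, used to spot look-alike sender domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_external(msg):
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender.rsplit("@", 1)[-1] != INTERNAL_DOMAIN

def tag_external(msg):
    # Prepend the marker once (item 1 above); returns the resulting subject.
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith("[External]"):
        subject = "[External] " + subject
        del msg["Subject"]
        msg["Subject"] = subject
    return subject

def impersonation_flags(msg):
    # Signals that an external sender is posing as an insider.
    name, addr = parseaddr(msg.get("From", ""))
    addr, flags = addr.lower(), []
    if not is_external(msg):
        return flags
    domain = addr.rsplit("@", 1)[-1]
    if name.lower() in STAFF and STAFF[name.lower()] != addr:
        flags.append(f"display name '{name}' is staff, address {addr} is external")
    if 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"sender domain {domain} looks like {INTERNAL_DOMAIN}")
    return flags
def analyze(raw):
    msg = message_from_string(raw)
    return is_external(msg), tag_external(msg), impersonation_flags(msg)
```

Running `analyze(SAMPLE)` tags the subject and raises both flags; genuine internal mail passes through untouched with no flags.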

Protecting yourself and your clients from spear phishing is vital. The key element is user education. As with many modern threats, spear phishing uses social engineering and attacks the weakest part of your cyber security system: You. Small and medium firms should follow best practices to prevent spear phishing attacks.

