An often-cited University of Maryland study measured an attack on an internet-connected computer roughly every 39 seconds. Phishing is involved in 32% of data breaches, and given the sheer scale of modern phishing campaigns, nearly every business on the planet receives phishing emails and targeted spear-phishing attempts. In 2018, two-thirds of businesses suffered a successful social engineering attack, and over half of the technology decision-makers surveyed named phishing as their single biggest security threat.
All of these numbers point to one thing: social engineering and phishing are a plague on modern business. The cold fact is that your firm will be targeted by phishing. The odds are against you. So what can a law firm do?
Not avoid the crosshairs: a firm cannot opt out of being targeted. The useful goal is to make sure that when a phishing email arrives, it is filtered, recognised, or at least fails to do damage. In other words, tighten security.
Here’s how to start:
Understanding Social Engineering and Phishing Attack Vectors
- Social engineering is the manipulation of people into doing something that benefits an attacker: disclosing a password, opening an attachment, approving a wire transfer, or granting access. Email is the most common channel, but phone calls, text messages and in-person pretexts count too.
- Phishing is the email-borne (and, increasingly, SMS- and chat-borne) form of social engineering: the attacker impersonates a trusted party, such as a vendor, a colleague, a court, or a well-known brand, to harvest credentials, deliver malware, or trigger a fraudulent payment.
Phishing is harmful to any business. But for companies that handle highly sensitive information, law firms above all, a single successful phishing email can wreak havoc on your bottom line. 81% of consumers say they would avoid a brand after a single data breach, and the average cost of a data breach across industries is over $3 million.
Law firms face several kinds of attack. DDoS attacks, exploitation of unpatched software, and direct network intrusion are all serious and common. But nothing compares to phishing. Nearly 80% of law firms were targeted by phishing attempts last year, and firm size does not matter: attackers want the data, and over 90% of breaches at small law firms started with a phishing email.
Mossack Fonseca & Co. went from being one of the largest offshore law firms on the planet to closing its doors after a single data breach, the 2016 Panama Papers leak. 18 of the top 50 firms in the world fell victim to phishing scams last year.
With social engineering and phishing attacks on the rise, it’s important to understand one thing: preventing social engineering requires a combination of security solutions and training. You need both.
Training teaches employees to recognise and report phishing emails. Security software filters, quarantines and blocks phishing attempts before and after delivery. Together they form a two-pronged defence against threat actors.
Here are three ways you can stop phishing scams dead in their tracks.
1. Identify a phishing scam
You can’t fight what you don’t know. So, what does a phishing scam look like? Typically it arrives as an email: according to Verizon’s Data Breach Investigations Report, 94% of malware is delivered by email. How can you tell if an email is a phishing attempt?
- Check the sender, not just the display name: Sometimes phishing emails come from addresses that look… fishy. But usually the sender appears legitimate at a glance. Your mail client shows a friendly display name (“Microsoft Account Team”) that anyone can set; the address behind it is what matters. Look for lookalike domains such as Mi.crosft.com or Microsft.com and check each letter of the domain, including substitutions like a zero for an “o” or “rn” for “m”. Bear in mind that a correct-looking domain is not proof on its own: the From address can be forged outright if the sending domain does not publish and enforce SPF, DKIM and DMARC. A law firm cannot refuse all mail from unfamiliar senders, so treat such mail as unverified: read it, but do not click, open, pay or reply with information until you have confirmed the sender through a channel you already trust.
- Look at the language: Phishing emails prey on human emotions. Fake crisis notes, phony bill and credit alerts, free giveaways, and “urgent” requests from a partner or client are all immediate red flags. Spotting a phishing email used to come down to poor grammar, but today’s threat actors are far more polished. Learn the patterns instead: the message is almost always urgent, it discourages you from checking with anyone, and it leans on fear, authority, or a “Fear of Missing Out” (FOMO).
- Be wary of attachments: Don’t open attachments you were not expecting, even from senders you know. A colleague’s or client’s mailbox can be compromised and used to continue an existing email thread with a malicious file. Invoices, “shared documents” that demand a login, and files that ask you to enable macros deserve a phone call to the sender first.
- Don’t click those links: Roughly 1.5 million new phishing websites are created each month. If an email points you to a website, hover over the link (or long-press it on a phone) to see the real destination, and compare that domain letter by letter with the one you expect. If you need to reach the site, type the address you already know or use a saved bookmark rather than the link in the message.
- Reputability isn’t guaranteed: Scam artists can make an email look legitimate. Logos, footers and signature blocks are copied straight from real messages, so a Google logo doesn’t mean that an email came from Google.
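The sender checks in the list above can be automated for review or reporting. The following Python script is an added example, not code from the original article or from Vertex: it parses a From: header, separates the display name from the address, and flags lookalike domains (typos, extra dots, digit and Cyrillic homoglyphs, a trusted brand used as a subdomain or only in the display name). The TRUSTED_DOMAINS list and the sample headers are constructed assumptions; a firm would substitute its own correspondents.

```python
"""Lookalike-sender check: flag From: addresses that impersonate trusted domains.

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample headers below are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Assumption: domains the firm already corresponds with (firm-specific list).
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "examplelaw.com"}

# Characters attackers swap for visually similar ones. Multi-character keys
# come first so "rn" collapses to "m" before the single-character rules run.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    # Cyrillic letters that render identically to Latin a, e, o, p, c, y, x.
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def skeleton(text: str) -> str:
    """Reduce text to a form in which lookalike characters collide."""
    text = unicodedata.normalize("NFKC", text).lower()
    for bad, good in CONFUSABLES.items():
        text = text.replace(bad, good)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between long names suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_host(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, sender domain), decoding punycode."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].rstrip(".").lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):  # IDN label: show it as the user would see it
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return name, ".".join(labels)


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', reason) for a From: header.

    'lookalike' means: manual review and out-of-band verification before acting.
    A 'trusted' verdict only says the visible domain matches; it does not prove
    the message was not forged, which is what SPF/DKIM/DMARC checks are for.
    """
    name, host = sender_host(from_header)
    if "." not in host:
        return "unknown", "no usable sender domain"
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", f"domain matches {t}"
    name_skel = skeleton(name)
    host_labels = skeleton(host).split(".")
    for t in trusted:
        brand = t.split(".")[0]
        # Trusted brand in the display name while the address is elsewhere.
        if brand in name_skel:
            return "lookalike", f"display name claims {brand!r} but address is @{host}"
        # Trusted brand as a label of some other domain (e.g. microsoft.com.evil.example).
        if brand in host_labels:
            return "lookalike", f"{brand!r} used as a label inside {host}"
    # Compare with dots removed so "mi.crosft.com" is measured against "microsoft.com".
    squashed = skeleton(host.replace(".", ""))
    for t in trusted:
        t_squashed = skeleton(t.replace(".", ""))
        if squashed == t_squashed:
            return "lookalike", f"homoglyph or extra-dot variant of {t}"
        dist = levenshtein(squashed, t_squashed)
        if dist <= max(1, len(t_squashed) // 6):
            return "lookalike", f"{dist} edit(s) away from {t}"
    return "unknown", "not a known or lookalike domain; verify out of band"


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    for header in [
        "Jane Doe <jane.doe@mail.google.com>",
        "Microsoft Account Team <no-reply@microsft.com>",
        "billing@mi.crosft.com",
        "alerts@rnicrosoft.com",
        "Opposing Counsel <counsel@smithjones-law.example>",
    ]:
        print(f"{header!r}: {classify_sender(header)}")
```

A “lookalike” verdict is a prompt for review, not proof of fraud, and the edit-distance threshold will occasionally flag a legitimate domain that happens to resemble a trusted one. A “trusted” match compares only the visible domain string, so this check belongs alongside SPF/DKIM/DMARC verification at the mail gateway rather than in place of it.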
2. Invest in Training
Even if you know what a phishing scam looks like, that doesn’t mean 100% of your employees do. In fact, around 30% of phishing emails get opened. That’s a big problem! If you want to mitigate phishing, you have to invest in the right employee training. There are two ways to go about this: learn about phishing yourself and train your staff in-house, or use a third-party consultant with years of experience handling phishing campaigns.
Obviously, we recommend the latter. Bring in a reputable consultant who understands your industry. Not only will they have experience with training, but they’ll understand the complex pretexts that threat actors regularly use against firms like yours. Whoever runs it, measure the training: periodic simulated phishing campaigns give you a click rate and a report rate you can track over time, instead of a guess.
This is especially critical in today’s remote-heavy ecosystem. Employees working from home sit outside the filtering and monitoring of your office network, so they need to be trained to identify risks on their own.
3. Get the Right Security Tech Stack
Training doesn’t always work. According to Eric Johnson at Vanderbilt University, “training exercises are not going to move the needle a lot.” Johnson claims that “even security professionals will click on links they shouldn’t click on” and adds: “the weakest link in security is often the human being in the loop.”
And he’s right! Phishing works because it preys on people. Social engineering requires human participation; it is designed around abusing the human element of security. So train, yes, even if it only helps so much. But training alone won’t carry you: you also need technology, because software applies the same checks to every message, every time, and is not swayed by a convincing logo, a near-identical domain name or an emotional appeal. It is not infallible either, which is exactly why you need both layers.
Mitigate phishing with software that can identify, quarantine and remove these messages before they reach an inbox. If employees never see them, they can’t fall for them. Then go beyond mail filtering, because some messages will get through: you need endpoint protection that catches the malware a click delivers, multi-factor authentication so a phished password alone does not open an account, least-privilege access that limits what one compromised user can reach, and monitoring across the network so a successful phish is detected and contained quickly.
Is Your Law Firm Ready to Stop Social Engineering Attacks?
Over a quarter of law firms experienced a data breach in 2019. Don’t join the club. At Vertex, we provide best-in-class security technology, training, and consulting for law firms in the Toronto area. We can help you strengthen your security posture and shrink your attack surface. Let’s stop phishing attempts in their tracks. Contact us to learn more.