The Legal Tech Podcast

Don't Eat the Phish - Practical Advice How to Prevent Phishing Attacks

Daniel J. Siegel Episode 5

Phishing and Spear-Phishing are two methods used by cyberattackers to obtain personal information from clients, staff and family, and to gain access to computers and office networks in order to install malware and ransomware. In this episode of the Legal Tech Podcast, attorney and technologist Daniel J. Siegel, a pioneer in the field of Techno-Ethics, provides an introduction to the world of phishing, offering background information and providing practical solutions that law offices and businesses can immediately implement to prevent these attacks. The Legal Tech Podcast is sponsored by Integrated Technology Services, LLC and the Law Offices of Daniel J. Siegel, LLC.

Hello. Welcome to today's edition of the Legal Tech podcast, sponsored by Integrated Technology Services LLC and the law offices of Daniel J. Siegel LLC. I'm Dan Siegel. Today's program is going to focus on fishing. I say phishing and spear phishing as S P E A R P H I S H I N G. These are two areas where offices and homes and everywhere else are particularly vulnerable to cyber threats and cyber attackers. And we're going to provide some very basic information about what phishing is, what spear phishing is and what you can do very easily to try to prevent some of these attacks from happening. Phishing itself is defined in a lot of different ways by a lot of different techies. But really, what it is is the fraudulent practice of sending emails that appear or are trying to appear to be from reputable companies or people to get you and their recipients to either reveal personal information or to go to a website where they're going to reveal personal information. And then they give away their passwords, their credit card numbers, their logins, all of that type of information. Spear phishing is a little bit different, but not a lot different. It's the same type of campaign or effort where criminals and others are trying to get personal information from people. But spear phishing targets very specific people or recipients. It is not uncommon, and we have seen it in our offices where a client of a law firm receives an email. The email appears to be from the attorney in that firm or a paralegal, or someone in the firm who regularly communicates with the client. The email then asks or directs the client, the recipient, to take certain action. It can often be to wire money, to provide log in information, et cetera, et cetera. And spear phishing emails are particularly effective because the senders have information and are able to literally duplicate exactly what the email would look like had it actually come from the attorney or the law office, or it could come from a bank, it could come from lots of different sources. Phishing, which is what most of us are used to, are those emails that theoretically appear to be from your bank but aren't with phishing emails. You can usually tell there are some telltale signs that help you understand why these aren't legitimate emails. The first thing is to look at the sender's email address because in many cases, even though it may say it comes from X Y Z Bank, you look at the sender's email address and you see it is not anything like that, and it's an at gmail.com email address or or some address that you know, has symbols, numbers or letters after it that make it appear that make it clear, really, that the email came from some other location. Another hint for phishing emails. And it's what we always tell people to do is that individuals who receive them should place their mouse over the hyperlinks the highlighted typically in blue links in the email. Don't click them, because if you click them, you could not only potentially be put in a spot where you're asked to reveal information, but even worse, you could actually allow a virus to infect your computer so you hover your mouse over those links. And often you will see right away that the links that may be directing you to Girard Bank actually are showing some other website as well. In many cases, phishing emails come from banks you don't even deal with or organizations that you don't or your clients don't deal with. So individuals have to take very good care to first look at the sender. Second, look at the recipient to see if there's even names in the To email because many times there aren't because these are being sent in a blank address. Third, hover over them, the mouse links, to see whether they appear legitimate or consider whether you even expecting or have any reason to expect an email from a bank , cetera. In most cases, banks do not suddenly send emails that are requesting personal information, and most banks will tell you in their legitimate emails that we are not going to request account information, personal information, etc. And if you're in doubt and you're not sure if that email is legitimate, well, then you don't have to click on it. You can simply go to the website for the particular bank, go directly and see if you log in there if in fact, there was any request pending. Another option is to pick up the phone, call the bank, call the business, call the vendor or whomever it is, and see if they sent the email. Another thing you can do many vendors, many companies, American Express, for example, have email addresses where you can forward suspicious emails and they will tell you if those emails are legitimate or not. But the worst thing to do is to click on or respond to those emails unless you are absolutely sure they come from the sender. Now, spear phishing is a little bit different because spear phishing emails look in many cases, to be completely legitimate and accurate. That doesn't mean that they are. The cyber criminals are getting more and more sophisticated, and as they get sophisticated, they are able to make links appear to be legitimate. Even though they're not, they can redirect you. But often they are directing the recipient to take an action that may not be on a link as much as it is to do something else, like wiring money to a particular account. So let me tell you a story about one law firm where spear phishing occurred. The attorney receives a call from a client, an elderly client, because the client had received an email directing the client to wire money to pay for inheritance taxes to a specific bank. The client not thinking about this in great detail didn't call the attorney and simply responded by wiring the money. That money was gone. The next thing the client knew they were getting a second email requesting an additional wire, and it was at that point that the client realized that something may not be right, and the client called the law firm only to find out that in fact, those emails were not legitimate. They were spear phishing. So what do you do as attorneys? What do you do in order to prevent clients from taking these types of actions? It's the same thing you should be doing with your staff. It's education. So what do we advise law firms to do when we are consulting with law firms? We advise them to not only have discussions about cybersecurity with staff to not only train staff in proper or best practices relating to cybersecurity and phishing emails, but to go a step further and to explain to clients so that when you meet with a client, particularly in matters where there may be financial transactions, an estate, an estate planning, insurance, planning trusts a lot of those types of business transactions. Explain to the client, just like the banks do with us that you are not going to request or will ever e-mail a client to take financial action to wire money, to send a check to do any of those things because that way, the client knows. Second, explain what the procedure is in your office for those types of transactions. So Miss Jones, let me explain to you that if in fact, we do need you to send us some money or to make a payment for an inheritance tax return or something like that, we will call you when it will either come from me or from an individual who you know in our firm who will then make that direction to you. That's what you want to do. And if you have any question, if you receive any type of communication that doesn't seem correct, then don't respond to it at all. Call us and we are here to take your call. We will always, you know, explain to you will always do all of that. So you want to be very careful when you're meeting with new clients or when you're having follow up conversations with clients to just remind them, Hey, Miss Jones, just so you know, it's getting to the time where we're going to have to pay that tax or that bill or whatever the case may be. And we're going to be in touch with you either by phone, but we're not going to just email you and tell you how to send the money or where to send money. You have to be careful. There's many security companies out there who are now saying that the two types of biggest threats to firms and individuals are ransomware and phishing and in particular, spear phishing. And one of those companies, called Trend Micro, has named spear phishing emails as one of the top areas for threats not only to individuals but to companies and their network. Because when you do spear phishing and someone replies they are providing personal information and the sender is simply doing what we used to see years ago, it could even be the days of the Music Man where they're just trying to get the recipient, your client, your staff member, to feel confident and comfortable with them. And then that's when they act. So it's really important to understand that while fish is healthy for your diet, phish and phishing aren't healthy for your computers, your clients, your friends or your family. I'm Dan Segal. You've been listening to the Legal Tech Podcast.

Today's topic:

Don't eat the phish. The podcast is sponsored by Integrated Technology Services LLC and the law offices of Daniel J. Siegel LLC. You can find us at Techlawyergy.com, T E C H L A W Y E R G Y dot com and Daniel J. Siegel dot com D A N I E L J S I E G E L dot com. Thank you again for listening. We hope you enjoyed today's edition of the Legal Tech podcast.