Spotting email compromise in law firms: users vs. technology

Posted by Gemma Sirett on August 14, 2019

The legal sector presents the perfect playground for cyber attackers, with sensitive data waiting to be exploited and the reputations of law firms waiting to be destroyed. Diversion fraud, spear phishing, phishing and social engineering are all very real threats currently facing law firms. To combat these threats, law firms need to move away from placing the burden of spotting cyber attacks on employees, and instead use sophisticated detection engines and threat intelligence sources to transform their email security and threat protection.

Repeating past mistakes

While no business wants to risk damaging their reputation, it is particularly critical for the legal sector. Law firms only have one chance to protect their reputation before clients lose confidence and take their business elsewhere. From intellectual property to personal data, the value of information held by law firms is high, making them a big target for any cyber criminal. In reality, though well-protected FTSE 100 companies are tempting prey, their legal representatives provide equally rich rewards and are, unfortunately, likely to be easier to breach.

Companies are increasingly aware of cyber threats, but many in the legal sector are still focusing their defence efforts on their employees, which isn’t a good place to start. Commonly heard phrases such as ‘users are the weak link in cyber security’ are prompting rigid user training programmes, in the hope they will give employees the skills they need to spot a potential cyber attack, saving the firm from the resulting repercussions.

With industry messaging also highlighting that over 70% of cyber attacks start with email, it’s easy to see why companies start to believe that training users to spot malicious emails and social engineering attacks is the best approach to take – especially when law firms have been scarred by past incidents of email-based diversion fraud, where clients have transferred payments to criminals rather than law firms. That’s a situation no law firm wants to be in.

Realistically, companies cannot risk their business reputation by basing their security posture on the assumption that employees will never make a mistake, especially employees who are up against the clock. Fraudulent emails are skilfully crafted to fool users, so how can a company assume that no user will ever act on a fraudulent email that lands in their inbox?

Risking liability

Relying on users to spot malicious emails is not a strategic approach. Of course, it’s still important for users to be aware of security issues, but they cannot be expected to identify malicious emails without being given sufficient information. This simply sets users up to fail.

On top of this, there are also liability concerns. While the majority of diversion fraud emails have followed the impersonation model, where a criminal masquerades as the law firm to entice a client to send funds to alternative bank details, firms must also consider business email compromise, where the law firm is compromised and the email actually comes from the firm’s own system. In the former case, the client/law firm relationship is strained, to say the least, but the law firm is not liable. For the latter, however, a law firm would be liable and would be likely to incur the associated costs, as well as facing the consequences of reputational damage.

Removing the burden

Phishing, spear phishing, social engineering and diversion fraud cannot be ignored by law firms – these threats are very real and won’t disappear any time soon. Whether it’s hard-pressed solicitors or administrative staff, law firms cannot expect employees to carry the weight of identifying these threats, essentially plugging the gaps in unsuitable cyber security strategies. Having users as the first line of your defence is flawed, and arguably even lazy. Law firms need to treat email as the serious cyber security risk that it is, and put appropriate security measures in place.

Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources. Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, removing the burden from users and leaving technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning users can make quick, informed and confident decisions as to whether the email should be trusted.
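As an added example (not code from the original post or from any product it describes), the heuristic below illustrates the distinction drawn earlier between the impersonation model and business email compromise: header checks expose a sender that only claims to be the firm, whereas a diversion request that genuinely leaves the firm's own domain passes those checks and is surfaced only by content checking. The firm's domain and display name, the diversion phrases and the three sample messages are all assumed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"   # assumed placeholder for the firm's own domain
FIRM_NAME = "example law"          # assumed display name clients expect to see
# Constructed phrases typical of a payment-diversion request.
DIVERSION_PHRASES = ("new bank details", "updated bank details",
                     "changed our bank", "pay to the following account")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _canon(domain):
    # Collapse common look-alike tricks (0/o, 1/l, rn/m, hyphens) before comparing.
    return domain.lower().translate(str.maketrans("01", "ol")).replace("rn", "m").replace("-", "")

def classify(raw):
    """Return (verdict, flags) for one RFC 5322 message supplied as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    flags = []
    # Header checks catch the impersonation model: the mail only claims to be the firm.
    if FIRM_NAME in name.lower() and from_dom != FIRM_DOMAIN:
        flags.append("display name claims the firm but sender domain is not the firm's")
    if from_dom != FIRM_DOMAIN and _canon(from_dom) == _canon(FIRM_DOMAIN):
        flags.append("look-alike sender domain")
    if reply_dom and reply_dom != from_dom:
        flags.append("Reply-To points at a different domain")
    diversion = any(p in text for p in DIVERSION_PHRASES)
    if diversion:
        flags.append("payment-diversion wording in body")
    if flags and from_dom != FIRM_DOMAIN:
        return "impersonation", flags
    if diversion:
        # Headers are genuine because the mail really left the firm's own system: the
        # business email compromise shape, which only the content check surfaces.
        return "possible business email compromise", flags
    return ("review" if flags else "no indicators"), flags

# Constructed sample messages (not real correspondence).
IMPERSONATION = ("From: Example Law Accounts <accounts@examp1e-law.test>\n"
                 "Subject: Completion funds\n\nPlease note our updated bank details.\n")
COMPROMISED = ("From: Example Law Accounts <accounts@example-law.test>\n"
               "Subject: Completion funds\n\nWe have changed our bank; pay to the following account.\n")
BENIGN = ("From: Example Law Accounts <accounts@example-law.test>\n"
          "Subject: Completion statement\n\nStatement attached; our bank details are unchanged.\n")
```

Calling `classify()` on each sample returns "impersonation", "possible business email compromise" and "no indicators" respectively; in a real deployment the verdict would feed the automatic flagging the paragraph describes rather than being left to the recipient.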

With such sophisticated technology available and a growing threat landscape that shows no signs of slowing down, there is no need for – and no excuse for – putting the burden on users when it comes to mitigating email compromise. It’s time for law firms to make a change and appropriately protect themselves from incoming cyber attacks.