Law Office Manager

The Tax Man Emaileth

March 26, 2018

By Doug Striker

You know that old saying, “The only guarantees in life are death and taxes?” To that pithy, depressing phrase, I’d like to add “death, taxes, and phishing.”

Yes, I believe that phishing is and will be forever a part of our human experience because criminals know we are suckers. And no matter how many people I can train and turn into savvy, discerning email users, there will be another sucker born every minute. (Another pithy, depressing cliché.)

In a nutshell: phishing is the cause of the greatest hacks we’re facing today. And unless we all stop emailing, it ain’t going away.

I don’t plan to stop emailing. Do you? Nah. So, phishing is going to remain part of our lives. The question is, what are you going to do to protect yourself and your law firm from it?

Ransomware is so last year

Cybercriminals use phishing as the gateway to any number of criminal activities. Last year, it seemed that ransomware was their favored attack. This year, it seems that they want our store of passwords.

According to a March 2, 2018 Dark Reading article,

“Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

“It’s all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.”

These criminals want access to our bank accounts, our shopping accounts, our healthcare accounts, our credit card accounts… with our passwords, they can take us down. And how do they get our passwords? By phishing our email accounts and getting us to click on nefarious emails.

The latest attack targeted Microsoft 365 users and came disguised as emails from the IRS. Very timely given that tax day is around the corner. The Dark Reading article I referenced above also states:

“Examples of this tactic include files named “taxletter.doc” and phrases like “We are apprising you upon the arisen tax arrears in the number of 2300CAD.” The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

“Today’s documents are far more active … you’re putting in a lot of content, media, links,” says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. “Bad guys are leveraging the dynamic, active manner of the documents today to weaponize their files.”

In other words, the bad guys are making their emails look and act like legitimate emails that we get from trusted sources. They include Word and Excel documents (which are laced with malware) to make everything more recognizable and comfortable for their targets.

And they are using tax day, a typically nervous, frustrating time for 99% of U.S. citizens, to play on our vulnerabilities. But don’t be fooled! The IRS would never email you questions about your taxes! In fact, the IRS itself is proactively trying to help people avoid these scams. Their website includes the following content:

“The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

The site goes on to explain how you can report the phishing attempts to them directly.

What can I do to protect myself from phishing?

While it would be nice if we could somehow block phishing emails and only allow legitimate emails to hit our networks, we’ve all learned that such hard-core tactics end up blocking real emails (in the law firm industry that means “real work”) and create a false sense of security for email users.

The hands-down most effective way to protect yourself and your law firm (and your clients) from phishing attacks is to educate your entire firm to recognize, isolate and report suspicious emails. In other words, you need ongoing security awareness training, and this training should include:

  • Continuously updated phishing templates that mimic the very latest attacks
  • Phishing templates that you can customize
  • Phishing campaigns that you can release at the press of a button
  • Reportable results down to individual users
  • Training materials to support in-person and online (LMS) learning

I’ve studied many security awareness training companies and I like KnowBe4 best because I think it offers the best content for law firms, makes the trainings as easy as possible on administrators, and it works.

The KnowBe4 simulator enables you to create compelling, fake emails, push them out to your firm, track the people who are vulnerable, and educate everyone to be more astute when they click. Here’s how it works:

  • Upload your users to the system
  • Launch a baseline phishing test using any number of templates
  • Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
  • Every month, send out another phishing campaign
  • Track improvements down to individual users over time

Conclusion

Are you worried about your firm’s vulnerability to phishing attacks? Then, time is of the essence. Arrange to educate your entire firm on how to identify and report suspicious emails.


Doug Striker is Chief Executive Officer of Savvy Training & Consulting, a provider of legal software training solutions. As a former Chief Operating Officer of a prominent law firm, he specializes in helping firms acquire the software platforms they need, training staff for maximum workflow efficiency, and enhancing continuity and bottom-line results.




Copyright © 2025 Plain Language Media, LLLP • 1-888-729-2315