chevron-down Created with Sketch Beta.

Law Technology Today

2023

LTRC Roundtable Discussion: Phishing and Email Scams

Debra L Bruce, James Andrew Calloway, JoAnn Hathaway, Lance G Johnson, Allison C Johs, John Simek, and Reid F Trautz

Summary

  • What phishing or scam message have you received that you might have fallen for if you weren't careful?
  • Have any of your clients, employees or vendors been subjects of one of these frauds or thefts?
  • See what our experts say on what technologies and other safeguards could be used by you and your organization to protect against data theft. 
LTRC Roundtable Discussion: Phishing and Email Scams
iStock.com/simarik

Jump to:

Our Panelist:

Debra Bruce  (DB), Jim Calloway (JC), Joann L. Hathaway (JH), Lance Johnson (LJ), Allison Johs (AJ), David Seserman (DS), John Simek (JS), and Reid Trautz (RT).

What phishing or scam message have you received that you might have fallen for if you weren't careful? Please indicate whether it was it by email, phone, text, postal mail, social media or something else.

DB:

  1. Scammers are getting really sophisticated. Last month I received an email from “my bank” with a subject line of “Action Needed: Please confirm activity.” The email included my full name, the last 4 digits of my debit card, and it was emailed to me, so the sender obviously had my email address. It asked whether I had authorized a charge of about $12 on my ATM/debit card. It told me the name of the payee and the date of the transaction. I googled the name of the payee and didn’t find that company online. The email gave me 2 choices: To keep the card active, or to close the current card by clicking to get a new card sent to me. It said, “If you need to speak with us, please call the number on the back of your card.” It also said “We need the fastest way to contact you. It provided a link to sign in and make sure my personal profile includes my mobile phone number. It also included a “Security Tip” saying that my bank (by name) will never ask for my account number or password in an email.  It had small print boiler plate at the bottom with links to the “Security Center” and “Customer Service.” The address that the email purported to come from was <myBank>@fraudalert.<myBank>.com. There were a lot of reasons why the email looked genuine. Two things saved me: 1) I don’t click on email links for anything associated with money, and 2) I almost never use that debit card. I couldn’t figure out how there could have been a charge on that card. I called my bank, and they had no record of that transaction, or an alert sent to me.
  2. Over a year ago I received several voicemail messages over a period of days from my internet, cable and phone provider telling me about a promotion for existing customers. Eventually I answered the phone on one of those calls. The caller was smooth, friendly, and unhurried. He said the offer was based on customer surveys about pricing. They were teaming up with Apple, who is sponsoring some of the cost. He asked me what services I had, and I said “You called me. Shouldn’t you know?”  He then said he would look it up. When he came back, he called me by name and quoted a monthly amount that was in the range of what I thought my monthly bill was. He said the promotion was for 2 years and quoted a rate lower than what I was currently paying. He said that included all taxes and fees and I could cancel at any time. My existing plan had a 2-year period, so that sounded reasonable, too. He answered my questions about how the promotion would impact my existing plan, and he asked if I wanted to add international calling to the plan.I asked how it would affect my security plan. He asked me which plan I was on, naming 3. I didn't know the name of my plan. He said he’s not in that department, but he would check. He came back and said something about me having 13 sensors. I corrected him and said I had 12. He correctly described aspects of my equipment. Somewhat early in the process he had told me I would need to call the billing department to activate the promotion. He didn’t offer the phone number at that time. He also said I would get a prepaid Visa card for $100 for signing up. (My provider did have some deals on its website offering prepaid Visa cards.)

    He confirmed the details of the offer, and he gave me a phone number for the billing department for my convenience. (I never intended to call that number. I would use the billing department number on the company’s website.) He gave me his name and his badge number and said if I had any other questions for him, to call that same phone number and just ask for the Promotions Department. Eventually he said I would need to pay with an Apple prepaid card as part of the co-promotion with Apple. I could go get the card after I registered for the promotion using the promotion code, he had given me.
    When I went to the company website, I couldn't find a number for the billing department. I wanted to check it all out. The company’s legitimate website kept wanting me to deal with its chat bot. I’m guessing the caller knew about that frustration. He knew a lot about the company’s existing service plans that I was familiar with, as well. I was fooled by all the details he gave me, but fortunately I would not move forward without verifying the information independently. I finally got to a human being on the company website and learned that it was an intricate scam.

JC: Text messaging scams are the easiest to fall for because you are more on guard when working as opposed to being out and about. One of my sophisticated co-workers almost fell for the newest PayPal scam when she received a message that $649.00 had been successfully transferred and there was a phone number to call if this was an error. Since we are cautious about links, she almost called the phone number. I assume every communication I received from a stranger referencing PayPal is a scam. If a message concerns you, log into PayPal the normal way, not using any information or link in an email.

JH: The typical scam messages I might have fallen for if I hadn’t thought twice were those that gave the appearance as though they are coming from within my organization.  These have occurred in everyday emails.

LJ: Most of the phishing scams come in by email, and they have gotten much better in the last couple of months. The most tempting one was an email with an HTML attachment (RED FLAG!) that purported to be a bill for online advertising thru a company I did not recognize.

AJ: I can’t think if anything specific, but I know there have been a couple that I came close on. Usually those were by email; I typically don’t answer the phone if it is a number that I don’t recognize. On social media, I only click on links that come from reputable sources, and I generally ignore, delete, and/or block texts from numbers I don’t recognize.

DS: Late night phone call during a deposition trip where I was asked for credit card verification and provided an answer.

JS: Cybercriminals are extremely resourceful and clever. Artificial intelligence is being used to improve our cybersecurity products but is also being used to improve phishing attacks. Phishing emails are greatly improved with very few (if any) spelling or grammatical errors. Recently, we received a particularly good phishing email. The message appeared to come from Microsoft with a request to update your email account. You were requested to scan the included QR code to update your account information within the next 7 days. Otherwise, your account would be disabled.

A few things to note about phishing email. 1) A well-known brand (Microsoft) was impersonated. According to Proofpoint’s 2023 State of the Phish report, 44% of recipients think the email is safe if it appears to come from a familiar brand. 2)You really don’t know where a QR code is going to take you. 3) You had to act quickly (7 days). 4) You feared that your email account would be deactivated.

RT: Many people in our office recently received an email containing a PDF purporting to be my organization’s new ChatGPT policy. That is such a hot topic that many people quickly clicked the attachment only to find it was a tempting test put out by our IT staff. Lesson learned!

What clever trick have you heard about that someone else got fooled by and that you want to warn others about?

DB: Most of us have heard about or received calls from someone pretending to be a friend or family member in trouble. One guy called me, starting the call with “Hi Grandma.” I don’t have any grandchildren, so I just toyed with him as he told me of his financial woes until he hung up. An acquaintance, however, got a much more insidious call purporting to be from her daughter. She swears that it was in her daughter's voice. With all of the videos and detailed information that people put on social media, combined with the capabilities of AI, scammers now have sophisticated ammunition to take advantage of unwary folks. I expect that a scammer could find someone listed on a law firm website and download their voice from a webinar, CLE program, YouTube or Instagram video to get someone to provide sensitive information.

JC: The romance scams initiated by sending a text message to a random phone number are new and scary. If they get a response, they apologize in a very friendly manner and then try something like “you seem very nice” to strike up a conversation, hoping it turns into online love and then a little financial assistance. We see lonely people falling for this one. Alert your friends and relatives about this expanding scam.

LJ: None that anyone will confess to.

DS: Nothing particular comes to mind. However, phishing emails that appear to come from trusted contacts have caught a number of people I know.

JS: It’s an “oldie but goodie” – The Windows Defender Scam. You end up navigating to a website that has code to pop up a Microsoft security screen with a Windows Defender warning stating that “Access to this PC has been blocked for security reasons.” There is a very helpful toll-free number to contact Windows Support. Calling the number gets you to a Microsoft Support imposter. They will want you to grant them remote access to your computer in order for them to “fix” your security problem.

RT: The more urgent-sounding the email, the more patience you have to have to review each component of the email thoroughly before acting on it.

Have any of your clients, employees or vendors been subjects of one of these frauds or thefts? If so, what can you share to help others stay safer?

DB: Train your employees about the scams and phishing attempts to get access to the firm’s computers, software, passwords and accounts. Do not make any disbursements or refunds from settlement checks, retainers or other sums received from new clients or opposing parties until you can absolutely verify that the payment deposited is legitimate and has cleared through your bank. Be sure that you can communicate with the new client in person or by video and verify their credentials, contact information and location. Quite a few law firms have allowed the new client to pressure them into acting quickly by describing some urgent aspect of the transaction. Seeing that the deposit showed up in the firm’s online account, the firm paid out the settlement or purchase price (or whatever fits the scammer’s story) to the other party. A few days later the firm learned that the check or cashier’s check or other payment was bogus and didn’t clear.

JC: Your boss will not email you from an email address you’ve never seen asking you to buy $1000 worth of gift cards and pay from your personal account. These messages periodically target bar associations, non-profits, and other groups.

JH: I am aware of several lawyers who have accepted clients virtually who presented with credible facts, only to take the matters and spend considerable time in discovery with eventual resolution, followed by wire transfers of money, remittance of two-thirds to their client, and then recall of the wire transfer due to its fraudulent origin.

AJ: I know quite a few people who have been hurt by these scams. The first thing to check is always the email address where the message originated from – often you can tell from the email address that the message isn’t legitimate. For example, the message might come from a different address than the name on the message, or the email comes from what looks like a personal email address rather than the email address of the company it purportedly comes from. I have also been known to Google “[name of company] scam” when I’m not sure if an email is legitimate. I also recommend going to the website of the company the email is purportedly from to transact any necessary business (i.e. make payments, etc.) or to check if the website lists the same issue that is described in the email message, rather than clicking on links in email messages that you’re not sure of. Use a VPN rather than going on public wifi networks, especially in places like airports or hotels.

I personally know of several law firms that have been victims of ransomware attacks. Some have been more protected than others. These hackers are sophisticated, and they have a lot of resources. Many of them have their own websites that “advertise” which companies and law firms they have hacked. Multiple off-site backups and cyber insurance are becoming non-negotiable must-haves for law firms. Hire a company to test your system and try to get in. But be prepared that with all of these precautions, you may get hacked anyway. Put a plan together now for how you will respond.

JS: We have had several clients and friends fall for the Windows Defender scam. This type of scam counts on your initiating the phone call to the fraudster. The solution is not to call and just close the browser window.

RT: It can happen to anyone within a firm or company so always be careful and keep training staff to minimize fraud and theft.

What technology or other safeguards do you or your organization use to protect against data theft and ransomware?

DB: Antivirus and malware protection software, remote backups, restrictions on who has access to passwords, complex passwords stored in a hopefully reliable password manager, password protected files for sensitive information, data storage in law practice management software with companies with far bigger budgets and security sophistication than a small firm can manage.

JC: Spam filters help but are imperfect. Our IT Director asks us to forward her screen shots of suspected scams or malware. She then checks to see if anyone else has received it and sometimes will do a firm wide email if it is something new.

JH: We use a third party to do email filtering of spam and phishing attacks, and a separate third party for endpoint protection.  For perimeter protection, we use a firewall appliance. In addition to this, we use a service to gather daily monitoring of user login anomalies as well as quarterly comparative network and security assessments for internal and external vulnerabilities.

DS: Use VPN when appropriate. Carry cyber insurance.

JS: One of the “must have” technologies is to have some sort of endpoint detection and response (EDR) solution, also marketed as managed detection and response (MDR) or extended detection and response (XDR). EDR solutions monitor the activity of a device and take action when there is suspicious and outside of the norm activity. There are several EDR/MDR/XDR solutions that are very affordable even for the solo and small firm lawyer.

We have been using SentinelOne for many years as have our clients. It includes features such as blocking activity consistent with ransomware attacks, automatically removing the device from the network to prevent lateral spread, and even rolling back the device to a known good state prior to data being encrypted. SentinelOne also includes support from a SOC (Security Operations Center).

In addition, you should also consider having a SIEM (Security Information and Event Management) solution to help analyze, detect, and take action for security threats in your environment. A SIEM processes the massive amounts of data from system and security event logs in an automated and intelligent manner.

Don’t forget about the simple things either. You should be implementing multi-factor authentication (MFA) everywhere you can as well as applying any software or firmware updates as soon as possible. There really is no excuse for failing to apply patches or using MFA since both are free.

RT: We use Barracuda and KnowBe4 as our primary user facing tools.

Do you do training for employees to protect against such risks? If so, how often?

DB: Yes, I have in the past, and I extend reminders if I see unwise behavior, work with someone new,  or learn of new risks. Nevertheless, I think people can be our biggest risk. I urge clients to use the client portal for sensitive information, but still receive emails from them with information that I would not send by email. By the way, could it be argued that a lawyer’s ethical duty to supervise employees and associates reporting to them can trigger an obligation to conduct such training? Or at least the obligation to preserve a client’s confidential information.

JC: The standard used to be annual training. Now that seems too long. Formal training two or more times each year seems best. Interim reminder emails to the firm when new scams are attempted against the firm or a new scam is exposed helps keep these threats top of mind.

JH: Employees go through virtual training on the various cybersecurity risks they may be presented with, and how to identify them.  Testing occurs by producing random phishing and other emails.  If the employee “takes the bait” they are required to engage in further cybersecurity training.  The training occurs on an as needed basis as determined by our IT Department.

JS: The short answer is yes. Security awareness training should be given at least once a year. Twice a year is even better given how fast the security landscape is changing. Check your cyber-insurance policy as most will require at least annual training.

RT: We have annual training but those who click on KnowBe4 tempting emails have some additional training too.

What concerns do you have about how artificial intelligence may provide more tools for fraudsters?

DB: As mentioned above, I worry that it will get easier to impersonate “trusted” people using their voice, image, writing style, etc. There have already been incidents where someone spoofing a boss’s email directs an employee to provide information or execute some other action desired by a fraudster. How much easier will it be if the fraudster can call the employee and give instructions in the boss’s voice?

JC: We will soon see ultra-personalized scams and malware communications, as AI harvests much of the data available about a target online to assemble a custom attack. Imagine a college student who attended a party receiving a text the next day that says “Hey it was nice to meet you at Bob’s BBQ party. I took a great pic of you, Cindy and Barbara [friends who attended the party]. Here’s a link if you’d like to have the picture.” The personalized content could likely cause recipients to lower their guard.

LJ: I am presuming that fraudsters have already integrated AI into their systems for devising the most tempting phishing content.

AJ: Artificial intelligence, to me, is the greatest upcoming threat. We have already heard about people being scammed by telephone calls that they thought were family members in trouble because artificial intelligence was able to re-create their family member’s voice on the telephone. With all of the video content being created now and all of the photos that are posted online, the technology is already out there that can make it seem as if you are having a conversation with someone on video, but it is all artificial intelligence. Rest assured that the scammers will be taking full advantage of it.

DS: Too may to list.  AI can and will provide more tools for fraudsters.

JS: As previously mentioned, AI is used for prevention of attacks as well as helping to facilitate successful ones. It’s a back-and-forth battle that has no end in sight. The attacks are getting more and more sophisticated with the use of AI. For now, the best advice is to be suspicious - always.

RT: The emails are more personal and contain more personal information gleaned from the internet to make you curious and click on them. We have to be even more vigilant.

What event, educational item, or news headline helped flip the light on for your firm or organization to take phishing emails and scams more seriously?

DB:

  1. The heartbreaking news stories of small law firms being swindled out of hundreds of thousands of dollars, such as this one described in the ABA Journal in 2022: https://www.abajournal.com/news/article/wells-fargo-didnt-have-contractual-duty-to-catch-scam-check-that-cost-law-firm-nearly-200k-judge-rules .
  2. The highly publicized email hacks of political figures.
  3. The story from a friend about receiving an email from the boss to send money to an account. The friend almost did it, but fortunately contacted the boss to ask a question about it first.
  4. The frequency with which I receive fairly obvious scam emails seeking to hire my legal services when a simple review of my website would reveal how off base the request is.
  5. My own personal experiences are described above.

JC: Seeing good and competent lawyers lose hundreds of thousands of dollars to scammers.

LJ: I got a phone call from a guy who represented that he was a cop and had a warrant that I had missed jury duty. If I only I got him some gift cards …. I called the local police dept and tried to set up a meet with him at the courthouse (where my bar group was having its meetings). The fake cop was a no-show, but phone scams became real for the first time.

AJ: I can’t say that there has been one single event or headline that changed things for me. But the sheer number of spam telephone calls and emails, along with the rapid pace of artificial intelligence, for me, has combined to make me even more cautious than I was before. We can only hope that some smart “good guys” come up with ways to combat these scams or make them more difficult to execute.

DS: For me, it is mainly bar activities where, for instance, I will be serving on the newly formed ABA taskforce on AI

JS: As a cybersecurity company, we’ve always taken phishing email and scam seriously. As for our clients, the “light bulb moment” is normally when they have a security incident or someone they know does. There is something compelling about being up close and personal.

RT: One was learning just how many law firms large and small were getting scammed, the other was obtaining a cyber liability insurance policy that comes with certain minimum tech and training requirements. Both were good reasons to up our game.

    Authors