Phishing is on the rise. According to our most recent report, Fighting Phishing: The IT Leader's View, 84% of organizations were phishing victims last year – a 15% increase from 2021.
Many of the affected organizations were hit with financially-motivated attacks: 59% were hit with ransomware, while 44% suffered from payment scams. According to IT leaders, 66% of all payment scams in their organizations resulted from business email compromise (BEC) attacks. The FBI's Internet Crime Report reveals that BEC scams made over $1.8bn in 2020 – that’s more than any other type of cybercrime.
We spoke to IT leaders across multiple industries. This article focuses on respondents from the legal sector and how they’re reacting to phishing.
Why cybercriminals target legal organizations
Our research reveals that legal organizations are at a higher risk of phishing threats than average. Statistics show that 47% of legal organizations had credentials stolen, compared to 42% overall. Legal organizations are also more likely to pay the ransom requested by cybercriminals – 21% of legal organizations have paid a ransom, compared to 17% overall.
Legal organizations' susceptibility to phishing attacks has become particularly apparent in recent years, given the significant increase in the volume of data managed online in response to Covid-19. In addition, the pandemic has significantly increased the amount of pressure faced by IT leaders in the sector. Most staff have had to rapidly transition to working from home, while systems have been stretched to accommodate a volume they were never intended for.
Legal technology advancement is another challenge that law firms face in cybersecurity. Each year, new applications for managing client legal data, constructing contracts, obtaining signatures, invoicing clients, or filing court documents are developed. While it's better for overall productivity, it also means more accounts, data, passwords that need management, and new ports of entry for a cybercriminal.
But cybercriminals were targeting legal organizations long before the pandemic, and there are several key reasons why:
Firms manage confidential information
Legal work often involves managing sensitive information that requires a high level of confidentiality – including medical, legal, and acquisition data. By gaining access to this information, cybercriminals have a significant amount of leverage when forcing companies to pay a ransom.
Threat actors exploit interpersonal relationships
In addition, the secure interpersonal relationships that legal organizations create with clients make them prime targets for exploitation. Cybercriminals often begin emails with low-commitment questions such as "how was your weekend?" and "do you have a few minutes for a chat?" to test an organization's security and identify weaknesses before launching the actual attack. If they don't get the answer they're looking for, they'll move on, but even experienced professionals can fall for the bait.
Attackers leverage public contact information
Lawyers are also more likely to have their contact information available online than other sectors, making it easier for cybercriminals to target them directly if security protocols aren't in place. Secure email gateways (SEGs) are designed to monitor emails sent and received. Their purpose is to prevent spam, phishing attacks, malware, or fraudulent content. However, these are not working as effectively as they should: 53% of legal organizations say that their SEGs require too much admin, compared with 47% of organizations overall.
Consequences of phishing attacks for legal organizations
Phishing threats can lead to devastating consequences for legal organizations. The constant consequence of virtually every phishing incident is financial loss. Legal organizations suffer from the loss of funds directly transferred by people who have fallen victim to cybercriminals and non-compliance fines imposed by regulatory bodies.
Following a phishing attack, law firms often cannot continue operating as usual. Targeted systems must often be taken offline completely, leading to a substantial decrease in productivity. These attacks also cost firms time and money to investigate and remediate the situation.
For example, in September of 2020, New York-based law firm Fragomen, Del Rey, Bernsen & Loewy, became victims of a possible phishing attack. The attack involved an unauthorized third party accessing driver's license numbers and other personally identifiable information (PII), putting them at risk of identity theft. As part of their remediation efforts, the law firm provided one year of free credit monitoring to all affected individuals.
Undoubtedly, one of the most devastating consequences for organizations is the damage to their reputation. Despite attempts to hide that they have been the victim of a phishing attack, investor and customer confidence typically drops significantly. Regaining this confidence is not easy, and many organizations do not manage to recover.
How can legal IT leaders respond more effectively to phishing threats?
For law firms and all other industries being targeted for phishing attacks, AI-based email security solutions could be invaluable security control. Machine learning (ML) tools help prevent successful incidents and significantly reduce the total impact of an attack. IBM's Cost of Breach Report estimated that AI solutions could cut the cost of a breach from $6.71 million to $2.9 million on average.
While training and traditional defenses are often effective against weak phishing threats, they often fail to protect teams from falling victim to more complex social engineering attacks that are becoming more popular across the legal sector. It is becoming increasingly apparent that a more robust solution is required.
Solutions such as Egress Defend augment training with ‘real-time teachable moments’, flagging potential phishing attempts and reduce the chances of people falling victim to attacks. Once an email has been flagged, Defend educates people in real time through banners and coaching on why the email was flagged as dangerous.
Defend can determine every sender's authenticity and even detect when cybercriminals use compromised accounts on authenticated domains. That goes well beyond the standard analysis provided by SEGs.
The ultimate goal is to bring attention to phishing when it is most relevant to someone’s day-to-day role, protecting organizations from attacks while encouraging teams to feel as if they are being educated instead of policed.