AUTHOR
Eli Mattern, Esq. | 2021 – 2024 Member, The Florida Bar’s Standing Committee on Technology

Protecting client’s sensitive information is critical for any law firm. Yet every day our devices and systems are bombarded with attempts to steal, expose, or obtain personal information. This article will help you understand how scammers gain access to your law firm’s information, and more importantly how to protect against it.

Phishing is a type of scam characterized by sending a text or email from a supposedly reputable company or friend. Embedded in the text or email is a call to action, usually to click a link, which could give the scammers access to your secure network or systems.

Often, scammers will use emotionally triggered storytelling to entice you to click a button. They may say that your account has been hacked, or a credit card was declined, or that they have a client for you.

If you suspect that you are looking at a phishing email, take these steps first:

• Look at who the email is from. If the URL does not comply with who you would expect, it’s probably spam. Many times these URL’s can be tricky. For example, someone may send an email from service.paypal@outlook.com. Paypal would not send an email from an “@outlook.com” email address, so you can identify this email as a fake.
• Hover cursor over link. All email systems allow you to move your cursor over the hyperlink text and in the bottom left corner of your computer screen you can view the URL that the text will take you to. If you receive an email that says it’s from PayPal, then the link should take you to their site. Links to unidentifiable sites are a tell-tale sign that you’re looking at a scam.
• Report it. Send the phishing email to the Federal Trade Commission’s Anti-Phishing Working Group at reportphishing@apwg.org.

In addition to investigating actual phishing emails, you can protect yourself and your accounts by additional security measures, like using multi-factor authentication.

Phishing is one type of social engineering scam. Social engineering is the use of deception or manipulation to gain unauthorized access to personal data. Another type of social engineering scheme is spear-phishing. Whereas phishing is characterized by sending large batches of emails emulating a recognizable company, spear-phishing schemes are generally much more tailored to the person.

Scammers use social engineering and research to target a specific person or set of people in a spear-phishing attack. For example, scammers may follow a person on social media or look up their biography on a website. Using publicly available information, the scammer could send a well tailored baiting email. It could propose signing up for a free service, coupon, ebook, or anything else that the person would be interested in.

People are particularly susceptible to spear-phishing and other tailored social engineering based frauds because we are all busy and prone to getting excited about things we like. Who wouldn’t want to sign up for a free trial of dog biscuits for our favorite fur baby? But in doing so, you may have inadvertently exposed your sensitive information to a scammer.

While email is the most common form of phishing attacks, look out for these same types of scams through text messages and on social media accounts. Messages from LinkedIn can contain links to harmful websites just as much as an email can. If you are wary of the messages at all, it’s better to err on the side of caution.

So, what happens if someone clicks a phishing link? Address it immediately. Contact your IT team, or a cyber security specialist. (Also see I’m Hacked, Now What? and other LegalFuel articles.)

One final point about scams is that a system is only as secure as its weakest link. Everyone in a law firm can be attacked, and everyone is vulnerable. It’s imperative that every member of the firm, from the most senior partner down to the summer intern understands what is at stake and how to protect the firm against attacks. Providing regular cyber security training can help people recognize phishing and spear-phishing and thwart the exposure of sensitive information. Keep in mind that phishing schemes can make a person feel embarrassed to come forward, that is why regular training is important. Each law firm needs to not only empower employees to identify risks, but also feel comfortable communicating concerns. Avoiding cyber issues only makes them worse.

While this article focuses primarily on email attacks, scammers can also use social engineering over the phone and in person. Remember at the end of the day, protecting a client’s information is a lawyer’s number one priority. The LegalFuel site offers comprehensive CLEs and articles on cyber security to help you protect your law firm from intrusion. At the end of the day, remind yourself and your colleagues, “When in doubt, throw it out.” No email, text, or message is worth compromising your client’s privacy or your firm’s reputation.

ABOUT THE AUTHOR
Eli Mattern is the CEO and General Counsel of Wiedza Creations, a software development company in Orlando, FL. She’s an active member of The Florida Bar, focusing her expertise on the intersection of law and technology.

This LegalFuel publication is intended for educational purposes only and does not replace professional judgment. Statements of fact and opinions expressed are those of the author individually and, unless expressly stated to the contrary, are not the opinion of The Florida Bar or its committees. The Florida Bar does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information published. Any feedback should be provided to the author.

VIEWS AND CONCLUSIONS EXPRESSED IN ARTICLES HEREIN ARE THOSE OF THE AUTHORS AND NOT NECESSARILY THOSE OF FLORIDA BAR STAFF, OFFICIALS, OR BOARD OF GOVERNORS OF THE FLORIDA BAR.