June 21, 2018
Phishing Alert: Important Notice / Confidential Document
Attorneys and law firms are popular high-value targets for phishing attacks because they are often repositories of trade secrets and other information for their clients.
What Is Phishing?
Phishing is a technique used by attackers to trick individuals into divulging personal information – like their login credentials – or into launching malware that steals broader sets of personal data stored on their computers or connected networks. A phishing attempt typically looks like a valid email from a trusted source, duping recipients into opening the email and clicking on the enclosed attachments or links.
Spear-phishing has the same goal as normal phishing, but the attacker first gathers information about the intended target. This information is used to personalize the spear-phishing attack. Instead of sending the phishing emails to a large group of people, the attacker targets a select group or an individual. By limiting the targets, it's easier to include personal information -- like the target's first name or job title -- and make the malicious emails seem more trustworthy.
A whaling attack is a spear-phishing attack directed specifically at high-profile targets like C-level executives, politicians and celebrities. Whaling attacks are also customized to the target and use the same social-engineering, email-spoofing and content-spoofing methods to access sensitive data. These types of attacks are harder to detect than regular phishing attacks because they are so focused.
Example of a successful attack
In one version of a successful spear-phishing attack, the perpetrator finds a webpage for the target organization that supplies contact information for the company. Using the available details to make the message seem authentic, the perpetrator drafts an email to an employee on the contact page that appears to come from someone who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's username and password, or to click on a link that downloads spyware or other malicious software. If a single employee falls for the ploy, the attacker can masquerade as that individual and use social-engineering techniques to gain further access to sensitive data.
What is the purpose of the attack?
Attackers who send phishing emails to individuals often want to gain access to the victim’s email account by tricking the victim into revealing their username and password. The common practice of reusing passwords across websites, coupled with the trend of organizations using email addresses as user IDs, makes it easier for fraudsters to steal valuable information and exploit it for financial gain. The ultimate goal of these attacks is “wire transfer” or “business email compromise” fraud – one of the fastest-growing schemes over the past several years, according to the FBI. In this scenario, scammers steal money from small businesses in a complicated man-in-the-middle attack on financial transactions.
How to Avoid Spear-Phishing Attacks
- Do not click links in emails: If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it could be malicious. Many spear-phishing attackers will try to obfuscate link destinations by using anchor text that looks like a legitimate URL.
- Use logic when opening emails: Look for misspellings, poor grammar, generic greetings, and a false sense of urgency. If you get an email from a “friend” or colleague asking for personal information, including your password, carefully check whether their email address is one you have seen them use in the past. Real businesses will not send you an email asking for your username or password. If you’re suspicious, contact the sender through a channel other than email to verify the email’s authenticity.
- Do NOT open unknown or suspicious attachments in emails.
- Have smart passwords: Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all your accounts. Every password that you have should be different from the rest – passwords with random phrases, numbers, and letters are the most secure.
- Enable multi-factor authentication where possible.
- Frequently update your software: Ensure your anti-virus software is up to date. If your software provider notifies you that there is a new update, do it right away. Most software systems include security software updates that should help to protect you from common attacks. Where possible, enable automatic software updates.
- Implement a data protection program at your organization: A data protection program that combines user education around data security best practices and implementation of a data protection solution will help to prevent data loss due to spear-phishing attacks. For midsize to larger corporations, data loss prevention software should be installed to protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.
- Watch what personal information you post on the internet: Look at your online profiles. How much personal information is available for potential attackers to view? If there is anything that you do not want a potential scammer to see, do not post it – or at the very minimum make sure that you’ve configured privacy settings to limit what others can see.
Examples of common phishing emails
DocuSign Phishing Emails
Microsoft Phishing Email