The Risk Manager, Fall 2016
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email. These attempts take the form of a message, allegedly from your bank or an online retailer you deal with, that suggests your account has been compromised or that a payment is overdue. Phishing scams are usually bulk emails sent to large numbers of people. Even if only two or three per cent of recipients fall for them, hundreds or even thousands of people can be victimized. (LAWPRO Magazine, Lawyers’ Professional Indemnity Company, “Serving Indigenous Clients”, Vol. 15 no. 1.)
Phishing Risk Management:
Don’t reply to email, text, or pop-up messages that ask for your personal or financial information. Don’t click on links within them either – even if the message seems to be from an organization you trust. It isn’t. Legitimate businesses don’t ask you to send sensitive information through insecure channels.
Spear Phishing:
The “spear” in spear phishing alludes to the fact that messages are targeted to specific individuals. Spear phishing messages are more convincing because they are personally addressed, appear to be from someone you already know, and may include other detailed personalized information.
Educate the lawyers and staff at your firm to make sure they will not fall for a spear phishing scam. Follow firm processes and procedures for the review and approval of financial transactions – and don’t bypass them due to urgent circumstances. Never share confidential client or firm information without being sure it is appropriate to do so by getting confirmation from someone familiar with the file. Be on the lookout for and question any last minute changes on fund transfers or payments. (LAWPRO Magazine, Lawyers’ Professional Indemnity Company, “Serving Indigenous Clients”, Vol. 15 no. 1.)
Whaling:
Whaling is phishing directed specifically at senior executives and other high-profile targets within a business. The messages are crafted to appear to be sensitive business matters and often take the form of a legal subpoena, a customer complaint, or an executive issue. (Wikipedia)
Clone Phishing:
In clone phishing, a legitimate, previously delivered email containing an attachment or link has its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version, and the message is then sent from an email address spoofed to appear to come from the original sender. (Wikipedia)
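The two patterns described above (a link that does not go where it appears to, and a cloned message whose link has been swapped) can be checked mechanically before anyone clicks. The Python below is an added example, not LAWPRO’s or the newsletter’s own material: it parses a raw message and reports a Reply-To or Return-Path that does not align with the From address, a link whose visible text names one domain while its href leads to another, links that leave the sender’s domain, and, given a copy of the previously delivered email, links whose visible text is unchanged but whose destination has changed. The sender names, domains and message bodies are constructed samples, and the “registered domain” helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Header and link checks for a suspicious e-mail. Domains and bodies below are
constructed samples, not real senders."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real deployment should use the Public
    Suffix List so that multi-label suffixes such as co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value):
    """Domain of the mailbox in a From:/Reply-To:/Return-Path: header, or None."""
    addr = parseaddr(str(header_value))[1] if header_value else ""
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else None

def href_domain(url):
    host = urlparse(url).hostname
    return registered_domain(host) if host and "." in host else None

def text_domain(text):
    """Domain named by an anchor's visible text, if that text looks like a URL."""
    if not text or " " in text or "." not in text:
        return None
    return href_domain(text if "://" in text else "http://" + text)

def extract_links(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(part.get_content() if part else "")
    return msg, collector.links

def analyse(raw):
    """(indicator, detail) tuples: Reply-To/Return-Path not aligned with From
    (Return-Path alone is weak, bulk mailers do it, but it is what breaks SPF
    alignment), visible link text naming one domain while the href goes to
    another, and links that leave the sender's domain."""
    msg, links = extract_links(raw)
    findings, from_dom = [], address_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = address_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append((hdr.lower() + "-mismatch", f"{hdr}: {dom}, From: {from_dom}"))
    for href, text in links:
        shown, actual = text_domain(text), href_domain(href)
        if shown and actual and shown != actual:
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {actual}"))
        elif actual and from_dom and actual != from_dom:
            findings.append(("link-offdomain", f"{actual} is not {from_dom}"))
    return findings

def clone_indicators(original_raw, suspect_raw):
    """Links whose visible text is unchanged from a previously delivered message
    but whose href now points elsewhere: the clone-phishing substitution."""
    seen = {text: href for href, text in extract_links(original_raw)[1]}
    return [(seen[text], href) for href, text in extract_links(suspect_raw)[1]
            if text in seen and seen[text] != href]

# Constructed samples: the genuine notice and a clone with the login link swapped.
ORIGINAL = """\
From: "Acme Bank Alerts" <alerts@acmebank.example>
Subject: Statement ready
Content-Type: text/html; charset=utf-8

<p>Your statement is ready. <a href="https://acmebank.example/statements">Log in</a>
or read our <a href="https://acmebank.example/help">help pages</a>.</p>
"""

CLONE = """\
From: "Acme Bank Alerts" <alerts@acmebank.example>
Reply-To: alerts@acmebank-secure.example
Return-Path: <bounce@bulkmailer.example>
Subject: Statement ready
Content-Type: text/html; charset=utf-8

<p>Your statement is ready. <a href="http://acmebank.example.verify-login.example/s">Log in</a>
or read our <a href="https://acmebank.example/help">help pages</a>.</p>
<p>Verify at <a href="http://acmebank.example.verify-login.example/v">https://acmebank.example/verify</a></p>
"""
```

Running `analyse(CLONE)` reports the misaligned Reply-To and Return-Path, the swapped login link as off-domain, and the “Verify at” link whose displayed URL and real destination differ; `analyse(ORIGINAL)` reports nothing, and `clone_indicators(ORIGINAL, CLONE)` returns the one link whose text stayed the same while its href changed. This is a screening aid for a mail gateway or a help-desk triage script, not a replacement for the “don’t click, confirm out of band” rule above: a phisher who uses a lookalike domain consistently in every header and link will pass all of these checks.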