By Patrick Peterson, founder and CEO of Agari
Picture the scene. Your firm is in the midst of a massive M&A project for a major client. After weeks of work, everything seemed to be going fine – but now something has gone terribly wrong and your client’s deal has fallen through. And, to your abject horror, your firm is now facing accusations of being party to ‘insider trading’ and misusing confidential information.
Investigations reveal a trail of seemingly legitimate emails between a member of your firm and your client, discussing several important and strictly confidential points of the merger.
Closer inspection finally makes it apparent that the emails were the work of an imposter who had stolen your brand and impersonated an employee to trick your client into divulging sensitive information crucial to the M&A deal.
Your firm is cleared of any wrongdoing, but it’s too late. Your client has taken their business elsewhere, feeling they can no longer trust your firm to protect their information, and your reputation is in tatters. And all because of a couple of emails you didn’t even send.
The rising threat of identity theft
The threat of nightmare scenarios like this continues to grow. Cyberattacks are on the rise, and by far the most popular method of attack today is the use of deceptive emails, such as phishing messages. The UK Government’s Cyber Security Breaches Survey 2019 found that 32 per cent of UK businesses were aware of being targeted by attacks in the last year, and 80 per cent of these incidents involved phishing emails. A further 28 per cent also reported that their organisation had been impersonated by fraudsters over email or online.
Law firms make a particularly lucrative target due to their trusted relationships with clients and the potential to access extremely valuable and confidential data such as intellectual property and the details of M&A activity.
Despite the mounting threat, however, our research has found that the majority of the UK’s top 50 law firms lack the capabilities required to identify even the most common techniques, such as spoofing.
Why are deceptive emails so dangerous?
The majority of malicious emails we encounter use spoofing to disguise their identity. While there are other more advanced deceptive techniques available, spoofing is both easy and effective, with many companies having little or no means of detecting it.
Attackers use spoofing to forge the message’s sender (From) header so that the email appears to come from another domain and email account. The imposter’s victims therefore receive emails that appear to have been sent by “CEO@yourlawfirm.net”, lulling them into a false sense of security.
Canny criminals will also research both their chosen identity and their intended victim in order to craft a convincing message. Company bios and social media accounts provide a wealth of information that can be used to enhance the deception.
After making their preparations, the criminal then uses the firm’s identity to contact a client and works their way towards requesting confidential information, as in the M&A scenario outlined above. Another common tactic is to send over a fake invoice to trick the victim into transferring funds into the criminal’s account. A school group in Portland, USA, recently narrowly avoided losing $2.9m to this approach, saved only by the timely intervention of the FBI.
Deceptive emails like these are particularly dangerous because they do not present a threat signature that will be recognised by most traditional email security systems. There is no malware involved and, on the surface, there is nothing to distinguish a spoofed message from the real thing.
How can firms prevent their identity from being stolen?
Law firms have more to lose than most businesses because they are built so heavily around the trust of their clients. Having their clients’ sensitive data exposed in this way would shatter that trust and destroy the firm’s reputation.
The good news is that with the right tools, firms can regain control of their brand and prevent fraudsters from impersonating their trusted identity.
One of the most effective places to start is the free-to-use email security protocol DMARC (Domain-based Message Authentication, Reporting & Conformance). Implementing the DMARC framework enables a firm to see how its domains are being used in email messages, allowing it to identify misuse by imposters. All legitimate email messages sent by the firm can then be authenticated, including those sent on the firm’s behalf by authorised third parties such as mailing services.
Imposters seeking to spoof the firm’s domain will trigger an alert, and their message will be prevented from entering their victim’s inbox.
Firms can also set policies that dictate what happens to any emails that fail authentication. These emails can be automatically blocked or, better yet, quarantined for review by the security team. This allows the firm to release emails that are not malicious, and to learn to what extent it is being targeted by attackers.
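To make the authentication and policy steps above concrete, the following Python script is an added illustration (not Agari’s or any vendor’s code) of how a receiving mail server combines SPF and DKIM results with a domain’s published DMARC record to reach a disposition. The domains, results and record strings are constructed sample values; organisational-domain matching is simplified to “last two labels” (real receivers use the Public Suffix List), and the pct and sp tags are ignored.

```python
"""Simplified DMARC disposition logic (after RFC 7489), as an illustration.

Inputs are the results a receiving mail server already has from SPF and DKIM,
plus the DMARC record the sending domain publishes at _dmarc.<domain>.
Simplification (assumption): the organisational domain is taken to be the last
two labels of a hostname; production code uses the Public Suffix List instead.
"""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(host: str) -> str:
    """Assumed two-label organisational domain (wrong for e.g. co.uk; see docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organisational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_disposition(from_domain, spf, dkim_sigs, record):
    """
    from_domain: domain of the visible From header, e.g. 'yourlawfirm.net'
    spf:         (result, envelope-from domain), e.g. ('pass', 'mail.yourlawfirm.net')
    dkim_sigs:   list of (result, d= domain) for each DKIM signature
    record:      the DMARC TXT string, or None if the domain publishes none
    Returns (dmarc_result, disposition) where disposition is none/quarantine/reject.
    """
    if record is None:
        return ("none", "none")  # nothing published, so nothing to enforce
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # not a usable DMARC record
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    # DMARC passes if either SPF or DKIM passes AND is aligned with the From domain.
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown value: monitoring only
    return ("fail", policy)


if __name__ == "__main__":
    REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourlawfirm.net"  # constructed
    # Spoofed mail: attacker's own infrastructure authenticates, but nothing aligns.
    print(dmarc_disposition("yourlawfirm.net", ("pass", "attacker.example"),
                            [("pass", "attacker.example")], REJECT))
    # Mailing service sending on the firm's behalf: SPF fails, aligned DKIM passes.
    print(dmarc_disposition("yourlawfirm.net", ("fail", "bounce.mailer.example"),
                            [("pass", "yourlawfirm.net")], REJECT))
```

The second call is the “authorised third party” case from the text: the mailing service’s envelope domain never aligns, so the firm must have it sign with a DKIM key under the firm’s own domain before moving to an enforcing policy, otherwise that legitimate traffic fails along with the spoofs.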
What next?
More advanced and determined attackers can use other tactics to reach their victims but having a DMARC protocol in place will rob them of their most widely used deceptive technique. However, using publicly available DMARC records, we have found that of the top 51 law firms in the UK, 16 had no DMARC record at all, while a further 18 had their policy set to “none”, which means it will have no effect on spoofed messages whatsoever.
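The audit described above, checking which domains publish no DMARC record and which publish one with p=none, can be reproduced with a short script. The following is an added example, not Agari’s survey tooling; the DNS answers are constructed sample data for made-up .example domains rather than any real firm’s records, and a dictionary stands in for a live DNS lookup of the TXT record at _dmarc.<domain> (which a real audit would perform with a DNS library such as dnspython).

```python
"""Offline DMARC policy audit, as an illustration.

SAMPLE_DNS is constructed data: each key is a domain, each value the list of
TXT strings found at _dmarc.<domain>. Replace it with real lookups to audit
actual domains.
"""
from collections import Counter

SAMPLE_DNS = {
    "firm-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example"],
    "firm-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "firm-c.example": ["v=DMARC1; p=none; rua=mailto:reports@firm-c.example"],
    "firm-d.example": [],                                            # no record
    "firm-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],    # two records
    "firm-f.example": ["v=spf1 -all"],                              # wrong record type
}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt_records) -> str:
    """Classify the TXT strings at _dmarc.<domain> the way the survey does."""
    # Only strings beginning with v=DMARC1 count; anything else is ignored.
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: with multiple records a receiver applies none of them.
        return "invalid (multiple DMARC records)"
    policy = parse_dmarc(dmarc[0]).get("p", "").lower()
    if policy == "none":
        return "monitor only (p=none)"
    if policy in ("quarantine", "reject"):
        return f"enforcing (p={policy})"
    return "invalid (no usable p tag)"


def audit_policies(dns) -> dict:
    """Count domains per classification."""
    return dict(Counter(classify(records) for records in dns.values()))


def unprotected(dns) -> list:
    """Domains whose published state gives a receiver nothing to enforce."""
    return sorted(d for d, r in dns.items() if not classify(r).startswith("enforcing"))


if __name__ == "__main__":
    for domain, records in SAMPLE_DNS.items():
        print(f"{domain:16} {classify(records)}")
    print(audit_policies(SAMPLE_DNS))
    print("unprotected:", unprotected(SAMPLE_DNS))
```

Note that the unprotected list deliberately includes the domain with two DMARC records and the one with the wrong record type at _dmarc: both look like an attempt at deployment, but a receiver treats them exactly as it treats a domain with no record at all.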
A single well-crafted deceptive email has the potential to inflict thousands of pounds of damage to a law firm and, worse yet, leave its reputation as a trusted partner in tatters. Firms must act quickly to implement defensive measures such as DMARC that will counter the common deceptive techniques used by criminals and protect their trusted reputation from being used to target their clients.