Cyber Fraud Prevention Tips for Law Firms

As a part of our fraud, forensics, and litigation support engagements, we work with many IT and cyber fraud specialists. Generally, our clients have an IT department, a recognized outside IT contractor, or a full-time IT staff person with credentials that focus on protecting the law firm’s electronic data from theft. Unfortunately, we have occasions where the answers to our IT questions go something like this, “One of our partner’s brother-in-law’s former roommate’s kid handles our IT system. He works for some big company and does our IT work on the side, he’s really a smart kid”. The reality is, if the Colonial Pipeline can be successfully attacked with ransomware that disrupted the supply of fuel to the entire southeastern United States, your firm is a much easier target, even with the best of IT departments. You may not be aware that your firm’s website provides plenty of information necessary to attempt penetration by cyber-attackers and that the vast majority of cyber-attacks are initiated by email. Remember, the weakest link in your IT system is an employee or partner sitting behind a computer just one key stroke away from a costly disaster. Cyber-attacks are on the rise and be assured that attempts are directed at your firm every minute of every day. While you sleep, cyber-attackers are awake!

The following are common cyber-attack methods that your firm should be aware of, and all employees trained to recognize:

• Phishing – most common attempt using a fraudulent email to give up specific credentials, entice clicking a malicious link, or downloading a malicious file.
• Spear phishing – researching and targeting with a tailored phish to gain access to specific firm accounts.
• Whaling – spear phishing the top by researching and targeting leaders within a firm.
• Smishing – phishing via text includes providing malicious links, impersonating a contact, impersonating a business, or trying to scam a legitimate authentication from the firm.
• Vishing – phishing using a phone call.
• Angler phishing – leveraging employees’ social media accounts with fraudulent notifications and messages to gain access.
• Watering Hole – infecting or hijacking sites that a cyber-attacker knows the firm frequents to steal credentials or propagate malware.
• Pharming – hijacking DNS (Domain Name System) to redirect users to URLs and IPs they did not intend to access. The browser displays the correct URL, but it is actually a malicious site.
• Evil twin – copying or imitating a legitimate wi-fi access point to entice employees/firms to expose their internet traffic to cyber-attacker. A common tactic with public Wi-Fi, i.e., airports, food providers, and hotels.
• SIM swapping – a cyber-attacker will take over a cell phone account by vishing a cell company and getting them to transfer a number to a new SIM card, taking over the accounts of the employees/firm.
• Spoofing – making a call or email that looks as if it came from a legitimate source.
• Credential stuffing – using data from past breaches to try known, exposed email/password combinations previously used by employees/firm on other sites.
• USB attack –malicious utilization of a USB device. This can include providing infected drives or chargers to an employee/firm as a freebie, or intentionally infecting a USB device at one location to infect a Firm location.
• Supply chain attack – hacking a third-party service provider to use its platform to attack its customers. This method was used in the recent SolarWinds cyber-attack.
• RDP attack –using remote desktop protocol access abilities to gain access into the firm’s system. This method was used in the notorious Colonial Pipeline cyber-attack.

If you have not engaged a reputable IT specialist, your firm is especially vulnerable to a computer breach. Basic IT controls help your firm prevent cyber fraud. Important controls include, intrusion prevention (firewall), up to date anti-virus software (endpoint protection), strong password standards and multi-factor authentication, securing wi-fi access, prohibiting employee personal computer usage, prohibiting computer devices brought from the outside without oversight, constant training on suspicious emails and websites, and periodic penetration testing by a cyber fraud specialist.

Here is a quick cyber fraud self-assessment: If some or all of these concepts sound unfamiliar, start today by hiring the right IT professional(s).

About this article: This article was originally published in the Communiqué, the official publication of the Clark County Bar Association, (June/July 2022). See https://clarkcountybar.org/member-benefits/communique-2022/communique-june-july-2022/.

About the author

Mark D. Rich, CPA, CFF has been licensed for 40 years and is Founding Partner of Rich, Wightman & Company.