Cyber Security: How firms can avoid getting hooked by phishing schemes

By Carl Mazzanti

Last year, a law firm was scammed out of more than $250,000 when an employee received an email that appeared to originate from a client, requesting a transfer of funds owed by the firm to the client. According to a 2023 U.S. Department of Justice announcement, the employee followed the instructions and wired the funds to the specified account. But the email was fraudulent, an investigation later determined, and the wire transfer went to the fraudster instead of the client.

This kind of sophisticated “phishing” attack, where nation-states or organized criminal gangs send fraudulent communications that appear to come from a legitimate and reputable source, is becoming more common, according to a 2023 FBI report. And more law firms, 29% in 2023, up from 27% in 2022, reported experiencing a security breach, according to an ABA report. It’s not a surprise, given the sensitive data, including health and financial records, Social Security numbers, escrow and other information, that many firms possess.

But an experienced cyber security provider can offer solutions to these and other attacks.

The threat landscape is broad and deep. Whether an attacker’s goal is to steal money, gain access to sensitive data and login information, or install malware on a device, every cell phone, laptop, and point-of-sale device connected to a firm’s network can become a potential unsecured entryway. So, an effective cyber security initiative will be structured with a layered approach that addresses issues, including endpoint management and training users in best security practices. Endpoint management focuses on protecting and managing connected devices.

A robust endpoint management strategy will include applying software updates, safeguarding remote access, enforcing password policies, and monitoring devices for possible threats. It will also encompass the firm’s ability to remotely shut down a compromised device. And, at a time when remote work continues to gain traction, the right endpoint management system, along with training, will allow associates, partners, and others to use firm-owned and “bring your own devices” without diminishing security or productivity.

An effective endpoint management system should provide centralized visibility into all devices connecting to the firm’s network and services, especially since such Internet of Things devices as cameras and printers add even more complexity. Visibility tools will let an organization discover connected devices and audit them to determine performance, health, and security status. Best practices also include automating security processes, such as device deployment, patch management, and regular backups, in addition to multi-factor authentication and conditional access.

A comprehensive framework

To provide comprehensive security, firms should consider segmenting endpoints into groups based on such factors as risk level, function, and compliance requirements. With this kind of segmentation, the IT department can apply customized settings and rules to device groups as needed. Additionally, the endpoint management system should integrate with other IT services, like identity and access management, cloud management, and threat intelligence.

Training is another key method of defense. All firm employees who interact with the digital network should be trained to recognize telltale signs of a phishing attempt, such as communications containing a sense of urgency, slight errors in the sender’s email address or URL, poor grammar or spelling, or unsolicited attachments. Firm members, employees, and others should also know how to report a phishing attempt, successful or not, because this will help security IT personnel to counter additional attacks. A firm might offer monthly webinars, combined with online training modules that users complete within a given timeframe. Training formats could consist of interactive games, quizzes, or classroom instruction.

Because an overly technical seminar may bore and confuse users, presenters should deliver training that is both relatable and understandable, with apps or other resources that are easy to navigate. At a minimum, security experts suggest that firms conduct training sessions at least quarterly, reinforced with simulated phishing campaigns.

Cyber criminals are staying on top of their game, but law firms that partner with a cyber security expert services provider can minimize their vulnerability to phishing schemes while maximizing their reputation and client trust.

 

Carl Mazzanti is president of eMazzanti Technologies,  a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].