What law firms need to know about phishing and smishing

Phishing attacks are on the rise. According to Retruster, phishing attempts have increased by 65% in the last year. If that’s not scary enough, if you fell for a phishing scam once, you are more likely to be targeted again. And, according to The SSL Store, around 86% of all phishing attacks target a U.S. business. Then there is smishing. Smishing is relatively new and uses SMS (text messaging). Norton Security classifies smishing as an emergent threat to cybersecurity. It’s a form of phishing that aims to trick recipients into giving up their personal information by text.

With consumers and law firms relying more on technology to remain in contact, the internet, emails, and text messages can become a source of fear. What can law firms do to protect their credentials as well as help their clients understand how they can recognize whether the law firm is trying to contact them?

In this article, law firms will learn how to recognize phishing and smishing, how they can protect themselves, how they can educate their clients about these cyberattacks, and what clients should do if they are unsure whether the law firm really needs the information being requested of them.

How to Recognize a Phishing or Smishing Attempt

While those involved in these sorts of fraudulent schemes certainly update their tactics to avoid detection, there are some specific hallmarks that do not change. For example, the email or text message appears to come from a:

  • Bank or other financial institution (one you may or may not have ever done business with)
  • Credit card company (even one that never issued you a card, which can seem even scarier, since it immediately induces fear that you’re now a victim of identity theft)
  • Social network
  • Utility company (again, one you may or may not have ever had an account with; if you haven’t, you immediately begin to wonder if someone stole your identity)
  • Cable company or streaming service (rinse and repeat: you may never have had an account with them, and you wonder if someone could be using your identity)
  • Amazon or another online shopping site
  • Website domain provider (especially scary when you think there’s something wrong with your website)

The language used in the message is meant to scare you into immediately giving up some sort of personal information. The senders either want you to click a link that takes you to a knock-off website (one that looks similar but often has tell-tale signs such as poor spelling, poor grammar, or a web address that is not the official domain of whomever the sender pretends to be), or they want you to open an attachment (which, by the way, is never a good idea; a legitimate email from Netflix about updating your payment info will never ask for your credit card or your password, and will never include an attachment). They may say or include:

  • You’ve had too many log-in attempts and need to reset your password. Pro tip: If this is in an email, pay attention to the sender’s email address as well as the header information in the email. Fake emails will not come from the right email address, and the address may not end in the right domain. Instead of .com, you may see the wrong domain ending. For example, we all know that Netflix ends in .com and not .hk (Hong Kong). In the header information, you may be able to see other revealing details, such as where the email originated from.
  • The sender states they noticed suspicious activity in your account. We recognize this is scary, but do not click anything, especially if you have no way to verify the claim. Watch for spelling errors, the use of the wrong name or “Hello Dear,” grammatical errors, and always review the email address as well as the header information of the email.
  • You’re told that there’s a problem with your account or that your payment didn’t go through. It’s an alarming email to receive, and it can cause you to click on something without thinking about it. Remember, though, that phishing and smishing attacks are increasing. Take a deep breath, consider whether you even have an account with the sender, and then look for the signs to help you determine whether the message may be legitimate. While more and more banks do offer SMS alerts about fraud and payment issues, you will recognize them by the number the alert comes from. Watch for grammatical issues as well as misspellings. If it’s an email, review the email address and email header. But wait before doing anything with it.
  • You might get a fake invoice. This can be very distressing for clients, which is why it is imperative that you make it clear to clients that you will only send out invoices in one particular way. For example, you’ll only send out invoices on a specific day of the month, they will go out through your practice management software, and they will be available for pickup through the secured client log-in. Also provide information to your clients about how to spot a phishing or smishing scam: poor grammar, misspellings, an improper email address, and requests for information that no one from your law firm would ever ask of them, such as their user name and password.
  • You’re told to make a payment immediately or to provide your log-in credentials. No legitimate business will require you to provide your debit or credit card information or your user name and password through an email. We all know that secured payment processing exists for a reason.
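
The sender-address, domain-ending, header-origin, link-domain, and “Hello Dear” checks described above can be applied mechanically to a saved message. The following is an added example, not part of the original article: the raw email is constructed, netflix.com stands in for the official domain the recipient knows, and netflix-billing.hk is a hypothetical lookalike.

```python
"""Check a raw email for the sender and link red flags the article lists.
Added example, not from the original article; the message below is constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample: a lookalike billing notice with the wrong domain ending.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
From: Netflix Support <support@netflix-billing.hk>
To: client@example.com
Subject: Hello Dear, your payment did not go through

Your account is on hold. Update your payment details here:
https://netflix-billing.hk/update
"""

def _registered_domain(host):
    """Reduce a hostname to its last two labels, e.g. 'www.netflix.com' -> 'netflix.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def check_email(raw, official_domain):
    """Return human-readable red flags; an empty list means none were found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2]
    if _registered_domain(from_domain) != official_domain:
        flags.append(f"From domain {from_domain!r} is not {official_domain!r}")
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    if rp_domain and _registered_domain(rp_domain) != _registered_domain(from_domain):
        flags.append(f"Return-Path domain {rp_domain!r} differs from From")
    # First Received line names the handing-off server (a hint only: real senders relay too).
    hop = re.match(r"\s*from\s+(\S+)", str(msg.get("Received", "")))
    if hop and _registered_domain(hop.group(1)) != official_domain:
        flags.append(f"Originating server {hop.group(1)!r} is outside {official_domain!r}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if _registered_domain(host) != official_domain:
            flags.append(f"Link host {host!r} is not {official_domain!r}")
    if re.search(r"\bhello dear\b", raw, re.IGNORECASE):
        flags.append("Generic 'Hello Dear' greeting")
    return flags

if __name__ == "__main__":
    for flag in check_email(SAMPLE_EMAIL, "netflix.com"):
        print("RED FLAG:", flag)
```

A genuine message from the expected domain, with links to that same domain, produces an empty list; the sample above trips all five checks.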

What Should You Do If You’re Not Sure It Is a Phishing or Smishing Attack?

Around Christmas, I received an email from my bank informing me that someone had used my debit card to try to send over $3,000 to an inmate in California (I don’t know any inmates in California), had tried to buy $500 in sporting goods online (I had no history of using that account for the purchase of sporting goods, particularly online), and had used the card in a location about 45 minutes away from me to buy $37.56 in gas and then made another purchase at the same gas station for what appeared to be a 44-ounce soda. I knew I never used the card in that town. But, in the past, I also received some “Hello dear” emails pretending to be from this particular bank.

However, I knew I signed up for fraud alerts by email and the email also said something specific: we tried to reach you by phone and couldn’t.

They couldn’t reach me because I had recently changed my phone number (about two days previously). I scrambled around for about five minutes and looked everywhere for that card. I asked my husband. He had given me the card the night before. I took it with me (didn’t use it) when I drove our middle son to the grocery store. Our middle son had a cast on his foot from an on-the-job injury and couldn’t drive. He lives on his own. My thought was the card fell out of my pocket and I obviously didn’t notice and didn’t lock my car. Someone saw it and took it. I have one other unproven thought about it that I’ll keep to myself.

I called the bank. I went through the security questions and also updated my phone number. It turned out that someone had indeed gotten hold of my card and that they had reached out to me by email. So, why did I tell you that story? To say that if you honestly aren’t sure whether the email you received from what appears to be someone you do business with is real, call the organization and ask. Do not click on a link. Do not reply to the email. Oh, and if I had replied to the email, it would have gone to no-reply@bank…

What You Should Do If You Get a Phishing or Smishing Email or Message

Do not respond to it. Remember, if you’re not sure whether what you received is legitimate, pick up the phone and call the company the email or text is supposedly from. You can forward emails to reportphishing@apwg.org and also register a complaint with the FTC. If you received a smishing text, you can forward it to 7726 (SPAM). Many banks, credit card organizations, and other legitimate companies whose identities are being impersonated have phishing teams that you may also be able to send the emails to for review.

If you click a link or open an attachment, immediately scan your computer with your anti-virus software. Ensure that you also have good anti-virus software on your cell phone. A VPN may also help protect your mobile devices from phishing and smishing attempts.

How Law Firms Can Help Their Clients Understand Phishing and Smishing Dangers

While you cannot fully protect your clients from the dangers posed on the internet, you can be a vital source of information to help them understand phishing and smishing dangers. If you send out a newsletter, you can explain the very basics of phishing and smishing, the associated dangers, and the things your law firm will never ask them to provide through email or text. If you use practice management software, explain that they can reset their own password as well as make their payments and update their payment methods through the portal. And, most importantly, tell them that if they ever have any questions about an email or text that they think may be from your law firm, they should pick up the phone and call. That is, without a doubt, the best way for the client to know for sure whether you’re trying to contact them!