Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityTechnology Media and Telecom

Phishing for Whales with Spears

By Eli Nussbaum
November 01, 2018

While most people like to think of themselves as email-savvy, email scammers are highly sophisticated and constantly evolve their methods to increase their success rates. Successful attacks include convincing innocent people to give up sensitive information or even actively transfer funds out of their organization. What you thought was protecting you in the past is likely no longer sufficient.

There's no question that email has revolutionized the way we operate; it's hard to imagine ever operating without the ease and speed of communication that email enables. Unfortunately, for all of its convenience, email has opened the door to serious security threats that include viruses, malware and fraud. Phishing scams have become a widespread problem — you'd be hard pressed to find anyone who hasn't been on the receiving end of a phishing attempt. Because email is something we all use every day, it's become a favorite tool for those who are looking to gain illegal access to our business systems and sensitive information.

It's vital to continuously adapt security measures as threats evolve. Failing to prevent a breach can be devastating to your firm's reputation and finances. While the bad guys only have to be successful one time, we have to be successful every time. There is good news though: There are things that firms can and should be doing to minimize their risk and increase the likelihood that an email breach will be stymied before it succeeds.

|

Defining the Attack

At their core, all phishing scams are email attacks that attempt to steal sensitive information or obtain unauthorized access to systems. Attackers typically send out massive amounts of email with the intention of succeeding with only a small number of their recipients. Ordinarily, attackers attempt to pass themselves off as a person or entity known to and trusted by the recipient in order to trick the recipient into unquestioningly complying with their malicious request. The hope is that the emails prompt victims into clicking on links or logging into accounts to reveal or change their credentials. This process grants the sender illegal access as the link directs the victim to a webpage under the attacker's control.

Spear-phishing and whaling are more nuanced versions of this attack involving background research, preparation and a defined target. As opposed to a blanket phishing email campaign, spear-phishing is a more directed attack with the focus on one person or organization. Through a bit of due diligence the phisher tailors the attack to the intended recipient(s) in order to increase the likelihood of hooking someone. Often the email attack vector is supplemented with dummy webpages, email addresses and voicemail accounts. Whaling is the same concept, but the attacks are directed at CEOs or other C-suite members (or their support staff) with the intention of a bigger windfall.

It's tempting for small and midsize firms to believe that they're not big or important enough to be the victims of cyber attacks. In reality though, smaller firms are at no less risk than their larger counterparts. Phishing is a numbers game — attackers want to reach as many people as possible to improve their odds. It takes little effort on their part to send countless emails. Small and midsize firms can even be better targets because they often lack the budgets, infrastructure and training that the big firms have in place to defend against these attacks. In addition, smaller firms may be pursued if they service the actual intended targets of the cyber attack. It is important to keep in mind that attackers are looking for the weakest link; law firms and third-party vendors, without proper protective measures, are often just that.

|

What to Look For

Phishing scams are not always easy to spot, and cyber attackers work diligently to fool us. One well-worn technique is to represent the message as from a legitimate known sender. Historically this meant that attackers forged the sender's address (not materially different from using a false return address on a snail mail envelope). This ruse was easily revealed with a simple reply to the sender and only allowed for a single, one-way, communication — either the recipient clicked the infected email attachment or link or they didn't.

This has evolved into phishers using domain names that look like the impersonated party. For instance, in using www.BANKOFAMER1CA.com they are betting that most people are too busy to notice that the “I” in the address is actually a “1.” This concept has further evolved with spoofed addresses now almost impossible to distinguish from the real ones.

By taking advantage of Unicode, attackers can use homographs — words that look correct but are in fact comprised of characters from foreign alphabets — to create addresses that look identical to the English address. For example, using a combination of Cyrillic and other alphabets, hackers can create an address that appears to read as www.chase.com, but isn't. When fake links become imperceptible, context and security measures are even more important.

While it will never be possible to spot every advanced phishing scam that shows up in your inbox, there are certain signs or red flags that should set off alarms. Even little things like tone, spelling and grammar can tip you off to an email that isn't actually from the person claiming to be sending it. Attachments can also be a huge red flag — if this person never or only rarely sends you attachments and you're not expecting anything, ask some questions before clicking on anything. If an email seems out of context or has an unexpected sense of urgency, that's another good sign that something might be wrong. Phishers will often review the mailbox of a compromised account before crafting their next attack, and we have seen them hijack conversations mid-thread as they pivot onto their next target.

While your conversation may have been legitimate when it started, a sudden shift can indicate that it's been taken over by someone with nefarious intentions. Another sign is if the sender is suddenly traveling or too busy to communicate and directs you to deal with a third party.

|

How to Avoid a Breach

Even though hackers are constantly trying to figure out new ways around your system, that system needs to be as secure and up-to-date as possible at all times. Every firm needs good perimeter defenses — all email traffic should be scanned and approved before entering the network to reduce the likelihood that phishing emails get to their recipients. Many modern email filters now replace links and attachments with placeholders that allow for advanced scanning and the ability for the system to refuse access should it later determine that the link/attachment is a threat.

In addition to this basic security requirement, firms should:

  • Ensure that malware and anti-virus programs are a standard part of their infrastructure.
  • Require complex passwords and regular password changes to keep email accounts more secure.
  • Use two-factor or multifactor identification to go a step further toward preventing hijacked email accounts due to compromised credentials.
  • Implement mobile device management (MDM) to tighten control on devices and access.
  • Implement browser controls to ensure that Internet browsers call out addresses and links that are leveraging foreign languages to spoof legitimate organizations.
  • Implement Advanced Threat Protection tools from Microsoft or Cisco.
  • Consider implementing SIEM (security information and event management) and IDS/IPS (intrusion detection and prevention system) tools to help detect and prevent system intrusions by outsiders.
  • Teach your employees what to look for and how to handle potentially suspicious emails.

Educated users make up the greatest tool you have in your arsenal for fending off phishing attacks. It is crucial to have annual training with frequent reminders of the seriousness of the threat and to update everyone on the newest scams being perpetrated. Teach your employees not to open attachments or click on links if they aren't part of an ongoing business endeavor. Teach them to be on the lookout for subtle signs that an email seems off and to thoroughly examine any email that requests something important.

|

Conclusion

Diligence is crucial to stopping cyber attacks before they start. Built-in tools can go a long way toward detecting spam, but tomorrow there will be a new trick and your employees are your first line of defense. For users to have a hope of spotting an attack, they need to understand the types of attacks, how they work and what the bad guys are trying to get at.

Cyber attackers are relentless with ever-changing strategies and attack methods. You may not be able to always stay ahead of the game, but that doesn't mean that you can't take significant steps to prevent attacks from succeeding. With the right combination of understanding, regular training and security countermeasures in your arsenal, you'll be prepared when an attack comes. Taking action today can prevent you from being the next cybersecurity victim tomorrow.

*****

Eli Nussbaum is a managing director at Keno Kozie Associates. He joined the firm in 1998 as part of its Y2K audit team. Nussbaum then became a full-time engineer, holding every position within the department before taking on an account management role. During his tenure with Keno Kozie, Nussbaum has focused on physical, virtual and cloud infrastructure design and implementation for both infrastructure and client environments.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.