PhishingAs Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait

Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined round 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

The Verizon report says that phishing has evolved in recent years to include installation of malware as a second-stage tactic.  And phishing is favored by “state-sponsored threat actors and criminal organizations,” acting with “the intent to gain an initial foothold into a network.”

Factors creating vulnerability

Why are law firms, law departments and lawyers in general among those most likely to take the bait in a phishing attempt?  Several reasons:

  • Lawyers are hungry for clients.  In today’s competitive legal environment, we all want to bring in new business.  That increases the lure of an e-mail that looks like it might come from a prospective client, as some phishing e-mails are designed to do.
  • Lawyers are trusting.  We regularly form relationships of trust with our clients, our colleagues and other lawyers.  So when we believe that we are communicating within such a relationship, we tend to be very open — and respond freely to an e-mail that looks like it comes from that trade group or that bank.
  • Lawyers must work efficiently and under time pressure.  Delivering top client service means that our e-mail systems must be open, and we must be responsive communicators.  Those elements make us more vulnerable to phishing, since we don’t always think before we click.
  • To be honest, we sometimes overestimate our tech skills — humility is not always our strong suit and stopping to ask our IT departments for advice isn’t always the first thing on our minds.

It’s about the competence

We’ve posted before here and here about the duty of competence as it relates to technology.  Following its amendment in 2013, Model Rule 1.1 includes comments pointing to a duty of technological competence, “including the benefits and risks associated with relevant technology.”

Cyber-security for your firm or law department is, of course, a huge competence concern; the Verizon data breach report shines a spotlight on one of the most obvious ways “in” to your systems, and in to danger for your data and potentially that of your clients.

Training is key

Is the answer more training?  Texas lawyer Peter Vogel, over at his information technology blog, suggests so.  And it certainly seems that training pays off.  Anecdotally at least, firms and law departments that give their lawyers formal cyber-security training find that they are less likely to fall for phishing attempts, as measured by firm-launched experimental “challenges.”

Education can never hurt, and it can help immunize your firm or law department from being phished successfully.