Training staff to spot suspicious emails can combat Friday afternoon fraud, says Vanessa Crawley
Cybercrime has dominated the headlines recently with the WannaCry ransomware causing global healthcare, telecommunications, and banking services, among other businesses, to grind to a halt. With security experts still picking through the fallout, law firms and others will be on high alert for follow-up attacks. ‘Friday afternoon fraud’, or phishing, is one such intrusion which is becoming much more commonplace and sophisticated.
While the advancement of technology has created many opportunities and boosted the economic climate, it has also opened up serious risks to businesses, including cybercrime. Phishing has caught many businesses out and cost them money. Law firms are by no means immune to this threat.
Phishing is a term used to describe the process whereby fraudsters contact victims (e.g. a staff member), often by email, pretending to be a trusted source in order to induce users to disclose sensitive information, to install malicious software on their computers, or to allow personal information to be stolen from those computers.
Phishing scams can be carefully planned by fraudsters. Some specifically target law firms (and other businesses, including banks) and tend to attack in two stages. Stage one involves receiving an innocuous email, possibly even from a known contact, which, once opened, downloads malware to the user’s computer that can spy on the computer’s activity. In stage two the user receives an internal email which looks very genuine and convincing, asking for a money transfer or authorising the transfer of money.
Phishing criminals are becoming more sophisticated, which means such scams are harder to detect and are happening more regularly. To tackle this risk it is essential that law firms and businesses become vigilant and implement training for all members of staff – not just for the accounts team – to spot suspicious emails and make appropriate checks to determine whether they are genuine.
It is easy to check whether emails are genuine – a phone call to the sender should verify whether they sent the communication. Phishing emails tend to be written badly and should raise eyebrows if the email has ‘supposedly’ come from a professional company. Also, if you regularly correspond with a third party or an internal staff member (whom the phishing criminal is claiming to be), you will have an idea of the tone and language of their emails. If you receive something that does not ‘sound’ like them, you should contact them to verify.
All communications that require a money transfer should be verified. For example, speak with internal staff members to confirm whether such a transfer is required, and if so, search the name of the company on the internet for their correct contact details and ask them to confirm their bank details. Having a good software system in place may also assist you in the verification process and block any phishing emails.
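The checks described above (a sender who claims to be a colleague, a message that does not come from where it appears to, and any request to move money) can also be applied by software before a message ever reaches the accounts team. The following is an added example, not code from the article or from SA Law; the firm domain `example-law.test`, the staff directory and the three sample messages are all constructed placeholders. It parses a raw email and returns the reasons, if any, for which the message should be verified by telephone.

```python
"""Phishing triage helper: flags emails that need out-of-band verification.

Added example (not from the original article). The firm domain, staff
directory and sample messages below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"  # assumption: the firm's own mail domain

# Constructed directory of internal staff: display name -> genuine mailbox.
STAFF_DIRECTORY = {
    "Jane Partner": "jane.partner@example-law.test",
    "Sam Accounts": "sam.accounts@example-law.test",
}

# Phrases that indicate a request to move money; any such request is
# confirmed by phone, whoever appears to have sent it.
PAYMENT_PHRASES = ("transfer", "bank details", "payment", "account number", "bacs", "chaps")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def plain_text(msg) -> str:
    """Collect the text/plain parts of a message (handles multipart too)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> list:
    """Return the reasons a message should be verified before acting on it.

    An empty list means none of the checks fired; it does not mean the
    message is safe, so the human checks in the article still apply.
    """
    msg = message_from_string(raw_message)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: the name is a colleague's, but the
    #    address is not that colleague's genuine mailbox.
    genuine = STAFF_DIRECTORY.get(from_name)
    if genuine and from_addr.lower() != genuine.lower():
        reasons.append(f"display name '{from_name}' is internal staff but address is {from_addr}")

    # 2. Replies would be routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 3. Any request to move money is verified by a phone call to a number
    #    obtained independently (not one quoted in the email itself).
    hits = [p for p in PAYMENT_PHRASES if p in plain_text(msg).lower()]
    if hits:
        reasons.append("requests a money transfer (" + ", ".join(hits) + "): confirm by phone")

    return reasons


# Constructed sample messages for demonstration.
SPOOFED_INTERNAL = """From: Sam Accounts <sam.accounts@example-law-mail.test>
To: jane.partner@example-law.test
Subject: Urgent client transfer

Please arrange a transfer of the completion monies today; bank details below.
"""

ROUTINE_INTERNAL = """From: Sam Accounts <sam.accounts@example-law.test>
To: jane.partner@example-law.test
Subject: Lunch

Shall we meet at 1?
"""

GENUINE_TRANSFER = """From: Sam Accounts <sam.accounts@example-law.test>
To: jane.partner@example-law.test
Subject: Counsel's fee

Please approve the payment to counsel's chambers this afternoon.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_INTERNAL), ("routine", ROUTINE_INTERNAL), ("genuine transfer", GENUINE_TRANSFER)):
        print(label, "->", triage(sample) or "no flags")
```

The spoofed message trips two checks (a colleague's name on an outside address, and a transfer request); the genuine transfer request still gets flagged once, because the article's rule is that every money transfer is confirmed by phone regardless of who asked. Such a script complements, rather than replaces, the staff training described above.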
Taking small measures like these can also help law firms stay compliant with data protection and privacy laws. Every business has a duty to keep personal data and information secure; robust systems and thorough training should therefore be implemented to avoid becoming a victim of cybercrime.
Vanessa Crawley is a corporate solicitor at SA Law