
Phishing attacks towards law firms double since 2018


More than two-thirds of people in the UK believe they have been targeted with phishing attacks in the last six months.

Darlington-based IT firm Bondgate encourages organisations and individuals to increase their awareness of phishing attacks after a recent study showed 68% of respondents believed they had been phished in the last 6 months.

The nationwide study found that very nearly a quarter of respondents, 23 per cent, had noted a significant increase in the number of phishing emails they received over the previous six-month period.

The poll revealed that phishing incidents were never just singular events; the number of multiple attacks was quite staggering.

Of those who recognised being phished at least once, 41 per cent attested to having received as many as 10 phishing emails in the last six months.

16 per cent of them, one in six, found up to 25 fraudulent emails in six months.

While nine per cent found up to 50 phishing email attempts, 16 per cent believed the figure to be even higher.

Some of the most targeted firms lie within the legal sector, as they often hold large quantities of sensitive, and thus valuable, data.

Social engineers have been stepping up their offensive game recently, and legal firms have been feeling the pressure.

In 2019 the Solicitors Regulation Authority (SRA) of England and Wales had to issue scam alerts regarding fraudsters using details of SRA-regulated firms and solicitors. And they haven’t had to do this just once or twice. Before the third week of September was over, 81 separate alerts of fraudulent emails had been issued, a 50% increase over the same period in 2018.

Some of the emails use completely made up identities, such as the recent “Brett H Baughman” of Baughman & Associates, who informs the recipients they are entitled to the sum of “2.6 million pounds” after the death of a third party.

A casual search reveals that neither Brett nor his associates are regulated solicitors. In fact, they don’t even exist.

More convincing examples come in the form of payment diversion requests. A recent example claimed to be from Maurice Muchinda of Shoosmiths LLP. The emails, sent from “maurice.muchinda@shoosmithes.co.uk” to clients of the firm, asked for payments to be sent to an unknown third-party account and included the details of how to send the money.

This is a far more convincing example: Maurice Muchinda is indeed a regulated employee of Shoosmiths LLP. The only difference here is that the nefarious emails have been sent from “shoosmithes.co.uk” rather than “shoosmiths.co.uk”, adding an extra “e” in the false domain and hoping the client would not notice.

The SRA believes the client’s computer may have been compromised; the malicious actor then intercepted the conversation between the two parties and attempted to extract funds from the client.
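A mail filter can catch the “shoosmithes.co.uk” trick described above by comparing each sender domain with the domains a firm really corresponds with. The Python sketch below is an added example, not code from the SRA or Bondgate; the trusted-domain list, the distance threshold of 2 and the function names are assumptions.

```python
from email.utils import parseaddr

# Assumption: the domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"shoosmiths.co.uk"}

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, a common typo-style substitution.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain) for a From header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("invalid", None)
    for known in sorted(trusted):
        # Exact match or a subdomain of a trusted domain is accepted.
        if domain == known or domain.endswith("." + known):
            return ("trusted", known)
    for known in sorted(trusted):
        # Close but not identical: the display name may be genuine, the domain is not.
        if edit_distance(domain, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)

if __name__ == "__main__":
    # Sender addresses taken from the example in the article.
    print(classify_sender("Maurice Muchinda <maurice.muchinda@shoosmithes.co.uk>"))
    print(classify_sender("maurice.muchinda@shoosmiths.co.uk"))
```

A "lookalike" verdict is a reason to hold the message and confirm any payment details through a known phone number, not proof of fraud on its own.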

The increase in the rate of attack is yet another indication that security awareness training is becoming an organisational necessity, with firms from all sectors requiring further training of their staff, enabling increased diligence to spread to the clients as well.

Sadly, many victims can be completely unaware that they have been the victim of a phishing attack and don’t always appreciate the dangers of opening what might appear to be a legitimate email and clicking on what is in reality a malicious link or attachment.
As a result, all kinds of sensitive data could be being posted for sale to criminals operating on the dark web in a matter of minutes.
Such attacks are growing in sophistication and range from targeting individuals to gain sensitive information, such as passwords and account details, to so-called whaling – where cyber criminals target senior management of a company, often with devastating effects.

Gary Brown – MD, Bondgate IT

This continues to underline the very real need for a culture-shift towards more security awareness training which has a proven track record of reducing cyber risk. It’s time to make a change for the better.