Rick Borden Discusses Growing 'Spear-Phishing' Cyberthreat
"Spear-phishing" – a cyberscam in which a target is induced to reveal confidential information or transfer money by a hacker impersonating, via email, someone the target knows – is a growing concern for law firms, particularly those whose practices involve initiating monetary transactions on behalf of clients.
Rick Borden, Partner and Chief Privacy Officer, discussed with The Legal Intelligencer how cybercriminals execute these attacks.
"A lot of time, quite literally, the email [system] has been compromised," he said. "What that means is that [the hackers] are in the middle of a conversation. They're watching it. Sometimes you get an email that looks like it's from a similar place as someone you know and sometimes they've gotten that person's credentials and they're actually sending emails from a valid email address."
Rick went on to explain that the vast majority of spear-phishing scams are aimed at inducing a target to wire money, as opposed to gaining access to confidential information. However, guarding against an attempt to induce a fraudulent wire transfer requires significant legwork.
"Any wire that's going to be initiated for any reason has to be verbally confirmed," he said, adding, "You need to confirm everything. I don't care if it's inconvenient. I don't care if it slows the deal down. You don't trust anything that comes off the email or a fax."
He went on to explain that defending against spear-phishing attempts by blocking unauthorized access to email servers in the first place is simply not a realistic solution.
"The information security people I know would say you have to assume that [hackers] are in the system and that they're going to get in in some way or another," Rick said. "The goal is to try to prevent them from getting to places that are sensitive."