Social engineering, a tactic that exploits human psychology rather than technical vulnerabilities, poses significant risks to organisations and individuals alike. For legal professionals, understanding these risks is crucial, not only for advising clients but also for safeguarding their own practices.
So how does it work? In a nutshell, social engineering involves manipulating individuals into unwittingly divulging confidential information or performing actions that compromise security. Whilst we may hope that, as individuals and organisations, we wouldn’t fall for these tricks, these techniques are growing ever more sophisticated and manipulative, and the risk they pose is something law firms can mitigate.
Common techniques legal professionals should be aware of include:
Phishing: attackers attempt to deceive individuals into providing sensitive information, such as usernames, passwords, or credit card details, by pretending to be a trustworthy entity. This is typically done through email, but can also occur via text messages, social media, or other communication platforms.
Pretexting: a technique where an attacker creates a fabricated scenario, or pretext, to manipulate a target into divulging sensitive information. For example, an attacker might call an employee, claiming to be from the company’s IT department, and say they need the employee’s login credentials to fix an urgent issue. By creating a sense of urgency and legitimacy, the attacker can trick the employee into revealing confidential information.
Baiting: a tactic where an attacker tempts a target with the promise of something desirable to lure them into a trap. This often involves offering free items, downloads, or access to something attractive, which, when accepted, leads to the compromise of the target’s security.
Tailgating: the act of an unauthorised person following an authorised individual into a restricted area. This tactic exploits the trust and courtesy of employees who may hold the door open for someone they assume has legitimate access. Once inside, the intruder can gain access to sensitive information or systems. This method relies heavily on the social norms of politeness and can be surprisingly effective when utilised on us polite Brits!
For legal professionals, the implications of social engineering are multifaceted. Breaches can lead to significant financial losses, reputational damage, and legal liabilities. Firms may face lawsuits from clients whose sensitive information was compromised, and regulatory penalties for failing to protect data adequately.
Case Study: The UK Energy Firm Incident
In March 2019, a UK energy firm’s CEO received a phone call from someone who sounded exactly like his boss, instructing him to transfer £243,000 to a Hungarian supplier. Using AI software, criminals had in fact created a voice that perfectly imitated that of the boss of the energy firm’s German parent company. So convincing was the call that the CEO immediately transferred the funds, having been convinced the money would be reimbursed right away. The money was moved to the supposed Hungarian supplier, before being swiftly disbursed across Mexico and other overseas locations.
The incident, still under investigation, underscores the effectiveness of voice phishing (vishing) and the importance of robust verification processes.
Case Study: SharePoint Phishing Scam
A more recent example in April 2021 involves a sophisticated phishing scam targeting Microsoft SharePoint users. This dangerous phishing fraud was specifically designed to target home workers using cloud-based software.
In this scam, attackers sent legitimate-looking SharePoint alerts to employees, prompting them to click on a link to access shared documents. A carbon copy of a typical SharePoint email, the message linked to a phishing site that harvested the users’ credentials.
The specific amount of data lost in the 2021 Microsoft SharePoint phishing scam has not been publicly disclosed. However, the scam was extremely successful in compromising user credentials, providing access to sensitive information and causing significant data breaches.
So how can law firms mitigate the risks of social engineering? Start with education and training. Once understood, many social engineering attacks are easily recognisable and the more training staff have, the more switched on they will be to recognising attack attempts.
It’s also essential to review and strengthen verification protocols. Implement strict firm-wide procedures for financial transactions and requests for sensitive information. This will ensure that staff members do not instantly comply with requests from supposed senior team members, as seen in the energy firm incident.
Review your IT strategies. Don’t be afraid to question your IT team on their approach to social engineering. Advanced email filters, multi-factor authentication and other new technologies are constantly evolving to help reduce the risk of successful attacks.
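As an added illustration (not part of the original article) of the kind of check an email filter can apply to SharePoint-styled alerts like those in the case study above, the Python below flags links in a notification that lead outside Microsoft’s domains or whose visible text shows a different host from the real destination. The list of trusted host suffixes and the two sample email bodies are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine SharePoint sharing notification links to (an assumption for this example).
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com")

class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_links(html_body):
    """Return [(href, [reasons])] for links that leave Microsoft's domains or whose
    visible text names a different host than the one the link really goes to."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        reasons = []
        if not _is_trusted(host):
            reasons.append(f"destination {host!r} is not a SharePoint/Microsoft host")
        if shown and shown != host:
            reasons.append(f"text shows {shown!r} but link goes to {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample bodies (not real messages): a genuine-looking alert and a lookalike.
GENUINE_EMAIL = ('<p>Alex shared "Q3 contract.docx" with you.</p>'
                 '<a href="https://contoso.sharepoint.com/:w:/s/legal/doc1">Open</a>')
LOOKALIKE_EMAIL = ('<p>Alex shared "Q3 contract.docx" with you.</p>'
                   '<a href="https://sharepoint-docs-login.example/open">'
                   'https://contoso.sharepoint.com/open</a>')
```

Running `suspicious_links(LOOKALIKE_EMAIL)` returns the one offending link with both reasons, while the genuine alert returns nothing; a filter could quarantine or banner such messages rather than relying on staff to spot the fake.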
And finally, ensure all your legal safeguards are in place. Ensuring compliance with data protection regulations and having clear policies for incident response can mitigate legal repercussions, should the worst happen. By taking these measures firms can protect themselves and their clients from the potentially devastating consequences of social engineering.