“Amateurs hack systems, professionals hack people.” – Bruce Schneier
What is social engineering?
Social engineering occurs when somebody acts like something that they’re not to get information from you so they can better themselves. We’ve heard a lot of stories that involve law firms and wire transfer fraud.
Common Social Engineering Schemes Aimed At Attorneys
There was a firm in North Carolina and they received a phone call, supposedly, from the bank saying, “We noticed some interesting activity on your account. I just want to verify we’re talking to the right person, what’s your username and password?” That firm gave the person on the phone their bank username and password. The bank said, “We’re gonna send you a code. We just want to make sure that you are who you are – let us know what the code is and then we’re going to talk about the issues with your account.” So instead, unbeknownst to the law firm, the people on the phone actually signed into their bank, initiated a wire transfer, and sent them the code needed for the wire transfer. So the law firm received the code and provided it to the people on the phone, they put it in, and then they went on to just have a fake conversation about what was wrong with their account. At the end, they said it just turned out to be an internal error and everything was fine. And 30 minutes later, the firm finds out that there was a wire transfer that they didn’t know about that they didn’t authorize. And in fact, it ended up being the person on the phone that allowed it all to happen.
This is a very common thing that we’ve been hearing more and more lately and it is a very common social engineering scheme aimed at attorneys.
Another one is, they’ll call you and appear like they are from a nonprofit, and they’ll try to, again, get some sort of wire transfer normally.
And then the final one that’s really, really common is they’ll send emails to you as your client. So it’s actually quite easy to appear to send an email as somebody else. It’s called email spoofing. An eight year old could do it, it’s so easy. They’ll send emails to you as your client, and they’ll say, “Hey, are you at the office? Can we send a wire out today? I’m busy, just go ahead and do it and email me when it’s done.” Anytime you get anything like that from your clients, you will need to put something in place where there’s some sort of two factor authentication. Something as simple as if they email you, you have to talk to them on the phone before proceeding. Having processes in place to combat social engineering is, again, part of that knowledge that needs to happen.
Social engineering is definitely an issue, and attorneys are one of the main people that they’ll go after because you have access to such important information.
Is This Really Happening?
I can tell you that, obviously, there have been claims, and whether they’re funds, transfer funds, transfers, or just hacks into the system to try to get information such as social security numbers, ein numbers, birth date health records of clients, it’s happening all the time, and it happens everywhere. The smaller law firms that don’t have a ton of money to spend on high priced security systems out there, they’re considered low hanging fruit or as I said, the easy targets for cyber criminals so be careful.
In the past five years, banks have spent about $90 billion on guarding against social engineering. They’re making it a lot harder to get into their information.