Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Social engineering: How cybercriminals capitalize on urgency

Making a request seem urgent clouds the fact that the request violates protocol or the norm. 

I was recently approached by a concerned person who wanted me to scrutinize an email received a few days prior. “Does this look like a phishing email? I don’t see any grammatical errors. But it’s asking me to visit this webpage.” We may know what to look for and what to be generally cautious about, but the fact is, social engineering attacks like phishing have taken on a new degree of sophistication that may fool even the most tech-savvy. From wire fraud to the types of scams perpetrated during tax season, it can be hard to know what it’s safe to do online, over the phone, or even over text. 

Social engineering is a term used to describe the types of attacks that take advantage of human vulnerabilities instead of technological ones. Cybercriminals are not always hackers in the traditional sense. In a lot of cases, the cybercriminal relies on the victim to help out by readily giving them the information they want, bypassing the need to go digging for it themselves. The most sophisticated password is rendered useless if it’s simply handed over on request. And very frequently, cybercriminals make it seem absolutely imperative to hand it over.

I would say that urgency is a primary tool of the cybercriminal to manipulate and take advantage of victims. Making a request seem urgent clouds the fact that the request violates protocol or the norm. While individuals are frequently targeted personally, organizations have lost millions to financial scams involving fraudulent wire transfers and criminals posing as authorized representatives. When a request seems urgent and appears to come from the top levels of an organization, the odds improve greatly that the victim will act fast and forgo any questions.

Law firm phishing

Many law firms unfortunately become victims of social engineering attacks. Whether it’s a phishing email or a telephone or texting scam, law firms are frequent targets of financially motivated attacks. In a previous article, I discussed the dangers of doxxing. Doxxing is the collection and publication of a person’s private information online, often with malicious intent, and the information collected is routinely bought and sold. Social engineering attacks are bolstered by the information cybercriminals gather this way: a phishing email that uses your name, your firm, your clients or a matter you are actually working on is far more convincing than a generic one. With each large-scale cybersecurity breach, the odds increase that doxxing-related crime will not only multiply, but will become even more sophisticated and personalized to the victims.

In addition to the kind of attack described above, in which the law firm itself is the recipient of a fraudulent email, law firms can also be victimized by being presented as the apparent sender. Law firms’ identities are regularly used by cybercriminals to send phishing emails to the firm’s clients and contacts. As in the wire fraud phishing scams that target the real estate industry, it may appear that a law firm is emailing its clients to instruct them to provide personally identifying information for the sake of “updating records,” or to send funds to a new account. The fact is, a cybercriminal is simply masquerading as the firm with a look-alike email address (a domain that differs from the firm’s by a single character, a hyphen or a different ending such as .co instead of .com) and a copy of the firm’s email format and signature block.
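As an added example that is not part of the original column, the following Python script shows how a mail gateway or help desk could flag the look-alike sender addresses described above. The firm domain (smithlaw.com), the sample From: headers and the substitution tables are all constructed for illustration; real deployments would use the Public Suffix List to find the registrable domain rather than the two-label assumption made here.

```python
"""Flag From: headers whose domain imitates a law firm's real domain.

Constructed example: firm domain, sample headers and confusable tables are
illustrative assumptions, not data from any real incident.
"""
import re
from email.utils import parseaddr
from typing import Tuple

# Single characters commonly swapped for look-alike letters (assumed table).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Letter pairs that read as one letter in many fonts (assumed table).
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def normalize(label: str) -> str:
    """Collapse common visual tricks so 'Srnith-1aw' compares as 'smithlaw'."""
    label = label.lower().replace("-", "")
    for pair, single in _PAIR_MAP:
        label = label.replace(pair, single)
    return label.translate(_CHAR_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; a small distance is a spoofing signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'smithlaw' from 'mail.smithlaw.com'.

    Assumes a one-label public suffix (.com, .net); use the Public Suffix
    List in production so 'example.co.uk' is handled correctly.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(from_header: str, firm_domain: str) -> Tuple[str, str]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', reason) for a From: header."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return "unrelated", "no usable address in header"
    domain = address.rsplit("@", 1)[1].lower()
    firm = firm_domain.lower()

    # Exact domain or a subdomain of it is the firm's own mail.
    if domain == firm or domain.endswith("." + firm):
        return "legitimate", "domain is " + firm

    firm_label = normalize(registrable_label(firm))
    sender_label = normalize(registrable_label(domain))

    # Same label under another ending (.co), or with hyphens/confusables.
    if sender_label == firm_label:
        return "lookalike", "firm label reused under a different domain ending"
    # One or two edits away (smithlaw -> smithlawe, smithlw ...).
    limit = 1 if len(firm_label) < 6 else 2
    if levenshtein(sender_label, firm_label) <= limit:
        return "lookalike", f"label within edit distance {limit} of the firm's"
    # Firm name buried in a longer hostname (smithlaw.com-records.net).
    if firm_label in normalize(domain.replace(".", "")):
        return "lookalike", "firm name embedded in an unrelated domain"
    # Display name says "Smith Law" but the address is somewhere else entirely.
    if firm_label in normalize(re.sub(r"[^A-Za-z0-9]", "", display)):
        return "lookalike", "display name imitates the firm; address domain does not"
    return "unrelated", "no resemblance to " + firm


# Constructed sample headers; none are real senders.
SAMPLE_HEADERS = [
    "Jane Smith <jsmith@smithlaw.com>",
    "Billing <billing@mail.smithlaw.com>",
    "Jane Smith <jsmith@smith-law.com>",
    "Jane Smith <jsmith@smithlaw.co>",
    "Jane Smith <jsmith@srnithlaw.com>",
    "Records <records@smithlaw.com-records.net>",
    "Smith Law LLP <updates@docs-portal.net>",
    "Court Clerk <clerk@mncourts.gov>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header, "smithlaw.com")
        print(f"{verdict:10} {header:45} ({reason})")
```

A hit on any of the look-alike rules is a reason to stop and verify the request by phone, not proof of fraud on its own; the point of the check is to make the "this looks just like our firm" email surface for a second look instead of being acted on under time pressure.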

So when asked whether something looks like a phishing email, how should you respond? The fact is, even if there are no evident markers indicating that anything is amiss, it still might be a phishing email prompting you to enter personal information or urging you to click on a link. It is always better to act slowly when an email asks you to do anything. Rather than clicking links sent to you, go to your accounts directly, by typing the address or using a bookmark you saved earlier. And before acting on any request to send money, change payment instructions or share confidential information, confirm it with the requester over a phone number you already have on file, never one supplied in the message itself; a legitimate request will survive that delay, and an urgent one that cannot survive it is the warning sign.

For organizations and law firms especially, internal cybersecurity training is always critical. Reinforcing policies about the use of personal email accounts is especially important, as is training people with access to confidential information or the ability to move funds in how to approach email safely and efficiently. In-house training should be supplemented with information sent to clients about the risks of email communication, the possibility of social engineering attacks, and how the firm will (and will not) contact them, so that a message asking for account details or a wire “from the firm” is recognized as something to verify rather than obey.


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  
