The Summer of Phish: Fraudulent Bar Association Emails Target Lawyers

Phishing email campaigns have targeted lawyers across the country this summer, claiming that they have unpaid bar dues and discipline complaints, some stating “Past Due Invoice” in their subject lines to urge attorneys to open them.

The American Bar Association's (ABA) Division for Bar Services suspects that the senders are harvesting target email addresses from state bar websites, including those of Nevada, Florida, Georgia and Alabama.

The emails are signed in the names of state bar association presidents and carry links to download malicious software. In Florida, the links were reportedly serving ransomware, specifically variants of CryptoLocker, according to the IT Operations Manager at The Florida Bar as reported by AbovetheLaw.com. CryptoLocker is ransomware that encrypts files on a Windows machine and demands payment before the files are decrypted.

The attackers also built a lookalike copy of the state bar association's website, which appeared genuine apart from typos and content inaccuracies, according to ABAJournal.com.
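The lures described above (a "Past Due Invoice" subject, a sender posing as the bar association, a link whose visible text shows the bar's real domain while pointing elsewhere, and a direct download of a malicious file) can be turned into a simple triage check. The following is an added example, not code from the original article or from Duo: it parses a raw message with Python's standard library and returns the indicators found. The legitimate domain examplebar.org, the lookalike domain examplebar-org.com and both sample messages are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the bar association's genuine sending domain.
LEGIT_DOMAINS = {"examplebar.org"}
# Subject phrases matching the lures reported in the campaign.
LURE_WORDS = ("past due", "invoice", "unpaid", "discipline", "complaint")
DOWNLOAD_EXT = re.compile(r"\.(exe|zip|rar|scr|js|jar|docm)$", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain (last two labels). Real code should use the
    public suffix list so that suffixes like co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host):
    """True when the host is not legitimate but imitates a legitimate domain:
    the real name embedded in a longer label (examplebar-org.com) or within
    two edits of it (examp1ebar.org)."""
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return False
    label = dom.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_label = legit.split(".")[0]
        if legit_label in label or edit_distance(label, legit_label) <= 2:
            return True
    return False


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phish_indicators(raw):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if any(w in (msg["Subject"] or "").lower() for w in LURE_WORDS):
        hits.append("lure-subject")
    from_host = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    if from_host and registrable(from_host) not in LEGIT_DOMAINS:
        hits.append("lookalike-sender-domain" if is_lookalike(from_host)
                    else "external-sender-domain")
    # A bounce address on another domain is only a weak signal on its own;
    # mailing services do this legitimately, so it adds to the score only.
    rp_host = parseaddr(msg["Return-Path"] or "")[1].rpartition("@")[2]
    if from_host and rp_host and registrable(from_host) != registrable(rp_host):
        hits.append("return-path-mismatch")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname or ""
            if host and registrable(host) not in LEGIT_DOMAINS:
                hits.append(f"external-link:{host}")
            shown = DOMAIN_IN_TEXT.search(text.lower())
            if shown and host and registrable(shown.group(0)) != registrable(host):
                hits.append(f"link-text-mismatch:{host}")  # text says one site, href another
            if DOWNLOAD_EXT.search(urlparse(href).path):
                hits.append(f"download-link:{host}")
    return hits


# Constructed sample messages for the example (not real campaign artefacts).
PHISH_EMAIL = """\
From: "State Bar President" <president@examplebar-org.com>
Return-Path: <bounce@mail-blast.example.net>
To: attorney@lawfirm.example
Subject: Past Due Invoice - Annual Bar Dues
Content-Type: text/html; charset="utf-8"

<html><body><p>Your dues are past due. Download your invoice:
<a href="http://examplebar-org.com/invoice.zip">www.examplebar.org/invoices</a></p></body></html>
"""

LEGIT_EMAIL = """\
From: "Membership Office" <membership@examplebar.org>
Return-Path: <membership@examplebar.org>
To: attorney@lawfirm.example
Subject: Annual membership renewal reminder
Content-Type: text/html; charset="utf-8"

<html><body><p>Renew at <a href="https://examplebar.org/renew">examplebar.org/renew</a></p></body></html>
"""
```

Calling `phish_indicators(PHISH_EMAIL)` returns six indicators (lure subject, lookalike sender, Return-Path mismatch, external link, mismatched link text and an archive download), while `phish_indicators(LEGIT_EMAIL)` returns none. In practice the weights matter: the Return-Path and subject checks fire on legitimate bulk mail, whereas a lookalike sender domain combined with a download link almost never does, and the lookalike test should be backed by the public suffix list rather than the two-label shortcut used here.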

Most state bars do not send discipline proceeding documents by email, relying on postal mail instead, so an emailed complaint or dues notice should itself be treated as suspect.

Earlier this year, a "biglaw" firm reported that it fell victim to a phishing campaign targeting its payroll department. The firm sent employee W-2 forms to the criminals, leaking employee names and Social Security numbers. As a result, many of the firm's employees became victims of identity theft and tax refund fraud.

"Biglaw" is an industry term for the largest full-service law firms, which handle every category of legal work, including mergers and acquisitions, banking and high-stakes corporate litigation; they are clearly major targets for criminals.

Information Security for Lawyers to Protect Client Data

In general, all lawyers are high-value targets for online criminals, as they hold troves of confidential client, business transaction and case information. Like any other employer, they also hold ordinary employee data, including personal, financial and health insurance information.

The security practices of law firms have become a business differentiator, prompting retail, financial and other clients across diverse industries to thoroughly vet a law firm’s information security operations before contracting with them.

As for standards to follow, AmericanBar.org recommends the FTC's Safeguards Rule under the Gramm-Leach-Bliley Act, known as the Standards for Safeguarding Customer Information.

The ABA also recommends that larger firms follow standards published by the International Organization for Standardization (ISO), including ISO/IEC 17799:2005, Information Technology—Code of Practice for Information Security Management, and ISO/IEC 27001:2005, Information Technology—Security Techniques—Information Security Management System—Requirements. Both editions have since been superseded: ISO/IEC 17799 was renumbered as ISO/IEC 27002, and ISO/IEC 27001:2005 was replaced by the 2013 revision, so firms should work from the current editions.

Prevent Phishing and Protect Against Malware Infection

Other ways law firms can reduce the risk of malware infection include ensuring that their users, devices and applications are trusted. Using two-factor authentication so that a phished password alone is not enough to log in is one way to ensure your users are trusted. Note that one-time passcodes can themselves be phished and relayed in real time; phishing-resistant factors such as U2F/FIDO2 security keys, which bind the login to the genuine site, close that gap.

Simulating a phishing attack can also give your IT department, system administrator or security officer insight into which users are at greatest risk of falling for a phishing email, and which are most in need of training.

Ensuring trusted devices is possible with an endpoint solution that checks every device before allowing it access to your applications, giving administrators the option to warn about or block outdated devices until they are updated. Since malware and other exploits often rely on outdated operating systems, browsers and plugins like Flash and Java to spread from devices into your systems, this visibility lets you stop an infection before it reaches your data.

Finally, you can ensure trusted applications by writing policies and controls that allow users to access only the applications they need to do their jobs, and nothing more. This reduces the scope of damage if one user's credentials are compromised, limiting both the number and the sensitivity of the applications an attacker can log into and the data they can steal.

Learn more about new threats and how to protect against them in Duo’s 2016 Trusted Access Report: The Current State of Device Security Health, and visit our Legal page to learn more.

Thu Pham

Information Security Journalist

@Thu_Duo

With seven years of experience in tech and information security, Thu covers timely news events, putting security information in context to make it easy to understand.