A growing number of email scams target small law firms, because attorneys hold sensitive client information. This type of phishing mimics an email from a trusted third party, such as a legal organization or disciplinary board, a far cry from yesterday's scams promising a once-in-a-lifetime opportunity with a Nigerian prince.
In a recent edition of PROfessional Counsel, CNA Risk Control Representative Matt Fitterer details two examples that illustrate the targeted nature of these new phishing attacks, and shows how firms can implement phishing awareness training so that their employees avoid becoming victims of these email scams.
Bar Complaint Scam
In this example, an email appears to come from a trusted source, such as the state bar or the attorney general's office. It includes a call to action that must be completed quickly to avoid legal consequences, such as downloading an attachment said to concern a disciplinary complaint.
When those instructions are followed, malware is introduced into the firm's network. The malware may exfiltrate the firm's data or deploy ransomware, which encrypts the files it can reach and holds them for ransom. Either way, the firm's data ends up exposed or compromised.
This type of scam is becoming increasingly common; attorneys in Alabama, California, Florida, Georgia and Nevada have reported it. The scam capitalizes on attorneys' fear of receiving a bar complaint. Nevertheless, the fraudulent email offers telltale clues that can warn the recipient, such as:
- Missing letterhead or the formatting that typically accompanies an "official" email
- Vague descriptions of the rebuttal process
- A sender's address that isn't quite right: for example, the display name reads "Office of the State Attorney," but the actual address behind it is firstname.lastname@example.org, on a domain unrelated to any state office
If attorneys or staff members at your firm receive a bar complaint email, they should not act on any call to action before confirming the email's authenticity. To confirm it, call the organization at a phone number found independently on its own website, rather than using a number or link provided in the suspect email.
HIPAA Audit Scam
Another phishing scam exploits attorneys' unfamiliarity with the most recent regulations and procedures under the Health Insurance Portability and Accountability Act (HIPAA). Attorneys may be subject to HIPAA compliance in their roles as potential "business associates" of covered entities. An unknown number of emails styled as official letters from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) have been sent under the guise of OCR's HIPAA Privacy, Security and Breach Notification Audit Program.
This attack asks the recipient to follow a link that appears to lead to a government website but actually leads to a non-government site marketing cybersecurity services. The immediate harm is small, but an attorney who falls for it today may fall for a similar tactic with far more serious consequences tomorrow.
While this HIPAA scam looks legitimate, it gives itself away in one detail: the fake URL ends in ".us" instead of ".gov". If your firm receives an email purporting to come from OCR, contact OCR directly, using contact information from its own website, for verification.
To raise awareness before an attack succeeds, firms should consider these strategies for educating their employees about phishing attacks:
- Keep antivirus software, web browsers and email software updated
- Routinely back up data to a separate server or drive that is not left connected to the network, so that ransomware cannot reach the backup as well
- Exercise caution with email links and attachments: hover over a link to see the address it actually points to, and check an attachment's real file name and extension before opening it
- When in doubt, contact the sender directly through an independent number not listed in the suspect email
- Create an open culture within your firm that rewards employees for promptly disclosing that they may have fallen victim to a scam
- Educate and test your support staff as well as your attorneys
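The three tells described in this article (a display name that does not match the real sending address, a government-looking link on ".us" instead of ".gov", and a link whose visible text differs from where it actually goes, which is what hovering reveals) can each be checked mechanically before anyone clicks. The following Python is an added example, not code from the article or from CNA; the sample messages, the domain allowlist and the keyword lists are constructed for illustration and would need tuning for a real firm.

```python
"""Mechanical checks for the phishing tells described above.

Added example, not code from the original article or from CNA. The sample
messages, the domain allowlist and the keyword lists are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the firm actually corresponds with
# (its state bar, courts, agencies); maintained by the firm, not guessed.
EXPECTED_SENDER_DOMAINS = {"courts.example.gov"}
# Display-name words that claim authority, and host fragments that imitate
# government sites. Both are heuristics, not exhaustive lists.
OFFICIAL_WORDS = ("office", "attorney", "bar", "court", "department",
                  "civil rights", "hhs", "ocr")
GOV_LOOKALIKE_FRAGMENTS = ("gov", "hhs", "ocr", "hipaa")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the display name says "Office of the State Attorney",
# but the real address in the angle brackets is on an unrelated domain, and
# the link imitates a government site on ".us" instead of ".gov".
BAR_COMPLAINT_EMAIL = """\
From: "Office of the State Attorney" <firstname.lastname@example.org>
To: partner@lawfirm.example
Subject: Disciplinary complaint - response required within 48 hours

A complaint has been filed against you. Review the notice at
http://www.hhs-ocr-audit.us/hipaa/notice and respond within 48 hours.
"""
# Constructed sample that passes both checks.
EXPECTED_EMAIL = """\
From: "Clerk of Court" <clerk@courts.example.gov>
To: partner@lawfirm.example
Subject: Hearing scheduled

Details: https://www.courts.example.gov/calendar
"""
# Constructed HTML body: the visible text is a .gov URL, the real href is not.
HIPAA_HTML_BODY = ('<p>Your audit letter: <a href="http://ocr-audit.example.us/letter">'
                   'https://www.hhs.gov/ocr/audit</a></p>')


def parse_sender(raw_message: str) -> tuple[str, str]:
    """Return (display name, real sending domain). Mail clients show the
    name prominently; only the address in angle brackets says who sent it."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return name, addr.rpartition("@")[2].lower()


def sender_is_suspicious(raw_message: str) -> bool:
    """Display name claims an official body, but the real domain is not one
    the firm expects (the bar-complaint tell)."""
    name, domain = parse_sender(raw_message)
    claims_authority = any(w in name.lower() for w in OFFICIAL_WORDS)
    return claims_authority and domain not in EXPECTED_SENDER_DOMAINS


def suspicious_links(raw_message: str) -> list[str]:
    """Links whose host borrows government-looking labels but whose top-level
    domain is not .gov (the HIPAA-audit ".us" tell). Plain-text bodies only."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(f in host for f in GOV_LOOKALIKE_FRAGMENTS) and \
                host.rpartition(".")[2] != "gov":
            flagged.append(url)
    return flagged


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def hover_mismatches(html_body: str) -> list[tuple[str, str]]:
    """Anchors whose visible text is a URL on a different host than the real
    href: what hovering over the link reveals before anyone clicks it."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    return [(text, href) for href, text in collector.pairs
            if text.startswith(("http://", "https://"))
            and urlparse(text).hostname != urlparse(href).hostname]
```

Running `sender_is_suspicious(BAR_COMPLAINT_EMAIL)` returns True because the display name claims a state office while the real domain is example.org; `suspicious_links` flags the ".us" link; and `hover_mismatches(HIPAA_HTML_BODY)` pairs the displayed hhs.gov URL with the non-government href behind it. None of these checks replaces the article's core advice to verify through an independently obtained phone number, but they show staff concretely what to look at.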
As an attorney, you have a duty to your business and your clients to be familiar with the warning signs of phishing attacks. To learn more about protecting your firm against scammers, download Matthew Fitterer's article in CNA PROfessional Counsel: "Phishing Attacks Use Bar Complaints and HIPAA Audits as Bait."