Phishing for victims

A lawyer’s email can be both the front door through which clients enter and the back door through which thieves sneak.

Phishing for victims
Illustration: Dushan Milic

A lawyer’s email can be both the front door through which clients enter and the back door through which thieves sneak. Distinguishing them has become increasingly difficult since those initial requests from the rich Nigerian prince desperately seeking help to move money out of the country and the poorly composed missive from a service provider instructing that changes need to be made to an account. You really didn’t have to look too far to see that something in those notes wasn’t quite right.

Enter today’s spear phishing scams. While American analytics company 250ok reports that 91 per cent of cyberattacks begin with a phishing email, a realistic-looking yet sinister email can be the product of a very targeted approach that begins with a breach and is followed by sometimes lengthy surveillance of an individual’s email correspondence. Law firms — targets for the valuable client information they harbour — are also particularly appealing to digital bandits for the trust accounts firms keep to safeguard clients’ money.

A scam in which a Dentons Canada Vancouver associate was tricked into transferring more than $2.5 million of client money held in a trust account to a fraudster’s account in Hong Kong is serving as a reminder to the profession to beware. Details of the ruse were revealed in an Ontario Superior Court of Justice hearing for an advisory opinion in December in which Dentons tried to get its insurer, Trisura Guarantee Insurance Company, to cover the $1.73 million the law firm was unable to recover.

The Dentons Vancouver associate was working on the sale of a property, from which a portion of the proceeds was to be paid to the mortgage holder as the 2016 Christmas holidays approached. Wire instructions were sent on Dec. 28 and the transaction was completed two days later. The following business day, Jan. 3, another email arrived instructing the associate to wire the funds to an international account since the Canadian account of the mortgage holder was being audited. The firm included letters of authorization before the money was wired. It gradually became clear over the next two weeks that the funds had been misdirected. Earlier this year, Dentons also filed suit against the mortgage company in the B.C. Supreme Court to recover the lost money.

Leveraging the human factor has become a more successful approach for cybercriminals than using “brute force” to penetrate accounts, says Daniel Tobok, chief executive officer of Cytelligence Inc. in Toronto. He describes a determined and precise approach in which the criminal infiltrates the inbox
of individuals who can have access to financial accounts.

“They spend an average of 18 to 36 days on the environment, so they can read the emails, they see who you’re talking to, so they understand who you’re going to pay,” he says. Once they identify the right opportunity, they look for the right time, and then the carefully written email is dispatched, as if to continue the conversation thread. “This is a very effective way of stealing money. It’s easier than robbing a bank and you don’t get shot.”

The email may come from a domain name that can be easily mistaken for the legitimate sender — but careful examination will reveal a slight change, the letter “l” in the original email or domain name might become the number “1” in the hacker’s spoofed account.

The Dentons situation highlights the vulnerability of emails and points to the importance of both technical and administrative controls to keeping money and information safe. Part of the deception may lie in social engineering, which is psychological manipulation.

Tobok says his company handles about 50 such situations every month. Hackers can now try millions of passwords in a short period of time, meaning they have greater ability to access email accounts. He says two-factor authentication — in which a combination of two different factors is required to get access, such as a bank card or a cellphone text and a password — has become essential as a basic prevention tool.

“Most people think of hackers as the grab-and-smash characters of the hood. They still have a hood, [but] it’s no longer about grab and smash,” he says. “That’s really where the methodology, the strategy on the side of the threat actors, really changed. That’s the reason why just firewalls don’t work anymore, because firewalls were created for brute-force attacks.

“Social engineering, phishing — that’s really where the criminals are playing today because they realize they cannot fool machines, but they can fool people.”

The challenge, says David Fraser, a Halifax internet and privacy lawyer with McInnes Cooper, is that employees and lawyers travel with mobile devices and working remotely is further accommodated through the now common commercial use of cloud computing. The process further allows for relatively easy remote access for employees using a web browser.

“You might not be able to log in to somebody’s accounting system, you might not be able to log in to their document management system, but there’s always an interface that you can probably find for their email system. Those are kind of invisible doors on the internet to get into a company,” says Fraser.

Disabling access from out of the country can help on the prevention front, particularly from perpetrators looking for easy opportunities.

“The effort that goes into that shows you how lucrative these are,” he adds. Sometimes, “social sleuthing” by figuring out who to target requires no breaches at all. He points to one example in which a perpetrator impersonated someone else to communicate with the comptroller of a law firm to move money.

Ian Hu, counsel for claims prevention and practicePRO at Ontario legal insurer LawPro, says the average cost of fraud is double that of any other claim and typically ranges from $200,000 to $400,000. And many of those frauds are perpetuated through a few different approaches, all turning on the penetration of email with ever increasing sophistication.

Once access to email conversations is achieved, the hacker patiently watches until they see the opportune moment to pounce. “They will wait and wait. . . . When the issue resolves and there’s money to be put into the account . . . the hacker, posing as the client, will send an email to the lawyer saying thanks for doing a great job, can you send the funds to this account . . . which is not the client’s account, it’s the hacker’s account.”

Another scenario LawPro sees is the email that appears to be coming from a colleague, often at around the lunch hour or just before a long weekend, simply asking if you happen to be around. The fictitious colleague will then explain that they’re not in the office but they need to transfer money quickly and then request help. A legitimate email from a colleague can also serve as a cloak through which a virus is passed, meaning that links and attachments from otherwise trustworthy accounts must also be scrutinized.

And the old bad cheque scam continues, although with a bit of a digital twist. A potential client arrives via email, instead of in person, hands over trust money through a bad cheque and then suddenly needs to get the money back because of an emergency. The scammer tries to get the lawyer to withdraw the money from the trust account before the bank has a chance to clear the cheque, often using holidays as buffer time.

The lawyer’s responsibility, adds Hu, is to double check everything, which includes scrutiny of the email address, and confirming the transaction through conversation and not relying on email alone. LawPro keeps a running list of known hacker handles, which are often used in bulk for a short period of time, and encourages lawyers to do a quick search at avoidaclaim.com if they have any suspicions. The insurer also posts newsletters on practicepro.com, including a recent one entitled “New lawyer cyber dangers and how to avoid them.”

Attacks on law firms are increasing in intensity and approaches, says Rob Walls, information technology manager at Vancouver-based Boughton Law, who is on the board of the British Columbia Legal Management Association and is past regional liaison and a member of the International Legal Technology Association. “I would say that at least half the law firms get poked by things every once in a while, possibly more. Some of them may not be aware that they are being hit by things.” But, he adds: “You can do a lot to make sure you’re not as juicy a target.”

Software at Boughton allows for the continual scrutiny and testing of links and webpages that arrive via email. While the firm of about 130 people, including about 50 lawyers, has a technical staff of four, an external firm is employed to monitor traffic 24/7 live to look for patterns, verify domains of emails and check server sources.

But the focus ought not to be solely on the software and the technical preventions; regular training will help staff understand the ever-changing threats to which they may be vulnerable. Boughton also conducts simulated attacks and annual interactive sessions for employees. Ensuring that staff is diligent about following policies and procedures is necessary to avoid the scams built on social engineering. The key, says Walls, is preparing for the unknown threats. “You don’t really know what the next big danger is going to be.

“When you get right down to it, I think people are going to have to get used to slowing down a little bit when we’re working on things,” he says. “It’s difficult, particularly in law, because there’s so much that’s time sensitive, but as you can see, if you make the wrong decision, if you cut that corner and don’t do that final check, disaster can strike.”

As for Dentons, attempts to reclaim the lost money continues through the legal action, but Canada region general counsel David Goult says none of Dentons’ systems or data were compromised in the fraud. He says the scam at the Vancouver office occurred when the mortgage company’s computer system was breached, providing fraudsters with access to the details and timing of the real estate transaction. Dentons, he adds, devotes substantial resources to fraud awareness and prevention, including mandated training to ensure its own systems aren’t compromised.

“We have regular training on an annual basis for all of our personnel . . . on these kinds of risks, these kinds of dangers that are out there,” he says, such as phishing and other schemes. “As fraudsters change and develop and modify their methods, we change and modify our training.

“Every organization has been aware that there are phishing schemes out there, so you want to be very careful before you open an email with an attachment, unless you’re very, very sure it’s secure.”


Cybercriminals target law firms

Law firms have been targeted for money and information. A 2018 American Bar Association survey reports that 23 per cent of firms have been hacked at one time or another. Here are some of the more dramatic breaches:
• Panama Papers is considered on of the largest-ever leaks of financial records from accounts based in offshore locales from the global law firm of Mossack Fonseca, which subsequently closed.
• Dark Overlord, claiming to have thousands of documents obtained from law firms involved in 9/11 claims, threatened to make them public if money wasn’t paid.
• Oleras, based in the Ukraine, threatened in 2016 to target nearly 50 law firms involving documents revealing information about pending corporate deals.
• DLA Piper was targeted by a ransomware attack that took down phones and computers at the firm’s offices in multiple countries.