Risk Update

(Security Week) Email Edition — Spoofed Law Firms, Cyber Scams & New Tools

Posted Dan Bressler

I’m always grateful to receive word from readers (don’t be shy & remember to tell your risk friends to sign up). Even more so when those notes include interesting updates. So a tip of the hat to Simon Chester at Gowling WLG for sending in this interesting story “about” Linklaters … which sparked a good amount of additional reading, lead up to: Security Week.

Linklaters Impersonated in Fake Job Posting Cyber Scam” —

  • “A scammer has been posing as Linklaters’ director of human resources in an attempt to con job seekers out of $1,500, in the latest example of a cyber scam affecting a top law firm.
    A report released by the Solicitors Regulation Authority (SRA) reveals that documentation misusing the ‘Linklaters LLP’ name is being used to advertise a fake ad to become a “Data entry professional” at the firm.”
  • “A Linklaters spokesperson said the firm alerted the SRA to this issue as soon as it became aware of it and also alerted clients with a note on its website. The Magic Circle firm’s name, as well as a fake partner, have now been used in three scams this year – also reported by the SRA.”
  • “Earlier this month, the SRA issued a warning after fake emails claiming to be from Michael Bates, the U.K. managing partner of Clifford Chance, were sent to members of the public. Last year, Herbert Smith Freehills had scam emails falsely attributed to it… And Simmons & Simmons had a similar situation, with emails claiming to be from corporate partner David Parkes that talked of unclaimed inheritance.”

A difficult risk question — How to prevent bad actors from attempting to fool with a bit of fraud? Particularly when recipients aren’t paying close attention to email domains (or domains are spoofed)?

I was not aware of some technology that firms are employing (or being asked to) to combat this type of thing, at least when a common standard is established with clients. The latest edition of The Orange Rag offered some timely education: “Clients demand DMARC is set to reject” —

  • “Clients are increasingly demanding that law firms have fully implemented email authentication protocol DMARC before they send them instructions.DMARC is a protective barrier for a firm’s email correspondence, sheltering staff and clients from the most common form of cyberattack, phishing.”
    “While no cyber solution is a silver bullet, DMARC is a global industry standard widely recognised as essential to protecting an organisation’s email, brand and reputation. It does this by preventing third parties from impersonating email domains.”
  • “Government bodies in both the UK and US, as well as a number of financial institutions and major corporates, understood to include Lloyds, are ramping up the pressure, however, by telling law firms they must reach ‘reject’ or risk losing their business.”

Thematically related and also interesting: “Nearly all 2020 presidential candidates aren’t using a basic email security feature” —

  • “Three years after Russian hackers targeted and breached the email accounts of Hillary Clinton’s presidential campaign, nearly all of the upcoming 2020 presidential candidates are still lagging in email security.”
  • “New data out by Agari confirms just one presidential hopeful — Democratic candidate Elizabeth Warren — uses domain-based message authentication, reporting, and conformance policy — or DMARC.”
  • “Agari said only 16 percent of the 500 world’s richest companies reject or quarantine unvalidated email — up from two years ago when just eight percent of the Fortune 500 were using DMARC.”