Phishing Attacks Use Bar Complaints and HIPAA Audits as Bait
Attorneys have access to sensitive information and large sums of money, and although they are experts in many areas, they are seldom on the cutting edge of new technology. It should come as no surprise, then, that a growing number of email scams are targeting attorneys and other similar professionals. By mirroring an email from a state bar, legal organization, disciplinary board or government entity, these scams take a narrower focus that scatter-shot emails offering a free cruise or a one-in-a-lifetime deal with a Nigerian prince.
This brand of phishing uses a victim’s trust (or sometimes fear) of an institution as a way of influencing that person to download a malicious attachment, click on a malicious link, or transmit sensitive information to a third party. While some phishing emails remain easy to detect, others have begun displaying an incredible attention to detail. “Spoofing”, a phishing tactic that involves the technical manipulation of the email header or IP address so that it appears to have been sent from a trusted source, is especially difficult to counteract.
The two examples below illustrate the targeted nature of newer phishing attacks and the level of sophistication they employ, but also present an opportunity to educate attorneys on what they can do to avoid becoming a victim.
Bar Complaint Scam:
Officials from state bars across the country continue to warn of fraudulent emails purportedly conveying notice of a disciplinary complaint. Attorneys in Alabama, California, Florida, Georgia and Nevada reports receiving the phony emails as early as last summer, but emails have continued to surface through 2017. A variant of the scam appeared in Florida alleging a past due invoice rather than a bar complaint, but the details have remained more or less the same.
Like most phishing attempts, the email appears to have originated from a trusted source, whether it is the state bar, bar association, or even the attorney general’s office. It includes an urgent call to action, typically a response within ten days, and prompts the recipient to download an attachment or follow a link to view the relevant complaint or invoice. Following these instructions, you may have guessed, triggers the introduction of malware onto your system.
This malware may directly extract data from your network, but with the growing frequency devices are instead infected with ransomware which encrypts the recipient’s hard drive. Only upon paying a fee, subject to strict, time-sensitive instructions, will the device by decrypted and restored. Failing to comply leaves your data unusable and likely compromised.
