Looking to get into hacking? Forget Ashley Madison or the State Department. Corporate legal departments are the easiest targets. That's the lesson from a new report on data breaches released by Verizon recently. The report, which examined threats to data security across industries, looked in part at responses to 150,000 phishing emails.
Phishing is a form of email fraud where messages appear legitimate in order to steal sensitive information. For example, a phishing email may disguise itself as a message from a bank, asking for your account information, or an update from H.R. telling you to install a new, secretly malicious, program. And corporate lawyers love them! In-house legal departments were more likely than almost all other groups to fall for phishing emails' tricks.
In-House Attorneys Fail Cybersecurity 101
Phishing is common, according to Verizon's 2015 Data Breach Investigation Report. Phishing attempts account for over 20 percent of "significant threat actions" over the past year, the report found. And phishing can have serious consequences. During the recent State Department hack, Russian hackers were able to infiltrate the White House's computer systems through a simple phishing email. Phishing has become the go-to method for state-sponsored cyber-espionage, according to the data breach report. Over the past two years, two-thirds of cyber-espionage incidents used phishing tactics.
Lawyers aren't the only ones to get tricked by phishing scams. Twenty-three percent of recipients open phishing emails, the report found, and a shocking 11 percent open attachments. Legal departments, along with communications and customer service offices, had the highest rates of opening phishing emails, though the report didn't give hard numbers. A professional responsibility blog, The Law for Lawyers Today, explained the high rate as a result of lawyers' desire to respond quickly to clients and overestimation of their own tech skills.
Learning to Avoid Cyber Threats
The Verizon report isn't the first to call out in-house attorneys for their lack of cybersecurity skills. A survey of directors, board chairs, and CEOs released in May found that top brass were unlikely to consult their legal departments on cybersecurity risks. Now we know why.
A vigilant eye -- and good filtering software -- can stop many phishing emails in their tracks. Checking URLs can help lawyers avoid suspicious emails, making sure they're not being directed to blankofamerica.com, for example. Grammar and spelling mistakes are generally more common in phishing emails. And of course, emergency calls for you to reveal personal information should always be met with skepticism.
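The URL check described above is also something filtering software can do automatically. The following is an added example, not taken from the Verizon report or the original article: it pulls links out of a message and flags hosts that sit within a couple of typos of a trusted domain, or that bury a trusted name inside a longer host. The trusted list, function names and sample message are constructed for illustration, and the two-label domain split is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this organisation genuinely deals with.
TRUSTED = {"bankofamerica.com", "verizon.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample message, not a real phishing email.
SAMPLE = (
    "Your account is locked. Sign in at http://www.blankofamerica.com/login now.\n"
    "Statement: https://www.bankofamerica.com/statements\n"
    "Help: https://bankofamerica.com.secure-login.example/reset\n"
)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    # Simplification: keep the last two labels. Production code should
    # consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, trusted=TRUSTED, max_dist=2):
    """Return (verdict, matched_trusted_domain) for one URL."""
    host = (urlsplit(url).hostname or "").lower()
    dom = base_domain(host)
    if dom in trusted:
        return ("trusted", dom)
    for t in sorted(trusted):
        # Trusted name used as leading labels of somebody else's domain.
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return ("lookalike", t)
        # Near miss: a letter added, dropped or swapped.
        if edit_distance(dom, t) <= max_dist:
            return ("lookalike", t)
    return ("unknown", None)

def scan(body):
    """Classify every http(s) link found in a message body."""
    return [(u, *classify(u)) for u in URL_RE.findall(body)]

if __name__ == "__main__":
    for url, verdict, match in scan(SAMPLE):
        print(f"{verdict:9} {url} (closest trusted: {match})")
```

A "lookalike" verdict is a reason to hold the message for review, not proof of fraud; a legitimate domain can happen to be a near neighbour of a trusted one.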
Lawyers should feel free to test out their scam-spotting skills. If you think you and your colleagues are too smart to fall for a phishing email, designing a fake phishing email isn't too hard to do.