Phishing and Malware Cyberattacks are Directed at Law Firms (and Clients) – So it’s Time to Train Employees

12 May 2015 Internet, IT & e-Discovery Blog
Authors: Peter Vogel

It is no surprise where cyberattacks are focused: it was recently reported that about 45% of IT security decision makers are worried about “phishing attacks, and employees clicking on links within email which download malware and email attachments which download malware.” In April 2015 Osterman Research issued its “Best Practices for Dealing with Phishing and Next-Generation Malware,” which started with these terrible stories about two law firms:

An attorney in the greater San Diego area opened an attachment in a phishing email that he thought was sent to him by the US Postal Service. The attachment installed malware on his computer, and shortly thereafter he found that $289,000 had been transferred from his firm’s account to a bank in China.

A law firm in Charlotte, NC transferred $387,000 to a bank in Virginia Beach, VA after it closed a deal. Shortly thereafter, cybercriminals transferred most of this amount to the law firm’s bank in Charlotte, which transferred the funds to a bank in New York and then to a bank in Moscow. The victim organization believes it had been infected with keystroke logging software from a phishing email that captured all of the critical information necessary to initiate the wire transfer.

Of course the advice in Osterman’s Report is not limited to lawyers; these phishing and malware scams affect all industries. Here are 3 of the 8 key takeaways:

  • Cybercriminals are getting better, users are sharing more information through social media, and some anti-phishing solutions’ threat intelligence is not adequate. This makes organizations more vulnerable to phishing attacks and other threats.
  • Users should be considered the first line of defense in any security infrastructure, and so organizations should implement a robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.
  • IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.

Without question these cyberattacks will not abate anytime soon, so every employer should be training employees continuously.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.

