What is Social Engineering and What Can Your Law Firm Do About It?
I have a friend who owns a consulting firm with over 100 employees. He and his wife have built this company from the ground up over many years and now their consultants are sought-after experts around the country. Recently, they hired a young, eager employee to help with office management tasks.
Imagine their shock when she came to them and said, “I transferred that $4,000 you requested.”
They had requested no such thing.
After some digging, they discovered that my friend’s email had been compromised, then the hackers targeted a low-level employee with an email that looked like it was from her boss, telling her to transfer $4,000 to a specified account.
Eager to please, she did so and was excited to let them know how efficient she was. Bye-bye $4,000.
It could have been much worse, and this company learned a very valuable lesson: they need to train all of their employees (including my friend, who probably gave the hackers access to his email) about social engineering attacks.
Law Firms are Big Social Engineering Targets
As law firms work to strengthen their cybersecurity strategy, industry data proves that phishing and social engineering attacks are the number-one way hackers access your sensitive data.
By definition, social engineering is the psychological manipulation of people to get them to perform actions or divulge confidential information. Therefore, it makes sense that you should educate each of your employees to recognize social engineering tactics.
Cyberattacks often attempt to get the victim’s emotional investment first, and then persuade them to perform the desired action (be it clicking a link, opening an attachment, or complying with a request). To attain this emotional investment, the bad guys constantly use social engineering tactics. Whether it’s impersonating an individual or a brand, using current events, or offering something the victim wants or needs, social engineering is the critical part of an attack that helps cybercriminals achieve their malicious goals.
It is already well known that 91% of cyberattacks begin with spear phishing (emails that impersonate trusted sources), but data from security vendor purplesec suggests that social engineering is used even more pervasively than phishing, citing that 98% of cyberattacks rely on social engineering.
According to the purplesec data:
43% of IT professionals say they have been targeted by social engineering schemes in the past 12 months
New employees are most susceptible to socially engineered attacks, with 60% of IT professionals citing recent hires as being at high risk
21% of current or former employees use social engineering themselves to gain a financial advantage, for revenge, out of curiosity or for fun
Because of the convincing nature of some of the social engineering tactics used, it’s important for your users to keep their defenses up, realizing that an email isn’t necessarily from who it says it’s from, and that any opportunity offered isn’t necessarily real or sincere. Users who undergo new-school Security Awareness Training are less prone to fall for social engineering, as they are taught to recognize the telltale signs that give away an email’s true intentions, as shown in the infographic above.
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Savvy is a licensed provider of KnowBe4’s security training programs and we can give you access to a free phishing security test.
Here's how it works:
Immediately start your test for up to 100 users
Select from 20+ languages and customize the phishing test template based on your environment
Choose the landing page your users see after they click
Show users which red flags they missed, or a 404 page
Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
See how your organization compares to others in your industry
The results show you how you stack up against your peers using phishing Industry Benchmarks. Usually, a firm’s Phish-prone percentage (the share of users prone to clicking malicious links) is higher than you expect and provides great leverage to get a budget allocation for training. Click here to email us for more information or click here to request a quick demo!