Law Firms Are Potentially Vulnerable To Phishing Attacks

recent study just published by 250ok, an email analytics company, provides some apparent disturbing news — a whopping 62% of the top 100 global law firms currently fail to achieve the minimum level of email authentication to safeguard law firm staff and clients from phishing attacks.

In its study, 250ok discusses Domain-based Message Authentication and Reporting Conformance (DMARC). According to 250ok: (a) a DMARC reject policy safeguards recipients by requesting that malicious email be blocked from arriving in an inbox, and (b) a quarantine policy requests that such malicious email be placed in a spam-type folder, while (c) no policy at all allows malicious email to go into an inbox. (The study does not explain how an email is determined to be a malicious phishing email on the front end). 

Gone Phishing

250ok states that the DMARC reject policy is the “gold standard” of email authentication because it “reduces the risk of a recipient receiving a phishing email.” The study by 250ok concludes from its examination that only 3% of the law firms evaluated have a reject policy in place.

250ok believes that more must be done, referencing an American Bar Association estimate that almost 25% of law firms of more 500 attorneys suffered a security breach in 2017. And generally speaking, 91% of cyberattacks begin with phishing email, according to 250ok. Moreover, while most consumers are of aware of phishing emails, nevertheless 40% of them feel victim to them in 2017.

Federal Anti-Phishing Efforts

The U.S. Department of Homeland Security has issued a directive to all federal agencies to achieve the DMARC reject policy with respect to phishing emails, and 250ok believes that law firms should do the same.

This is just one study, and it is not clear from the 250ok study exactly the level of attacks suffered by law firms and the harm caused as a result of many of them not having yet adopted the DMARC reject policy. Nevertheless, law firms should do their best based on current knowledge to prevent the penetration of cyberattacks.

Eric Sinrod (@EricSinrod on Twitter) is a partner in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress