6 Ways to Defend Against Email Impersonation Attacks

Email impersonation attacks are on the rise, and law firms are feeling the pain.

Not only that, but attackers have started bypassing low-level staffers and climbing the ladder to reach partners, managers and C-level executives.

Those are some of the findings from a recent survey of IT professionals.

“Flip through the latest headlines on any given morning, and you’ll see the harsh impact of email impersonation attacks,” writes Roberto Torres for Mimecast, the online security company that conducted the survey. “Reading up on the latest threats almost feels like checking the weather. In the previous 12 months alone, 67 percent of organizations said they saw the volume of impersonation attacks increase, and 73 percent of attack victims experienced a direct loss.”

An impersonation email is a form of phishing that masquerades as a known and trusted individual or company. A species of impersonation attack is Business Email Compromise (BEC), also known as CEO fraud.

“The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion,” according to the FBI.

Read the 2019 State of Email Security Report here.

Email is Front Line of Cyber Wars

Email is the largest single attack vector on the planet, according to Mimecast. The war is being waged on multiple fronts. All types of email - inbound, outbound, and even internal communications – are vulnerable.

“Email attacks are on the rise and they’re not just affecting the bottom line,” reports Mimecast. “They’re also causing disruption for the team members responsible for preventing them. With the strong likelihood of losses, it’s no wonder confidence is taking a hit. And because these highly-targeted attacks can tend to focus on key, C-level personnel, they can be incredibly embarrassing for victims. Suddenly the spotlight is no longer on their outstanding professional portfolios but instead on the negative actions of an employee or, worse yet, an executive of the company.”

Here are some numbers from 2018:

• 61 percent of businesses (not just law firms) believe it’s likely or inevitable that they’ll be attacked.
• 88 percent experienced email spoofing of business partners or vendors in 2018.
• 94 percent suffered a phishing attack.
• 54 percent say the volume of email-borne attacks is rising.

Law firms and other professional service providers were a top target in 2018, with 66 percent of attacks directed at this sector.

Six Ways to Protect Your Firm

1. Recognize that human error is your greatest threat. “You might have an incredibly talented, diverse group of professionals at your organization,” says Mimecast. “But cybersecurity’s dirty little secret is that no matter how skilled your employees are, they still usually represent your biggest risk. Research shows that human error ranks even higher for cyber risk than software flaws and vulnerabilities.”

2. Emphasize awareness. Start by sharing the 2019 State of Email Security Report at your next staff meeting. Discuss areas of vulnerability. Report suspicious incidents immediately. Post signs: Think Before You Click.

3. Conduct training. Options abound. Schedule a group session with an IT security team. Ask employees to take a cybersafety class. Take an online quiz or watch an interactive video. Circulate a printed list of safety tips.

4. Keep talking. Effective cybersecurity training must be frequent, continuous and evolving.

5. Know the enemy. “Seeing where your biggest threats are coming from is pivotal in preventing a serious business attack,” says Mimecast.

6. Have a cyber resilience plan. The four dimensions of cyber resilience include: 1. Threat protection 2. Adaptability 3. Durability 4. Recoverability.

A final tip: obtain cyber-liability insurance. Contact Lawyers Insurance, the endorsed provider of the NC Bar Association, to learn how you can protect your firm.