
Brand Impersonation Attacks on Law Firms Harm Clients and Cost Millions

Armen Najarian April 24, 2019 Brand Protection

Imagine this scenario: you call your high-profile client on your way into the office to check in and see if they’re ready to make the multimillion-dollar down payment on a new property. They tell you they wired it yesterday, following your email instructions. But you never sent them an email.

Now you have to tell your client that that email didn’t come from you. Except that it did—or at least from someone using your email address. And now that someone has your client’s money.

A similar real-life scenario ended with embarrassing headlines and a malpractice lawsuit against one New York attorney, whose clients were tricked into wiring nearly $2 million to a Chinese hacker. The suit was quickly settled, but the lesson was clear. Attorneys must protect their client communications—including email, which is increasingly under attack.

Law Firms are High-Value Targets for Email Imposters

Wire fraud is one of the fastest-growing email scams that targets attorneys, other legal professionals, and their clients. Real estate wire fraud, including email impersonation scams, cost US victims $56 million in 2017. And it’s not the only damage cybercrooks can cause if they impersonate you and your colleagues via email.

The Texas Lawyers’ Insurance Exchange warns that law firm scammers impersonating attorneys are sending clients bogus login links for Office 365 and other third-party services. Once criminals steal the login credentials, they can see their victims’ email accounts, including banking, shopping, and social media information.

Even worse, impersonation scammers don’t limit themselves to active domains. Abandoned domains pose a huge security risk to law firms. Hackers can snap up domains that lapse after a rebranding or merger. Then they can use the forgotten email accounts to target clients for wire fraud scams and data theft. They can also hijack attorneys’ social media and professional association accounts. That’s a big reputational risk.

Despite these high stakes, many firms are vulnerable to impostor attacks and the negative press and lawsuits that can follow. The solution is easy: implement DMARC authentication for owned domains.

Law Firms Lag in DMARC Implementation

DMARC is advanced domain protection that allows your IT and security teams to see who has access to your domains, identify unauthorized users, and reject email messages sent by intruders from your domains.

For your past, current, and prospective clients, this means that unauthorized email from your legitimate domains will never hit their inboxes. They’ll never click on an unauthorized link or open a malicious attachment sent by a cybercriminal using your name—safeguarding them from identity theft, misdirected funds, and more. And saving your firm from bad press and a costly lawsuit.

After a federal mandate requiring DMARC implementation, the United States federal government quickly adopted the standard and enforced strict DMARC policies on most executive-branch domains. Now, law and other sectors need to catch up. According to industry reports, as of May 2018, only 3 of the top 100 law firms worldwide had DMARC policies set to the strictest policy.

Making it worse, sixty-two percent had no published DMARC policy at all. Those firms are not able to stop unauthorized emails going out from their domains, or even see who is sending email from their domains—legitimate or otherwise. That lack of control and oversight is a liability firms can’t afford.
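The three tiers the figures above distinguish (no record at all, a record that only monitors, and a record enforcing the strictest policy) can be checked mechanically. The following is an added example, not the post's or Agari's code: it parses the TXT record a domain publishes at `_dmarc.<domain>`, flags the settings that weaken enforcement (`p=none`, a `pct` below 100, a looser subdomain policy `sp`), and tallies a set of constructed records for fictional firms.

```python
from collections import namedtuple

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # dispositions, weakest to strongest
# level: none_published | invalid | none | quarantine | reject; strict: p=reject, pct=100, sp=reject
DmarcAssessment = namedtuple("DmarcAssessment", "level strict notes")

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Classify the TXT record found at _dmarc.<domain>; None means nothing is published."""
    if record is None:
        return DmarcAssessment("none_published", False, ["no record: spoofed mail is not rejected"])
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or p not in STRENGTH:
        return DmarcAssessment("invalid", False, ["no v=DMARC1 or valid p= tag; receivers ignore it"])
    sp = tags.get("sp", p).lower()          # subdomain policy inherits p when absent
    pct_raw = tags.get("pct", "100")        # share of failing mail the policy applies to
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    notes = []
    if p == "none":
        notes.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if STRENGTH.get(sp, 0) < STRENGTH[p]:
        notes.append(f"sp={sp}: subdomains get a weaker policy than the main domain")
    strict = p == "reject" and sp == "reject" and pct == 100
    return DmarcAssessment(p, strict, notes)

SAMPLE_RECORDS = {  # constructed records for four fictional firms, not real domains
    "firm-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example",
    "firm-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-b.example",
    "firm-c.example": "v=DMARC1; p=reject; pct=25; sp=none",
    "firm-d.example": None,
}

def summarize(records):
    """Count domains per level, plus how many sit at the strictest setting."""
    summary = {"strict": 0}
    for rec in records.values():
        a = assess_dmarc(rec)
        summary[a.level] = summary.get(a.level, 0) + 1
        summary["strict"] += int(a.strict)
    return summary
```

In practice the record for each domain would come from a DNS TXT lookup of `_dmarc.<domain>`; the sample dictionary stands in for that lookup so the example runs offline.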

Protect Your Firm’s Clients and Reputation

DMARC is the single most effective way to protect your clients from brand impersonation attacks via email. Implement it on your firm’s active and unused domains. You can also protect your clients by renewing old domain registrations in perpetuity, especially after a merger or acquisition, and closing old email accounts as partners and other legal staff leave the firm.

You can also combine DMARC with AI-driven tools and real-time threat intelligence to keep impostors from reaching your clients from lookalike domains—all it takes is a cybercriminal changing a lowercase “l” to an uppercase “i” in your email domain to successfully trick your clients.
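The lowercase-l-to-uppercase-I swap above is a visual trick, and it can be caught on inbound mail by comparing sender domains to the firm's own domain after collapsing confusable characters. This is an added example, not the post's or Agari's code; the firm domain and sender addresses are constructed, and the confusable table is a deliberately small one.

```python
# Confusable sequences and characters mapped to one canonical form. Domains are
# case-insensitive, so an uppercase "I" arrives as "i", which in sans-serif fonts
# looks like "l"; both collapse to "l" here.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans("il10", "lllo")

def skeleton(domain):
    """Reduce a domain to a 'skeleton' in which visual lookalikes compare equal."""
    d = domain.lower()
    for seq, canonical in MULTI_CHAR:
        d = d.replace(seq, canonical)
    return d.translate(SINGLE_CHAR)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, firm_domain):
    """Return 'legitimate', 'lookalike-confusable', 'lookalike-typo' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    firm_domain = firm_domain.lower()
    if domain == firm_domain or domain.endswith("." + firm_domain):
        return "legitimate"
    if skeleton(domain) == skeleton(firm_domain):
        return "lookalike-confusable"
    if edit_distance(domain, firm_domain) <= 1:
        return "lookalike-typo"
    return "unrelated"

# Constructed sender addresses for a fictional firm; none are real.
FIRM_DOMAIN = "smithlaw.example"
SAMPLE_SENDERS = [
    "partner@smithlaw.example",
    "partner@smithIaw.example",        # capital I standing in for l
    "billing@smith-law.example",       # one-character variant
    "news@bar-association.example",
]

def flag_lookalikes(senders, firm_domain=FIRM_DOMAIN):
    """Map each address to its verdict; lookalike verdicts are the ones to review or block."""
    return {s: classify_sender(s, firm_domain) for s in senders}
```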

Together, these tools and best practices help your firm keep your clients’ trust. And they can keep email impersonators from dragging your firm into the headlines and into court.

Learn about how Agari can help protect your firm with our Solutions for Legal Services.
