Email Security Blog

Brand Impersonation Attacks on Law Firms Harm Clients and Cost Millions

Armen Najarian April 24, 2019 Brand Protection

Imagine this scenario: you call your high-profile client on your way into the office to check in and see if they’re ready to make the multimillion-dollar down payment on a new property. They tell you they wired it yesterday, following your email instructions. But you never sent them an email.

Now you have to tell your client that the email didn’t come from you. Except that it did—or at least from someone using your email address. And now that someone has your client’s money.

A similar real-life scenario ended with embarrassing headlines and a malpractice lawsuit against one New York attorney, whose clients were tricked into wiring nearly $2 million to a Chinese hacker. The suit was quickly settled, but the lesson was clear. Attorneys must protect their client communications—including email, which is increasingly under attack.

Law Firms are High-Value Targets for Email Imposters

Wire fraud is one of the fastest-growing email scams that targets attorneys, other legal professionals, and their clients. Real estate wire fraud, including email impersonation scams, cost US victims $56 million in 2017. And it’s not the only damage cybercrooks can cause if they impersonate you and your colleagues via email.

The Texas Lawyers’ Insurance Exchange warns that law firm scammers impersonating attorneys are sending clients bogus login links for Office 365 and other third-party services. Once criminals steal the login credentials, they can see their victims’ email accounts, including banking, shopping, and social media information.

Even worse, impersonation scammers don’t limit themselves to active domains. Abandoned domains pose a huge security risk to law firms. Hackers can snap up domains that lapse after a rebranding or merger. Then they can use the forgotten email accounts to target clients for wire fraud scams and data theft. They can also hijack attorneys’ social media and professional association accounts. That’s a big reputational risk.

Despite these high stakes, many firms are vulnerable to impostor attacks and the negative press and lawsuits that can follow. The solution is easy: implement DMARC authentication for owned domains.

Law Firms Lag in DMARC Implementation

DMARC (Domain-based Message Authentication, Reporting and Conformance) is domain protection that gives your IT and security teams visibility into who is sending email as your domains, lets them identify unauthorized senders, and instructs receiving mail servers to reject messages from your domains that fail authentication.

For your past, current, and prospective clients, this means that unauthorized email from your legitimate domains will never hit their inboxes. They’ll never click on an unauthorized link or open a malicious attachment sent by a cybercriminal using your name—safeguarding them from identity theft, misdirected funds, and more. And saving your firm from bad press and a costly lawsuit.

After a federal mandate requiring DMARC implementation, the United States federal government quickly adopted the standard and enforced strict DMARC policies on most executive-branch domains. Now, law and other sectors need to catch up. According to industry reports, as of May 2018, only 3 of the top 100 law firms worldwide had DMARC policies set to the strictest policy.

Making it worse, 62 percent had no published DMARC policy at all. Those firms cannot stop unauthorized email sent from their domains, or even see who is sending email as their domains—legitimate or otherwise. That lack of control and oversight is a liability firms can’t afford.

Protect Your Firm’s Clients and Reputation

DMARC is the single most effective way to protect your clients from brand impersonation attacks via email. Implement it on your firm’s active and unused domains. You can also protect your clients by renewing old domain registrations in perpetuity, especially after a merger or acquisition, and closing old email accounts as partners and other legal staff leave the firm.

You can also combine DMARC with AI-driven tools and real-time threat intelligence to keep impostors from reaching your clients from lookalike domains—all it takes is a cybercriminal changing a lowercase “l” to an uppercase “i” in your email domain to successfully trick your clients.
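The two checks above, as an added example that is not Agari's code or part of the original post: a small audit that rates the DMARC policy published for each of a firm's domains (active and unused, as recommended above) and flags a sender domain that only matches the firm's domain once confusable characters such as uppercase “I” and lowercase “l” are folded together. The domain names and TXT records are constructed placeholders standing in for live DNS lookups, so the script runs offline.

```python
"""Audit DMARC policy strength per domain and flag lookalike sender domains.

Constructed example: DNS is replaced by an inline table of TXT records
(what a lookup of _dmarc.<domain> would return). Domain names are placeholders.
"""

SAMPLE_DNS = {
    "_dmarc.examplefirm.test": "v=DMARC1; p=reject; rua=mailto:dmarc@examplefirm.test",
    "_dmarc.oldbrand.test": "v=DMARC1; p=none; rua=mailto:dmarc@examplefirm.test",
    "_dmarc.merged-llp.test": "v=DMARC1; p=quarantine; pct=50",
    # lapsed-domain.test publishes no _dmarc record at all
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def classify(domain, dns=SAMPLE_DNS):
    """Rate a domain's policy: 'none published', 'monitor', or the enforced p= value."""
    txt = dns.get(f"_dmarc.{domain}")
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "none published"          # receivers get no instruction at all
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor"                 # reports only; spoofed mail is still delivered
    if pct < 100:
        return f"{policy} on {pct}% of mail"   # part of the spoofed mail still gets through
    return policy                        # 'quarantine' or the strictest level, 'reject'


def looks_like(sender_domain, firm_domain):
    """True if sender_domain differs from firm_domain only by confusable characters."""
    fold = str.maketrans("i1|0", "lllo")  # I/l, 1/l, |/l and 0/o are visually confusable
    same = sender_domain.lower().translate(fold) == firm_domain.lower().translate(fold)
    return same and sender_domain.lower() != firm_domain.lower()


if __name__ == "__main__":
    for d in ["examplefirm.test", "oldbrand.test", "merged-llp.test", "lapsed-domain.test"]:
        print(f"{d:20} {classify(d)}")
    print("lookalike:", looks_like("exampIefirm.test", "examplefirm.test"))
```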

Together, these tools and best practices help your firm keep your clients’ trust. And they can keep email impersonators from dragging your firm into the headlines and into court.

Learn about how Agari can help protect your firm with our Solutions for Legal Services.
