Phishing: When One Email Shuts Down Your Law Firm


It can happen.

It almost happened to me yesterday.

I opened up my email and saw one from a familiar sender, but with a strange subject line entry. The body of the email instructed me to remit payment based on instructions in the attached invoice, referring to the information below.

What I saw there was a poor copy-paste job of a local bank’s information page, with a link in the center (written out as a file ending in “.doc”). There was nothing attached, and the email instructed me to view the “attachment.”

Our IT vendor was immediately notified.

But what if I’d clicked on the link?

Phishing may be the biggest Cybersecurity threat to your law firm

No, that’s not hyperbole. Phishing, which is basically any attempt to obtain sensitive information or to lure targets to perform a specific action, is a powerful tool for hackers. Phishing used to be made up mostly of attempts to convince people to provide information such as login credentials, social security numbers, or other personal information. Today, the phishing scam has evolved.

No longer a simple method of attack, phishing scams come in many forms. However, by far the most dangerous to your law firm is the attack that infects your computer with malware. The malware du jour for hackers? You’ve probably heard quite a bit about it recently: Ransomware.


With just one errant click, one infected file opened, a malware infection can enter your law firm’s network. It then really goes to work – it turns out that (at least at this point) they’re not interested in taking your information. It turns out there’s a much faster way to profit from their position – by making you pay to get it back.

In the news this week, a hospital in California was forced to pay $17,000 to hackers who had completely locked up their system (it had been locked for several days – they were literally sending patients to other hospitals!). One law firm in Florida just paid $2,500 to get their data back.

Assuming that paying the ransom actually gets your data back (not a guaranteeand assuming that the hackers haven’t left another virus or malware in your system (also not a guarantee), that ransom doesn’t seem like too much, right? Until you consider not being able to work for 1-5 days while your system is inaccessible. Oh, and telling your clients.

For more information on Ransomware, check out this article.

What are the risks phishing poses to my law firm?

I was curious about how ransomware got into most of these systems. According to an insurance adjuster I spoke to who handles cyber liability claims, 98% of the claims he handled, the infection came in through an email.


Add to that the fact that as many as 23% of people who receive Phishing emails open them, and nearly as many click on links to infected websites or open infected attachments.

In all honesty, in looking at the email that I received yesterday, it’s not hard to understand why. Hackers have learned how to craft messages people are likely to open, oftentimes without even a second thought:

1) The Phishing email came from a recognized contact

The person whose email account was used to send the email was someone I had received emails from before. As a representative of an important organization, they routinely sent out emails to a large list of people and I was used to receiving them.

2) The Phishing part did not use an attachment

Our email system filters are in place to detect malware-laden emails. The biggest problem emails are ones with infected attachments. It’s most likely that this email would never have made it through if the virus was attached. Instead, it was included as a link.

3) The infected link was disguised

It wasn’t disguised well, but it was disguised. If it had just been a link, I’m sure that most people would have immediately discarded it. But the email itself directed me to view a document, and the link was written to look like it was a “.doc” file. Not exactly genius, but definitely a step above basic.

The Telltale Signs of a Phishing Email

Despite being fairly well disguised for a basic phishing email, there were several clues that immediately tipped me off as to the true nature of the email.

1) The topic and the sender didn’t match

The email directed me to pay an invoice from a different law firm contained in what was supposed to appear to be a forwarded email. This organization has nothing to do with paying invoices from other law firms, and it didn’t make any sense, in any case, for this person to be sending an invoice to me.

2) The email was designed to look like a forwarded email, but the subject line did not.

The email actually had an image placed behind its text to make it look like the sender was merely forwarding an invoice. But the subject line of the email didn’t contain the typical “Fw:” text. Now, this is NOT something to base your whole analysis on, but it was something.

3) The “invoice” wasn’t attached

If there is an item attached to an email, it will come as an attachment, not as a link. While you may routinely see things like “.pdf” at the end of an internet link to allow you to view or download a document  stored online, it’s highly unlikely that you’d ever be directed over an insecure connection to a unique document like an invoice.

4) The background of the “forwarded” email was clearly an image

It was fairly well done, but the background of the email, placed behind the text of the allegedly forwarded component of the email, was an image that you wouldn’t normally see. It was supposed to give the impression that the email had been forwarded.

What can be done about Phishing emails?

The most important thing you can do to protect your law firm is train your staff. It might be a little campy to repeat “If you see something, say something” over and over again, but do it anyway. Why? Because most phishing attacks don’t involve just one email.

The one that was sent to my law firm didn’t. Within two hours, at least one other attorney received the exact same email. But by then, we knew about it.

When your staff is trained about how to dealing with phishing emails, two critical things happen: First, they become considerably less likely to click on a link to an infected site or open an infected attachment. Second, they’re much more likely to report the email. Awareness of the threat, and the obligation to report it, is essential.

The best way to make sure that one email doesn’t shut down your law firm is to make sure that your entire firm knows that it can happen.

About the Author

bio 2Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.