Just another day at the firm. The case was settled, with a $500,000 payment to be made to the approved settlement administrator. The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions. Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated. Poof – gone in an instant.
Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions. But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say? Was it from publicly available information in the court file? Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator? Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?
Business email compromise (BEC) is a growing threat to businesses generally. Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) doubled between 2016 and 2018, and the dollar amounts nearly tripled, from $110 million per month in 2016 to over $300 million per month in 2018.
But BEC is only one of many potent threats to law firm data security. Here are some high-profile examples from the news:

Being a CISO is a tough gig. The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small. But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response. For some CISOs, it may feel like
As technical security improves, human security vulnerabilities are increasingly in the bulls-eye. For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker. So, I reached out to Cliff Smith, Ethical Hacker & CISSP at
It’s 4:20 p.m. on Friday. You’re looking forward to meeting your friends soon for happy hour at the local bar. Your boss is on vacation, and you’re caught up for the week. All is well. As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT. The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account. They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution. They helpfully provide the correct bank routing information and demand the payment be made today. Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change. The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.
A swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth. Sounds like Game of Thrones, right? Instead, this is our cyberthreat reality. And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for
I always look forward to Verizon’s annual Data Breach Investigations Report. Verizon dropped the
Sorry to revive ugly memories of last fall’s vituperative presidential campaign, in which
As the calendar year turned there were several great 