Most of Australia’s top-tier and mid-tier law firms are well prepared in defending against phishing attacks, Iron Bastion’s new study can now reveal.

Iron Bastion  have assessed Australia’s top one hundred law firms for their use of anti-phishing technology. The details were gathered from various public data sources to determine whether email services were using anti-phishing technology. Iron Bastion can report that 83% of the law firms assessed were protected from email-based cyber threats with anti-phishing technologies.

What Phishing Is and How It Affects Law Firms

Phishing is a global cyber-threat affecting all businesses. A recent report into data breaches showed that over 90% of breaches started with a single phishing email. The 2018 Telstra Security Report found that the most common cybersecurity threat in Australia is phishing, with reports of phishing attacks increasing by 1,178% in 2017 from the previous year.

Australian legal practices have been targeted by both domestic and international crime syndicates. The Law Council of Australia stated that Australian law firms are prime targets for cyber-attacks. In 2017, the New South Wales Law Society and the Queensland Law Society both issued various scam alerts to its members warning of cyber-attacks explicitly targeting Australian law firms through phishing.

Phishing Costs Law Firms Money

Phishing is a cyber-attack typically carried out over email. Cybercriminals aim to trick their victims into clicking a link or attachment, giving away their password, or asking them for money by pretending to be a legitimate online service, client, friend or colleague. Victims of phishing may unwittingly open file attachments containing malware, viruses or ransomware, hand over their passwords to fake websites which look genuine or transfer money to fraudsters believing their boss has asked them to do so.

Pixel-perfect copy of a genuine DocuSign email with a fake hyperlink inside

Merely one stolen password can result in devastating consequences. In 2017, in one of eight reported incidents, a victim in South Australia lost over half a million dollars due to a phishing attack caused by her conveyancer’s negligence in failing to protect against a cyber-attack. The victim thought she was taking payment instructions from her conveyancer, when in fact, she was communicating with a hacker instead. The victim transferred her life-savings inadvertently to the hacker and, the conveyancer is now being sued for negligence.

Cyber-attacks can mean you and your clients are defrauded, have your passwords and payment details stolen, have your data held to a ransom, have your clients confidential information stolen and sold on the dark web, have hackers impersonate you and contact your clients, and have all of your emails and documents maliciously deleted or permanently encrypted.

How Can Phishing Affect Law Firms?

The short-term cost of a cyber-attack includes:

• hackers misdirecting trust money or settlement funds;
• hackers impersonating you and your firm to your clients and emailing them fake invoices, or fake payment directions;
• interruptions to your business operations;
• unexpected expenses related to remediation of your systems, such as hiring security consultants, performing expensive data-recovery, or repairing/replacing systems post-breach; and
• compliance with Notifiable Data Breaches (NDB) scheme legislation meaning data-breaches may need to be reported publicly or you being fined for failing to comply with NDB obligations.

The long-term cost of a cyber-attack includes:

• the loss of your law firm’s reputation;
• loss of case file information;
• the loss of existing and future clients;
• unwanted media attention;
• legal action by your clients for professional negligence and other lawsuits; and
• increased Lawcover premiums.

Key Findings

Our extensive research can reveal that 83% of top-tier and mid-tier law firms already have an anti-phishing technology service in place to protect themselves from phishing attacks. Although law firms rely on a wide range of solutions, almost all chose a cloud-based solution. Of the top hundred firms without any anti-phishing protection, most relied on Microsoft Exchange or Microsoft Office 365, which offers little or no phishing protection.

Finding 1: The Majority of Law Firms are Protected from Phishing

Both mid-tier and top-tier law firms in Australia are using anti-phishing technologies to block phishing campaigns targeting their employees. 83% of law firms assessed were re-routing inbound emails through an anti-phishing service.

Finding 2: Cloud-Based Anti-Phishing Services are Preferred

76 law firms out of the 100 rely on a cloud-based anti-phishing service, rather than self-hosted in their own data centre.

The main benefits of cloud-based anti-phishing services over on-premise services are:

• easier implementation, meaning no need for complicated changes to the IT infrastructure;
• lower cost maintenance meaning no need to hire expensive consultants or staff to implement and maintain services; and
• higher reliability and scalability.

Finding 3: On-Premise Solutions are Irrelevant

Only 10 law firms out of the 100 law firms chose to buy a physical anti-phishing appliance, rather than subscribing to a managed service.

The Total Cost of Ownership (TCO) of physical appliances is typically highercompared to cloud-based products. Apart from the one-off purchase of the device, various hidden subscription fees may still be involved in the lifecycle of the appliance.

Furthermore, on-premise solutions also attract additional costs such as expensive consultants, professional training, routine maintenance works and costly on-call support outside of the regular business hours.

Finding 4: A Wide Variety of Anti-Phishing Vendors are in Use

When it comes to anti-phishing vendors, there is no majority consensus within the legal sector as to a definite vendor to choose. Law firms rely on a wide variety of vendors. The only apparent commonality between the most popular services is that they are all cloud-based.

The most popular service was Mimecast (36 instances), which was closely followed by Symantec (13) and MailGuard (8).

As for the on-premise solutions, Cisco IronPort (5) and Symantec Messaging Gateway (2) were the most popular choice. However, the absolute number of these technologies is negligible.

Finding 5: Only a Small Minority Are Not Prepared

We were pleased to see that only one in ten law firms had no anti-phishing service at all. Meaning that 10% of the law firms assessed have not protected their employees from cyber-attacks which arrive by emails. The most frequent email service left exposed was Microsoft Exchange, closely followed by the cloud-based service Microsoft Office 365.

Interestingly, two out of the hundred law firms choose to go with a basic email service provided by their web hosting provider and internet service provider (ISP), respectively. We have no information on how these services perform compared to sophisticated anti-phishing technologies or even regular spam filters.

Hackers using phishing as their method of attack will take the path of least resistance and choose law firms they know to have no anti-phishing protection. As the most of the top hundred law firms we assessed are protected by advanced anti-phishing technologies, hackers using the same method as we have can easily evaluate which law firms are protected and which are not. The real danger is that hackers will go after easy targets with no protection, where their phishing campaigns are more likely to succeed.

Conclusions

Iron Bastion’s report indicates that top-tier and mid-tier firms in the legal sector in Australia recognise the sheer scale of phishing threats, and have taken action to protect themselves.

The majority of the law firms assessed (83%) were protecting their staff from phishing threats with the use of anti-phishing technology. A small fraction of these firms preferred to host the anti-phishing service themselves (10%), the majority (90%) chose to go for a cloud-based solution instead. Only one in ten firms we assessed had no protection at all.

Hackers are likely to target firms which have no anti-phishing protection as they can easily assess which firms are utilising anti-phishing technology and which are not.

Anti-Virus and Anti-Spam is not Anti-Phishing

Anti-phishing technologies are different from traditional anti-virus software and email anti-spam filtering. Neither built-in spam filters (Office 365, G Suite) nor previous generation anti-spam services feature advanced anti-phishing techniques. Hence these technologies leave firms unprotected from today’s cyber-threats.

Anti-phishing services, on the other hand, meticulously analyse the entire content of the inbound emails. Algorithms – supported by Machine Learning, Artificial Intelligence (AI) and Threat Intelligence networks – look for the specific red flags of phishing attempts, such as typical wording and text semantics, invalid digital signatures, and poor sender reputation. File attachments are also analysed in safe environments for known and unknown threats, and embedded hyperlinks are modified to perform real-time analysis (and block) any malicious URL when the recipient clicks on them. These technologies are only available in anti-phishing services that are specifically designed to protect organisations from phishing threats.

For more information, please visit Iron Bastion see their range of services and solutions.