Phishing and Malware Cyberattacks are Directed at Law Firms (and Clients) - So it's Time to Train Employees


It is no surprise where cyberattacks are focused: it was recently reported that about 45% of IT security decision makers are worried about "phishing attacks, and employees clicking on links within email which download malware and email attachments which download malware." In April 2015, Osterman Research issued its "Best Practices for Dealing with Phishing and Next-Generation Malware" report, which started with these terrible stories about two law firms:

An attorney in the greater San Diego area opened an attachment in a phishing email that he thought was sent to him by the US Postal Service. The attachment installed malware on his computer, and shortly thereafter he found that $289,000 had been transferred from his firm's account to a bank in China.

A law firm in Charlotte, NC transferred $387,000 to a bank in Virginia Beach, VA after it closed a deal. Shortly thereafter, cybercriminals transferred most of this amount to the law firm's bank in Charlotte, which transferred the funds to a bank in New York and then to a bank in Moscow. The victim organization believes it had been infected with keystroke logging software from a phishing email that captured all of the critical information necessary to initiate the wire transfer.

Of course, the advice in Osterman's report is not limited to lawyers; these phishing and malware scams affect all industries. Here are 3 of the 8 key takeaways:

  • Cybercriminals are getting better, users are sharing more information through social media, and some anti-phishing solutions' threat intelligence is not adequate. This makes organizations more vulnerable to phishing attacks and other threats.
  • Users should be considered the first line of defense in any security infrastructure, and so organizations should implement a robust training program that will heighten users' sensitivity to phishing attempts and other exploits.
  • IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.

Without question, these cyberattacks will not abate anytime soon, so every employer should be training employees continuously.

