OSB Professional Liability Fund

Don't Fall Prey to Spear Phishing

November 13, 2017
by Sheila Blackford

You may have heard about the popular tax season IRS scam in which the targeted taxpayers were notified by email they were in serious trouble for tax fraud. The IRS scam is an example of spear phishing: the targeted attempt to steal information. The first step in the spear phishing process is to research and acquire the target’s personal information such as your friends, hometown, and employer. Where could a scammer find this information? Easily by perusing your personal information from the web, perhaps from Facebook. They disguise themselves as trustworthy friends, colleagues, or bosses to acquire sensitive information through a well-crafted convincing email or text message. Your email address is obtained easily on the Internet, for example, from your firm’s website or even the Oregon State Bar membership pages.
You may not have heard there have been two spear phishing attempts targeted at lawyers: one an email advising the target of a discipline complaint, and the other alerting the target to a trust account audit. Both emails were calculated to evoke maximum stress and fear to maximize compliance! These were popular heart-stoppers across the United States.
Spear phishing is hard to resist. The goal is to harvest the target’s personal information so the target will open and click on the attachment. Spear phishing is now the most successful form of acquiring confidential information you otherwise would not disclose to a stranger. These cyber attacks are on the rise. According to a study by Trend Micro, 91% of attacks involved spear phishing, and 94% of these spear phishing emails relied on malicious file attachments in common business programs including Adobe PDF, Microsoft Word, or Microsoft Excel. Spear phishing attempts are examples of social engineering – calculated that the targeted victim would comply with a request that appears to come from the OSB, the IRS, or your boss.
The important thing is to pause and realize that the IRS does not notify you by email, nor would the OSB Client Assistance Office or Discipline notify you without reference to a specific matter. Never respond to emails such as these or click on any attachments, as they likely contain ransomware. It is only natural to want to click on a link or open an attachment in an email purportedly coming from the CAO or Discipline. But the OSB does not send disciplinary emails with generic subject lines, nor does it conduct trust account audits by email.
For more information about scams, see the September 22, 2017 In Practice blog post, “Avoiding Scams: Remain Vigilant” by Jennifer Meisberger. For more information about ransomware, see my August 2016 In Brief article, “Beware Ransomware: Data-Encrypting Software Continues to Extort.”