Defending against evolved e-mail phishing attacks
by Jill Schumacher, Caldwell Boudreaux Lefler PLLC, and Adam Schumacher, C.I.S.S.P., FlightAware, LLC
As one of the oldest technologies developed for the internet, email was not designed with security or privacy in mind.  By default, there are no mechanisms to validate the identity of either the sender or the recipient of an email, nor are there any protections to prevent anyone who intercepts a message from viewing its contents.  Despite these inherent weaknesses, email remains the de facto standard in the business world.  Email is critical to any lawyer’s practice.  Lawyers must be cognizant of the vulnerabilities within email, because a lawyer’s failure to recognize when those vulnerabilities are being exploited can harm the lawyer’s client.
In 2013, the Iowa Supreme Court affirmed a decision of the Iowa Supreme Court Attorney Discipline Board to suspend the license of an attorney who convinced several clients to loan money to another client who had come to the attorney with “documents purporting to evidence that [the client] was the beneficiary of a large bequest from his long-lost cousin in Nigeria.”  See Iowa Supreme Court Attorney Discipline Bd. v. Wright, 840 N.W.2d 295, 297 (Iowa 2013).  The client had informed the lawyer that the client needed to pay $177,660 in taxes owed on the inheritance of $18.8 million for the inheritance to be released.  Id.  In pursuing the inheritance, the lawyer communicated with people the lawyer believed were representatives of the Central Bank of Nigeria, African Union, as well as the President of Nigeria.  Id. at 298.  While the Supreme Court Attorney Discipline Board found the lawyer in question violated several ethical rules, the board withdrew its allegation that the lawyer assisted a client in conduct the lawyer knew to be illegal or fraudulent based on the Board’s view that the lawyer “clearly believed in the legitimacy of [the client’s] inheritance.”  Id. at 300.
Hopefully most lawyers would recognize the elements of a basic phishing scheme that has been widely publicized, but as people become more cognizant of old phishing schemes, the attacks evolve and become more sophisticated.  Sophisticated attackers forge emails to look like legitimate messages from known, trusted organizations or individuals.  Rather than taking on the identity of a Nigerian prince, for example, an attacker may take on the identity of a law firm partner and e-mail an associate a mundane question: “Are you in the office?”  Often the attacker is able to forge the address and name of the partner because there are no security mechanisms inherent in email systems to prevent this type of impersonation.
After engaging the associate in this example, the attacker might ask for confidential documents relating to a client or business partner, or, as has been increasingly common, request that funds be wired to a third party.  These more sophisticated attacks are more difficult to spot because the attackers rely on weaknesses in email systems to fool victims into believing they are communicating with a known and trusted individual.  An individual who suspects this type of fraud can confirm whether a message is authentic by contacting the sender using another communication channel, such as telephone or SMS.  It should be standard operating procedure to validate any request for a money transfer, payment, sensitive documents, or data that comes via email.
Sometimes phishing emails include an attachment, such as a Word document or a PDF, to download.  While these documents may appear legitimate on the surface, they often contain hidden viruses or other malware designed to surreptitiously infect your computer.  Again, it is important to verify through some other mechanism that the email really is legitimate before opening any unexpected attachment.
Finally, some phishing scams entice you to click on a link that will take you either to an infected site or to a fake one designed to steal your credentials or other sensitive data.  No matter what the link text says, you should validate that the domain the link will take you to is legitimate.  Many times, hackers simply use compromised domains that clearly don’t match what the link text says, though more sophisticated phishing attacks use domains that look very similar to the target but are actually misspellings or use similar-looking characters, such as the number 1 substituted for a lowercase “l.”  Some mail clients will show you the real destination if you simply hover over the link with your mouse.  Alternatively, you can often right-click on the link, select “copy link location,” and paste it into a text document to inspect it.
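The link check described above can be scripted rather than done by eye.  The following Python program is an added example written for this article; it is not code from the authors or from any mail client.  It takes the text a link displays and the real destination copied from the link, extracts the destination domain, and flags the two warning signs discussed here: a destination that differs from the domain the link text claims, and a destination that imitates a known-good domain through look-alike characters (the number 1 for a lowercase l, 0 for o, the pair rn for m) or non-ASCII letters.  The allow-list of trusted domains, the table of look-alike substitutions, and all sample links are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list: domains this reader already knows to be legitimate.
KNOWN_GOOD_DOMAINS = {"example-lawfirm.com", "google.com"}

# Constructed table of look-alike substitutions, mapped to the character each one imitates.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def extract_hostname(url):
    """Return the hostname part of a URL, tolerating links written without a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(hostname):
    """Reduce a hostname to its last two labels (mail.example.com -> example.com).
    Simplified on purpose: multi-part public suffixes such as co.uk are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def normalize_lookalikes(domain):
    """Replace common look-alike characters with the letters they imitate."""
    out = domain
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def inspect_link(link_text, href):
    """Compare what a link shows with where it really goes and classify the link.

    Returns a dict with a verdict of 'known-good', 'suspicious' or 'unknown',
    the real destination domain, and a list of human-readable findings."""
    real_host = extract_hostname(href)
    real_domain = registrable_domain(real_host)
    if real_domain in KNOWN_GOOD_DOMAINS:
        return {"verdict": "known-good", "destination": real_domain, "findings": []}

    findings = []

    # 1. The visible text names a domain that is not the real destination.
    shown_host = extract_hostname(link_text) if "." in link_text else ""
    shown_domain = registrable_domain(shown_host) if shown_host else ""
    if shown_domain and shown_domain != real_domain:
        findings.append(f"link text shows {shown_domain} but destination is {real_domain}")

    # 2. The destination becomes a trusted domain once look-alike characters are undone.
    normalized = normalize_lookalikes(real_domain)
    if normalized != real_domain and normalized in KNOWN_GOOD_DOMAINS:
        findings.append(f"{real_domain} imitates {normalized} with look-alike characters")

    # 3. Non-ASCII letters (e.g. Cyrillic) can render identically to Latin ones.
    if any(ord(c) > 127 for c in real_host):
        findings.append("destination hostname contains non-ASCII characters")

    verdict = "suspicious" if findings else "unknown"
    return {"verdict": verdict, "destination": real_domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links: the text a message shows, paired with the copied destination.
    samples = [
        ("https://www.google.com", "https://www.goog1e.com/login"),
        ("Click here", "https://mail.google.com/"),
        ("Click here", "http://compromised-site.example/doc.pdf"),
        ("www.google.com", "https://www.googl\u0435.com/"),  # Cyrillic 'е' in place of 'e'
    ]
    for text, href in samples:
        result = inspect_link(text, href)
        print(f"{text!r} -> {href!r}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"    {finding}")
```

A verdict of "unknown" is deliberately not a pass: a domain that is neither on the allow-list nor obviously deceptive still has to be checked through another channel, as the article advises.  The domain reduction and the substitution table are intentionally small; a production check would use a public-suffix list and a full Unicode confusables table.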
More sophisticated tools to combat email identity fraud include technologies like S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy), which allow the sender to cryptographically sign a message and thus give the recipient a mechanism to validate that the email really did come from the person it claims.  This works in much the same manner HTTPS does for websites.  When you load a site like https://www.google.com and your browser marks the certificate as trusted, you can be reasonably confident that you are really visiting Google and that only you and Google can see the information transferred between you.
Unfortunately, a number of barriers have hindered the widespread adoption of these security technologies.  Both S/MIME and PGP require each individual user to acquire a certificate or encryption key and then configure his or her mail client properly to use it.  They also require the recipient’s mail client to support them and the recipient to know how to check that she has received a validly signed message.
No matter how sophisticated our technological security measures are, ultimately the security of any computer system relies upon people.  Phishing attacks are so successful because they exploit weaknesses inherent in email systems and the trust that people have in those systems.  As a lawyer, it is critical to be aware of how these threats work and what countermeasures can help prevent falling victim to the next phishing attack.