Trust is a very good thing, particularly when properly balanced with a healthy bit of mistrust. This sentiment couldn’t be truer than it is today, when the “name of the game” in cybercrime is social engineering. Week by week the attacks seem to grow more sophisticated and are more often targeted at very specific victim groups.
For the purpose of this post, I shall consider all the standard safeguards (antivirus software, malware detection and removal tools, firewalls, etc.) to be a given. While such tools provide an effective layer of security, they fall short in protecting us from ourselves. Since my interest here is in countering social engineering driven attacks, the focus needs to be on behavior. In short, the best defense against a social engineered attack, it seems to me, is to learn from past attacks and then couple the resulting insights with a healthy dose of social, and yes, professional mistrust.
Although the scam details will differ, as that’s the nature of social engineering, there is currently a common approach being used against lawyers. Typically a lawyer is contacted by a potential client via e-mail, although versions of this scam have also been run over the phone. The potential client asks for the lawyer’s assistance in collecting a significant sum of money. The lawyer will usually ask for additional information in order to run a conflicts check, and in many instances the information provided will check out. Some lawyers go further and ask for documentation of the outstanding debt, and that too may be supplied. Shortly thereafter a check for a significant amount arrives by overnight courier, payable to the lawyer or the firm. The “client” then contacts the lawyer, says they know the check has arrived, and asks, and soon presses, for a prompt disbursement, after the attorney has of course taken her well deserved share of the proceeds. A lawyer who deposits the check into the trust account and forwards the funds as instructed may soon be shocked to learn that the check was a forgery. To make matters worse, once the check is returned unpaid the bank debits the trust account for the amount the attorney authorized to be disbursed, shorting every other client who had money sitting in that trust account. Not good.
This approach has already been tailored to lawyers who handle divorces, real estate closings, and collection matters, and it will continue to evolve. Beyond simple awareness of the scam, what can be learned? There are several valuable lessons. First, an obvious one: there is a difference between funds being available for disbursement and funds being good. Even though the bank may have said the funds are available, that does not mean the check has actually been collected from the paying bank and the funds are therefore good. The gap can easily be seven or more working days, which is more than enough time for the scam to run its course.
Less obvious are the trust missteps. It is so easy to assume that the person on the phone or sending the e-mail is who they say they are, particularly when the names and contact information check out. I take this kind of advice pretty far. Even if one or more parties are in front of you and you know only one of them, check the IDs of everyone. I can tell you the woman accompanying me is my wife, but if you have never met her in person, how would you know for sure? This can be a serious misstep.
One should also check out and confirm the specifics of each situation. For instance, get a copy of the court order and confirm that it is authentic. Find the contact information of the party who is owed the money, or who is sending the e-mail asking for representation, on your own from an independent source, and verify the situation with that company or individual directly. Again, I can give you real names and addresses, and a phone number or e-mail address to use in verifying the identities or the situation. If you trust that the number or e-mail address I’ve given you is accurate, you risk speaking to or exchanging e-mail with an imposter.
Finally, be cautious with other people’s money. The more pressure that is put on you to disburse funds, the more cautious you should be. Always begin the representation with written documentation of the understanding that any collected funds will be held for at least seven business days, so that you can do all you can to ensure the funds are indeed good funds, and then hold firm.