Avoid phishing scams over the holidays
Fraudsters often increase their efforts over the holidays when key staff may be away and people generally may be more distracted or rushing to get things done before the end of the year. The risk of getting duped could be increased this year with many of us working from home and the usual checks and lines of communication disrupted somewhat. It is a good time to be reminded of the dangers of phishing scams.
Phishing involves the use of an email, text message or phone call that appears to come from a trusted source or institution, vendor or company, but is actually from a third-party impostor. Phishing messages are intended to trick you into giving fraudsters your information by asking you to update or confirm personal or online account information. Personal information and identity theft and/or payment scams are the motives behind most phishing scams. Fraudsters cast a wide net and make thousands of phishing attempts – they only need one or two dupes to make it pay off.
Phishing is also becoming more sophisticated. Fraudsters can conduct research about you through the internet and other means to obtain information unique to you, including your practice area, your clients, and your personal life. A “spear” phishing attempt is a phishing message that is personally addressed to you, will appear to be from someone you already know (such as a senior partner at the same firm), and may include other detailed personalized information.
Fraudsters do their best to make phishing messages look official and legitimate. They will mimic real communications from the company or entity they are supposedly from by using the same layout, fonts, wording, message footers and copyright notices, etc. as official messages. They will often include corporate logos and even one or more links to the alleged sender’s real website.
How to spot phishing messages
Phishing scams work because they are convincing and prey on your trust of the source. If you get a phishing message from a bank and you don’t have an account there, you aren’t likely to fall for the scam. However, if you have an account at that bank, the message may look legitimate to you and you are more likely to fall for the scam. Many phishing messages will include a link or attachment that you are asked to click so you can update your information. After doing so, the webpage or attachment you will see (which will also have text and logos to make it look official) will prompt you to enter your name, account number, password and other personal information – thereby giving it to fraudsters.
- The link you are asked to visit is different from the company’s usual website URL (place your mouse over the link and look at the taskbar in your window to see if the link matches. It should take you to the proper website)
- The main part of the sender’s email address is not the same as the company’s usual email address
- Spelling and grammar mistakes
- A sense of urgency – money has to be transferred quickly without the usual checks and balances
- The promise of receiving money or another big prize.•Anyone asking for money – even if you know them.
Don’t take the bait
Never respond to phishing requests for personal information in the mail, over the phone or online. Most importantly – this is probably the most common way that personal information is stolen – never ever reply to unsolicited or suspicious emails, instant messages or web pages asking for your personal information (e.g., usernames, passwords, SIN number, bank account numbers, PINs, credit card numbers, mother’s birth name or birthday), even if they appear to be from a known or trusted person or business. Legitimate businesses should never send you an email asking to send your username, password or other information to them in an email message. If in doubt, call the company yourself using a phone number from a trusted source. Don’t use the number in the email – it could be fake too!
All staff can be targeted
Educate the lawyers and staff at your firm to make sure they will not fall for a spear phishing scam. Follow firm processes and procedures for the review and approval of financial transactions – and don’t bypass them due to urgent circumstances. Never share confidential client or firm information without being sure it is appropriate to do so by getting confirmation from someone familiar with the file. Be on the lookout for and question any last minute changes on fund transfers or payments.
For more on making sure your firm is on top of cyber security during the pandemic, see Beware of cybersecurity risks during COVID-19 and working from home