Phishing, Spear Phishing, and Whaling: Protect Yourself and Your Firm

There’s no question that email has revolutionized the way we operate. In fact, it’s hard to imagine ever practicing law without the ease and speed of communication that email enables. Unfortunately, for all of its convenience, email has opened the door to serious security threats that include viruses, malware, and fraud. Phishing scams have become a widespread problem—you’d be hard pressed to find anyone who hasn’t been the recipient of a phishing email. Because email is something we all use every day, it’s become a favorite tool for those who are looking to gain illegal access to our business systems and sensitive information.

While most people like to think of themselves as email-savvy, email scammers are highly sophisticated and constantly evolving their techniques in order to increase their likelihood of a successful breach. What you thought was protecting you in the past is likely no longer sufficient. It’s vital to continuously adapt your security measures as threats evolve because failing to prevent a breach could be devastating for your firm. Furthermore, while the bad guys only have to be successful one time, we have to be successful every time. There is good news though: There are things that firms can and should be doing to minimize their risk and increase the likelihood that an email breach will be stymied before it succeeds.

Understanding the Types of Phishing Scams

At their core, all phishing scams are email attacks that attempt to steal sensitive information or obtain unauthorized access to systems. Attackers typically send out massive amounts of email with the intention of committing fraud against a small number of their recipients. Ordinarily, attackers attempt to pass themselves off as a person or entity that is known to and trusted by the recipient in order to trick the recipient into unquestioningly complying with their malicious request. The hope is that the emails prompt victims into clicking on links or logging into accounts to reveal or change their credentials. This process grants the sender illegal access as the link directs the victim to a webpage under the attacker’s control.

Spear-phishing and whaling are more nuanced versions of this attack involving background research, preparation, and a defined target. As opposed to a blanket phishing email campaign, spear-phishing is a more directed attack with the focus on one person or organization. Through a bit of due diligence, the phisher tailors the attack to the intended recipient(s) in order to increase the likelihood of success. This may include setting up dummy web pages, email addresses, and voicemail accounts. Whaling is the same concept, but the attacks are directed at CEOs, CFOs (or their support staff), or large organizations with the intention of a bigger windfall.

It’s tempting for small and midsize firms to believe that they’re not big or important enough to be the victims of cyber attacks. In reality, though, smaller firms are at no less risk than their larger counterparts. Phishing is a numbers game—attackers want to reach as many people as possible to increase their likelihood of success. It takes little effort on their part to send countless emails. Small and midsize firms can even be better targets because they often lack the budgets, infrastructure, and training that the big firms have in place to defend against these attacks. In addition, smaller firms may be pursued if they service the larger organizations that are the actual intended targets of the cyber attack. It is important to keep in mind that attackers are looking for the weakest link; law firms and third-party vendors, without proper protective measures, can fit that bill just fine.

What to Look For

Phishing scams are not always easy to spot, and cyberattackers work diligently to fool us. One well-worn technique is representing themselves as legitimate known senders. Historically this meant that they forged the sender’s address (in the same way that USPS paper mail messages can have any return address attached). This ruse was easily confounded with a reply to the sender; it only allowed for a single, one-way, communication—either the recipient clicked the infected email or link or they didn’t.

This evolved into phishers using domain names that looked like the impersonated party. For instance, using, they are betting that most people are too busy to notice that the “I” in the address is actually a “1.” This concept has since evolved further with spoofed addresses now almost impossible to distinguish from the real ones.

By taking advantage of Unicode, attackers can use homographs—words that look correct but are in fact cobbled together using foreign alphabets to create addresses that look identical to the English address. For example, using a combination of Cyrillic and other alphabets, hackers can create an address that appears to read as When fake links become imperceptible, context and security measures are even more important.
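
The two tricks described above (a digit swapped in for a letter, and a Unicode homograph) can be checked for automatically on the sender's domain. The following is an added example, not part of the original article; the trusted-domain list, the sample addresses, and the small look-alike table are constructed for illustration.

```python
import unicodedata

# Constructed allow-list of domains the firm really corresponds with (assumption).
TRUSTED = {"example-law.com", "examplebank.com"}

# Small illustrative subset of look-alike characters; a production check would
# load the full Unicode confusables data (UTS #39) instead.
CONFUSABLES = {
    "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic er, es, ha
}

def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold look-alike characters to the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def sender_domain(address):
    """Lower-cased domain of an address, with punycode (xn--) labels decoded."""
    domain = address.rsplit("@", 1)[-1].strip().strip(">").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable: inspect as-is

def check_sender(address):
    """Classify a sender address as trusted, lookalike, mixed-script or unknown."""
    domain = sender_domain(address)
    if domain in TRUSTED:
        return "trusted"
    if skeleton(domain) in {skeleton(t) for t in TRUSTED}:
        return "lookalike"
    if any(len(label_scripts(label)) > 1 for label in domain.split(".")):
        return "mixed-script"
    return "unknown"

# Constructed sample senders: genuine, digit swap, Cyrillic "a", unrelated.
SAMPLES = ["partner@example-law.com", "partner@examp1e-law.com",
           "partner@ex\u0430mple-law.com", "news@unrelated.example"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{check_sender(sender):12} {ascii(sender)}")
```

A "lookalike" or "mixed-script" result is a reason to quarantine or banner the message for review, not proof of fraud; legitimate internationalized domains normally use a single script per label.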

While it will never be possible to spot every advanced phishing scam that shows up in your inbox, there are certain signs or red flags to be on the lookout for. Even little things like tone, spelling, and grammar can tip you off to an email that isn’t actually from the person claiming to be sending it. Attachments can also be a huge red flag—if this person never sends you attachments or hasn’t in a long time and you’re not expecting anything, ask some questions before you click on anything. If an email seems out of context or has an unexpected sense of urgency, that’s another good sign that something might be wrong. Phishers will often review the mailbox of a compromised account before crafting their next attack, and we have seen them hijack a conversation mid-thread as they pivot onto their next target.

So while your conversation may have been legitimate when it started, a sudden shift can indicate that it’s been taken over by someone with nefarious intentions. Another sign is if the sender is suddenly traveling or too busy to communicate and directs you to deal with a third party.

Training Is Key

Teaching your employees what to look for and how to handle potentially suspicious emails is the greatest tool you have in your arsenal for fending off phishing attacks. It’s crucial to have annual training to frequently remind users of the seriousness of the threat and to update them on the newest scams being perpetrated. Teach your employees not to open attachments or click on links if they aren’t part of an ongoing business endeavor. Teach them to be on the lookout for subtle signs that an email seems off and to thoroughly examine any email that requests something important. Diligence is crucial to stopping cyber attacks before they start. Built-in tools can go a long way toward detecting spam, but tomorrow there will be a new trick and your employees are your first line of defense. For users to have a hope of spotting an attack, they need to understand the types of attacks, how they work and what phishers are trying to get at.

Recommended Security Measures

Even though hackers are constantly trying to figure out new ways around your system, that system needs to be as secure and up-to-date as possible at all times. Every firm needs good perimeter defenses—all email traffic should be scanned and approved before entering the network to reduce the likelihood that phishing emails get to their recipients. Many modern email filters now replace links and attachments with placeholders that allow for advanced scanning and the ability for the system to refuse access should it later determine that the link/attachment is a threat.

In addition to this basic security requirement, firms should:

  • Ensure that anti-malware and anti-virus programs are a standard part of their infrastructure.
  • Require complex passwords and regular password changes to keep email accounts more secure.
  • Use two-factor or multifactor authentication to go a step further toward preventing hijacked email accounts due to compromised credentials.
  • Implement mobile device management (MDM) to tighten control on devices and access.
  • Implement browser controls to ensure that internet browsers call out addresses and links that are leveraging foreign languages to spoof legitimate organizations.
  • Consider implementing SIEM (security information and event management) and IDS/IPS (intrusion detection and prevention system) tools to help detect and prevent system intrusions by outsiders.

Cyber attackers are relentless, and their phishing strategy is ever changing. You may not be able to always stay ahead of the game, but that doesn’t mean that you can’t take significant steps to prevent attacks from succeeding. With the right combination of understanding, regular training and security countermeasures in your arsenal, you’ll be prepared when an attack comes. Taking action today can prevent you from being the next cybersecurity victim tomorrow.

