Law firms targeted in phishing scam

At least five global law firms with an active presence in the Australian market have been targeted in a recent business email compromise scam.

Thu, 24 Nov 2022

Editor’s note: This story originally appeared on Cyber Security Connect’s sister brand, Lawyers Weekly

It is understood that Allen & Overy, Clifford Chance, Dentons, Herbert Smith Freehills and Hogan Lovells are among the many law firms that were recently targeted by the business email compromise (BEC) group Crimson Kingsnake. Dentons declined to comment after a request made by Cyber Security Connect’s sister brand Lawyers Weekly, and the others did not respond prior to deadline.

BEC attacks are a form of targeted phishing whereby cyber criminals impersonate employees and try to scam individuals and/or businesses out of money, goods and/or valuable information.

According to the Australian Cyber Security Centre’s Annual Cyber Report 2020–21, BEC attacks cost Australian organisations approximately $81 million during a 12-month period. Further, the Australian Competition and Consumer Commission (ACCC) received 11,395 reports of BEC attacks in the first half of 2022, costing businesses $12.3 million.

This particular BEC group, Crimson Kingsnake, is understood to have impersonated law firm employees, asking the recipient to approve overdue invoice payments.

The members of Crimson Kingsnake would pose as lawyers, including those in senior executive roles, to trick and intimidate individuals into paying for services that were supposedly provided to them a year ago.

Abnormal Security was the first to raise the alarm on Crimson Kingsnake activity back in March this year. The San Francisco-headquartered software company identified 92 domains linked to the group.

Abnormal Security said it has observed several recurring tactics in Crimson Kingsnake campaigns that target law firms.

First, Crimson Kingsnake email subject lines often contain language such as “overdue”, “unpaid”, “outstanding”, or “final notice” to create a sense of urgency and importance with the recipient, Abnormal Security said.

When a first attempt fails, Crimson Kingsnake will often try again and introduce a secondary party into the email thread, posing as someone in an executive position, to put further pressure on the recipient.

“There are a few things organisations can do to reduce their chances of falling victim to impersonation attacks, like those we’ve seen with Crimson Kingsnake,” Abnormal Security said.

“First and foremost, it’s imperative to prevent social engineering emails from reaching employee mailboxes. To accomplish this, organisations should adopt more modern email security solutions, like a behavioural AI-based, context-aware platform.

“By using software that analyses email identities and content, social engineering attacks can be blocked before employees have the opportunity to engage with them.”

If these attacks do end up in an inbox, Abnormal Security said it’s imperative that there are robust procedures for outgoing payments in place.

“Organisations should have a process for validating that money is getting sent to the correct recipient, particularly for these high-dollar invoices. And security awareness training is imperative, as employees should know to carefully consider sender addresses, especially when an email asks them to share sensitive information or send a payment,” the group said.
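As an added illustration of the subject-line tactics reported above and the sender-address checks recommended here (example code, not from Abnormal Security, the ACSC or any firm named in the article), the Python triage below applies the reported urgency terms, a display-name versus sending-domain comparison and a Reply-To mismatch check to one constructed message; the firm name, domains and message are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Subject-line terms the article reports in Crimson Kingsnake lures.
URGENCY_TERMS = ("overdue", "unpaid", "outstanding", "final notice")

# Constructed allowlist: firm name (lower-case) -> domains it is known to send from.
# Placeholder values, not real law-firm domains.
KNOWN_FIRMS = {"example firm": {"examplefirm.test"}}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str, known_firms=KNOWN_FIRMS) -> dict:
    """Collect BEC indicators from one RFC 5322 message and flag it if two or more match."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").lower()
    from_name, from_addr = parseaddr(msg["From"] or "")
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr) or from_domain  # no Reply-To means replies go to From

    findings = []
    urgency = [t for t in URGENCY_TERMS if t in subject]
    if urgency:
        findings.append(f"urgency language in subject: {urgency}")
    # Display name claims a known firm, but the address domain is not one of that firm's.
    for firm, domains in known_firms.items():
        if firm in from_name.lower() and from_domain not in domains:
            findings.append(f"display name '{from_name}' does not match sending domain '{from_domain}'")
    # Replies silently redirected to a domain other than the visible sender's.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    return {"from_domain": from_domain, "urgency_terms": urgency,
            "findings": findings, "flag": len(findings) >= 2}


# Constructed sample message in the style the article describes (placeholder domains).
SAMPLE = """\
From: "Example Firm LLP Accounts" <accounts@examplefirm-billing.test>
Reply-To: Example Firm Partner <partner.desk@mailbox-example.test>
To: ap@client.test
Subject: FINAL NOTICE: overdue invoice for services rendered

Please approve the attached invoice today.
"""

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print(line)
```

A flagged message is a cue to apply the out-of-band payment validation step the article recommends, not a verdict on its own.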

The Australian Cyber Security Centre (ACSC) also has recommendations and procedures in place should organisations find themselves being targeted, such as reporting the attack to authorities via ReportCyber.

Next, the ACSC said it’s important to check your account security and secure any compromised accounts.

“Notify contacts and relevant third parties: alert other employees and clients. Certain businesses have mandatory reporting obligations with regards to customer data breaches,” the ACSC said.

“Seek assistance defending your online brand: domain names are your internet mail address and your online business identity. If your company has been impersonated, reach out on ReportCyber.

“Contact the email provider: if someone is using an email service to impersonate you (like Gmail or Outlook.com), report this to the provider.”
