April 2015 • Volume 103 • Number 4 • Page 48
Think you're too smart to take the computer-fraud bait? Don't be so sure.
Well, if the fish isn't on your line
Bait your hook and keep on trying
- The Marvelettes, "Too Many Fish in the Sea"1
It all started with an email from the post office. At least, that's what it looked like. It came from an email address ending with "usps.gov" and it invited the recipient - a California lawyer - to click on an attachment to find instructions for rescheduling a package delivery. "I wanted to see what the package was, so I clicked on [it]."2
Later that day, the lawyer tried to access his firm's bank account. He entered his ID, but then was directed to a page asking for his PIN, rather than the usual password. Then he got a call from a bank employee - at least, that's what the caller said - who noticed that he was having trouble and offered to help. The caller told him to enter his PIN, along with a token number - a code for wire transfers. Then the lawyer found himself at a site saying the page was down for maintenance.
Two days later, the employee called the lawyer and had him enter the information again. After several tries, the employee said it wasn't working, and told him he was locked out of his account for 24 hours.
That, says the lawyer, is "when alarm bells started to go off." Within hours, the lawyer discovered that $289,000 had been transferred from his account to a Chinese bank. "I never thought it would happen to me," he said, claiming that he felt like a "dummy."3
But you don't need to be a dummy for phishers to get your money - and worse. Let's explore the dark world of cyber-crime, and figure out how you can avoid getting hooked.
Phishing in the dark
You and me going fishin' in the dark
- "Fishin' in the Dark"4
The lawyer in the example above fell victim to a "phishing"5 scheme. The term refers to a scheme using "fraudulent emails and copy-cat websites to trick you into revealing valuable personal information" which is then used "to steal your money or your identity or both."6 According to one expert, this particular scheme likely was accomplished by installing a virus to capture the lawyer's keystrokes, and was especially sophisticated because of "the number of steps that had to occur after the victim clicked on the attachment and the timing that had to be so precise."7
Not all phishing schemes are so complex. Many simply involve an email that appears to be from a well-known, trusted company. The cyber-wolves are getting better all the time at dressing up their email in the proverbial sheep's clothing. Their emails have the right "look" - an email could, for example, include Apple's iconic logo, familiar Helvetica Neue typeface, and a spare layout with a gray and white color scheme. It might seem to come from a real company employee - the email address or the body of the text might include the name "Tim Cook" - the real CEO of Apple.
Glinting beneath this bait is the hook - the invitation to click on a link that might trigger the delivery of malware to the recipient's computer, or lead to another legitimate-looking page requesting the desired personal information. Like expert fishermen, phishers are skilled at manipulating their lures to get the target to "bite" by suggesting that failure to respond will have dire consequences. The email might indicate that the account is about to be closed, or that fraudulent activity has been discovered, or that a package will be returned to sender.8
It only takes a moment to jump at the bait - and find your personal information securely snagged on a scammer's phishing line.
Wolves in law firms' clothing
And I'm gonna use every trick in the book.
I'll try my best to get you hooked
- "I'm Gonna Make You Love Me"9
High profile law firms have taken their place beside delivery companies and banks in the phraudster bait box. It's easy to understand why law firms are a powerful lure - it's tough to ignore an email that suggests you have been sued or subpoenaed.
Early this year, a wave of emails purporting to come from major law firms including Sidley Austin and Baker McKenzie hit the Internet. The emails had subject lines like "Your complaint received" or "Notice to appear" - talk about creating a sense of urgency! - and included links that would download keylogging malware if clicked.10
Phishers have baited their hooks with law firms for some time now - in early 2011, an email from a fictitious "Brian Willmer" of "Willmer Hale Law" - spelling really does matter, it turns out - with the subject line "Commercial Litigation Subpoena," urged recipients to click on a link to determine how to respond to a subpoena.11
Don't get hooked
Tips about avoiding phishing scams often seem as though they come directly from Captain Obvious - they are mostly common sense. But it only takes a momentary lapse of reason to get caught, and that lapse is all the more likely when you are multi-tasking and trying desperately to clear all the dung out of your Augean email in-box. Here are a few basics.
Suspect the unexpected. As one expert noted in the wake of the recent law firm phishing scam, "If you haven't spoken to an attorney at Sidley Austin in three years, are you really expecting an email today?"12 An email from an unusual source should be handled with extreme caution.
Verify the source. Pick up the phone and call the sender, using a phone number from your address book or another independent source - not one you find in the email.
Do your own typing. Remember that phishers can disguise the true destination of a link - the URL might look right, but clicking could lead to another site altogether. Don't click on a link provided in an email. Instead, type the URL into the web browser yourself or use a previously-created bookmark.13
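The disguised-link trick described above can be checked mechanically before anyone clicks: compare the host a link's visible text claims with the host its href actually points to. The following is an added example, not code from the article or from any product it mentions; the email fragment and all domains in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host a URL really resolves to; urlparse drops any 'user@' prefix,
    so 'https://www.apple.com@evil.example' yields 'evil.example'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def find_disguised_links(html):
    """Return (visible text, href) pairs whose text names one host while the
    href leads to another. Link text that is not URL-like is skipped."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        looks_like_url = "." in text and " " not in text
        shown = _host(text) if looks_like_url else ""
        if shown and shown != _host(href):
            suspicious.append((text, href))
    return suspicious


# Constructed sample: two disguised links, one plain-text link, one honest link.
SAMPLE_EMAIL = """<p>Your package could not be delivered. Reschedule at
<a href="http://usps.gov.delivery-reschedule.example/track">https://www.usps.gov/redelivery</a>
or sign in at <a href="https://www.apple.com@accounts.example.net/login">https://appleid.apple.com</a>.
Questions? <a href="https://www.usps.com/help">Contact us</a> or visit
<a href="https://www.usps.com/">www.usps.com</a>.</p>"""
```

Running `find_disguised_links(SAMPLE_EMAIL)` flags the first two links only; "Contact us" cannot be compared, and the last link's text and target agree.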
Watch for weirdness. Watch for misspellings (remember "Brian Willmer"?), broken English, or, more subtly, a message with tone or vocabulary that seems "off."
Know a lure when you see it. "Phishing scams rely on greed, curiosity, fear, or a sense of urgency to drive potential victims to action," says tech expert Tony Bradley.14 An email that threatens immediate negative action unless you act right away can be a near-irresistible lure. The promise of a "hilarious photo of you!" can tempt you (or scare you, depending on what you think you might have been caught doing) to click and see. Don't take the bait.
Above all, avoid the hook. "Don't open unknown file attachments or click on links in suspicious emails, and don't enter your credentials on login pages linked from email messages," advises Bradley.15
Slow down, be alert to signals of an email scam, and don't let fear or curiosity tempt you into a click you'll regret.
Karen Erger is vice president and director of practice risk management at Lockton Companies.