The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Phishing

  • From Vol. 4 No.41 (Dec. 5, 2018)

    Tips from EY’s Forensics Team on Recognizing and Preventing BEC Attacks

    While headlines often feature enormous data breaches and large-scale infrastructure attacks through malware such as ransomware, another kind of cyber attack has been on the rise – sophisticated instances of social engineering known as business email compromise. In this article, we cover the trends and preventative measures for BEC attacks that were discussed by three members of EY’s Forensic & Integrity Services team at a recent webinar. “What we’re seeing in general around cyber attacks is that cyber criminals have moved away from targeting infrastructure alone,” said U.K. partner Ryan Rubin. “They’ve been very successful in targeting individuals and people within organizations. We suspect this might be the number one type of attack in 2018 that people will refer back to, rather than very complex cyberattacks that we also do see in the news.” See also “Multimillion-Dollar Scheme Serves As Backdrop for Lessons on Preventing and Mitigating Phishing Attacks” (Apr. 5, 2017).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    What Lawyers Need to Know About Security Technologies and Techniques (Part Two of Three)

    IT’s important role in implementing a cybersecurity strategy is indisputable, but lawyers need to be at the table too given the risks, including regulatory implications of breaches and the growing possibility of ensuing litigation. With input from technical and legal experts, this three-part series addresses what attorneys need to understand about security technologies and what role they should play. This second installment explores these issues within efforts related to red-teaming, vulnerability scanning and social engineering. Part one addressed the knowledge base needed depending on the lawyer’s role, whether security certification is necessary, and the roles of technology and pen testing in mitigating risk. Part three will cover cloud security and the potential value of hacking back. See also our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    Beware of False Friends: A Hedge Fund Manager’s Guide to Social Engineering Fraud

    Cybercriminals are increasingly relying on social engineering to attack corporate systems. Certain types of companies such as hedge funds are particularly vulnerable, given that they typically lack extensive in-house cybersecurity expertise, deal with large sums of capital and have relationships with powerful clients and individuals. Social engineering fraud poses a number of risks to fund managers. Fortunately, managers can mitigate these risks by training employees, instituting multi-factor authentication, adopting verification procedures, limiting user access and monitoring cybersecurity regulations. In addition, managers are increasingly able to rely on insurance to cover social engineering fraud losses. In a guest article, Ron Borys, senior managing director in Crystal & Company’s financial institutions group, and Jordan Arnold, executive managing director in K2 Intelligence’s New York and Los Angeles offices and head of the firm’s private client services and strategic risk and security practices, examine the risks of social engineering fraud, how fund managers can prevent it and how insurance policies can be used to protect against related losses. See also “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    Overcoming the Challenges and Reaping the Benefits of Multi-Factor Authentication in the Financial Sector (Part One of Two)

    As hackers phish their way into SMS messages with one-time passcodes or use photos of fingerprints or eye veins to bypass biometric factors, developing effective online multi-factor authentication (MFA) systems is becoming more difficult. Using two or even three ways to establish identity online is particularly significant in the financial sector, where failure to secure the accounts of clients or employees can lead to massive losses. Online authentication factors must not only be secure, but also convenient for the user and, of course, make economic sense. In this first part of our two-article series, we explore the MFA landscape for the financial sector, strategies for ensuring both security and user friendliness, challenges that certain factors present and the means to overcome those challenges. In the second part, we will discuss MFA innovations, including those from the Fast Identity Online Alliance, what regulators expect around the world, and how companies can economically implement an MFA system. See also “Finding the Best Ways to Secure Digital Transactions in a Mobile World” (Oct. 19, 2016).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Multimillion-Dollar Scheme Serves As Backdrop for Lessons on Preventing and Mitigating Phishing Attacks

    Recent criminal charges based on a business email compromise scheme that induced two U.S.-based internet companies to wire more than $100 million to a fraudster’s bank accounts serve as a reminder that any company can fall prey to a phishing attack. Companies must ensure they are doing what they can to prevent becoming a victim. “This case shows there are few limits on the amount of money that you can potentially extract in attacks like this as long as you find a company with those kind of resources and some weakness in its financial controls,” Serrin Turner, a Latham & Watkins partner and former lead cybercrime prosecutor for the Southern District of New York’s U.S. Attorney’s office, told The Cybersecurity Law Report. With input from Turner, we discuss the facts behind the indictment and offer advice on how to prevent and mitigate damages from these types of attacks. See also “Advice From Blackstone and Tiffany CISOs on Fighting Cybercrime” (Nov. 2, 2016).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Their Clients

    Law firms store a wealth of sensitive and confidential information electronically, making them prime targets for hackers. Not only does weak data security affect business development and client retention for firms, but it can result in legal and ethical violations as well. How can firms meet clients’ increasing data expectations? How can clients determine how robust their current and potential firms’ systems are? What mistakes are law firms making? John Simek, vice president and co-founder of cybersecurity and digital forensics firm Sensei Enterprises, Inc., answered these and other questions about law firm data security in a conversation with The Cybersecurity Law Report. See also “Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment” (Jun. 17, 2015).

  • From Vol. 1 No.1 (Apr. 8, 2015)

    Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals – in fact, many cybersecurity incidents come from the inside. They are initiated by an employee’s inadvertent mistake or intentional act. In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.
