Not knowing or understanding the cybercrime risks your law firm faces puts you at a disadvantage against cyber criminals who know exactly what they’re doing. But wrapping your head around the lingo used to talk about the topic can be tricky.
Cybercrime terminology is complex and it’s constantly changing and evolving. Knowing the meanings behind key terms can make cybercrime easier to understand and prevent.
Key Cybercrime Terms
The following are some of the biggest threats currently facing professional businesses such as your firm:
Phishing – Phishing is a common type of online fraud carried out by email. The term is pronounced like fishing, and that comparison is a helpful way to understand how the scam works.
Just as a fisherman casts a line near a group of fish and waits for a single bite, a cybercriminal rolls out a mass email campaign and waits for someone to respond. A phishing attack’s appeal is designed to be general enough to get a response from anyone in a targeted group.
Phishing attacks are often transactional, promising something in return for your response and providing a convincing reason to act now, such as a contest prize, a security check or an account that will be suspended. Requests can ask for login credentials, credit card numbers, one-time security codes and more, either in a reply or on a fake login page reached through a link.
The danger of phishing is that the messages closely imitate legitimate ones from people and organizations you regularly do business with, including their logos, wording and signature blocks.
To reduce your risk of falling for a phishing scam, check the actual sender address (not just the display name) and the destination of any link before providing private information, and when in doubt contact the organization through a phone number or website you already know rather than one supplied in the message.
Vishing – Vishing is a type of phishing scam that involves phone calls. The term comes from a combination of “voice” and “phishing.” Even though phones are much older than email, vishing scams are a relatively new phenomenon.
Cybercriminals know that many financial institutions have started using phone calls to notify customers of problems with their online banking accounts and are taking advantage of the situation.
The difference between a legitimate call and a vishing scam can be subtle. A vishing scam will ask for security information such as passwords, PINs or one-time codes that a real bank informing a customer of a problem will never ask for. Caller ID is no protection: it can be spoofed, so a display showing your bank's number proves nothing.
Never give out sensitive information to an unverified caller. If in doubt, hang up and call your bank directly using the number on your card or statement.
Smishing – Smishing is a newer form of phishing involving texts to phones or messaging apps. The term comes from the combo of the “SMS” text technology with “phishing.”
Smishing can be dangerous because messages often include a website link for you to visit or a phone number to call. Often the scammer is impersonating a financial institution and the website or phone number supplied will be fraudulent.
To avoid smishing scams, do not tap links or call numbers in unsolicited messages that ask you to supply data or take a specific action. If the message claims to come from your bank or another institution, contact it through the number or website you already use.
Pharming – Pharming is a sophisticated type of cyber attack that redirects web traffic from a legitimate website to a fraudulent one by tampering with how domain names are resolved to addresses.
A combination of the terms "farming" and "phishing," this scam most often works by installing malicious code on a user's device that alters its hosts file or DNS settings; the same effect can be achieved by poisoning a DNS server that many users share. The attack may use an email or text message to deliver the code, but it does not involve a direct request for information.
After a device has been compromised, the user is redirected to a fake site whenever they attempt to access the legitimate one, even when they type the correct address. Because the address bar shows the name they expected, the only visible warning may be a missing HTTPS padlock or a certificate error. Entering login credentials or payment information on the fake site hands them to the cybercriminal.
To reduce the risk of a pharming attack, keep devices and browsers up to date, use reputable antivirus protection, and never click past a certificate warning on a site where you sign in or pay. Strong, unique passwords and multi-factor authentication limit what a criminal can do with credentials captured this way.
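One device-side pharming mechanism described above is an altered hosts file, which overrides normal name resolution. The following check, added here as an illustration and not part of the original page or of any vendor's product, parses hosts-file contents and flags public website names pinned to addresses outside the loopback and private ranges. The file contents, the suspicious entries and the address 203.0.113.45 are constructed for the example; on a real system you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead. It does not detect the other pharming route, a poisoned DNS server.

```python
import ipaddress

# Constructed sample hosts file (not taken from a real machine). The last
# two active lines mimic what pharming malware adds: well-known domains
# pinned to an attacker-controlled address so the browser never asks DNS.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation.lan workstation
# Entries a pharming trojan might add
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    login.microsoftonline.com
"""

# Address ranges where legitimate hosts entries normally point: loopback,
# RFC 1918 private space, link-local, and their IPv6 equivalents.
# Listed explicitly because ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would hide the sample entries.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for each active hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address, skip the line
        entries.append((ip, parts[1:]))
    return entries

def is_local(ip):
    """True if the address sits in one of the expected local ranges."""
    return any(ip in net for net in LOCAL_NETS)

def suspicious_overrides(text, local_suffixes=(".lan", ".local", ".localdomain")):
    """Return (ip, hostname) pairs that pin a public-looking name to a
    non-local address, which is how hosts-file pharming redirects traffic.
    Bare hostnames and names with local-only suffixes are ignored."""
    flagged = []
    for ip, names in parse_hosts(text):
        if is_local(ip):
            continue
        for name in names:
            lname = name.lower()
            if "." not in lname or lname.endswith(local_suffixes):
                continue
            flagged.append((str(ip), lname))
    return flagged

if __name__ == "__main__":
    for ip, name in suspicious_overrides(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```

Run against a real hosts file, any hit for a bank, email provider or identity provider deserves immediate investigation; legitimate administrators rarely pin public names this way.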
Malware – Malware, short for malicious software, is a piece of software intentionally designed to cause harm to a computer, a network or a user.
Malware can slow computers and networks down, destroy or encrypt data, or quietly open a backdoor that gives an attacker ongoing access. It is also used to steal passwords and other private information that can then be exploited.
Pharming code is one example of malware. Ransomware is another.
Protecting against malware can be difficult. Keep operating systems and applications patched, and avoid visiting unfamiliar websites, clicking suspicious links and opening unsolicited attachments, all of which can be used to install malware on your device and network.
Ransomware – Ransomware is a type of malware that involves a demand for ransom. This is a particularly dangerous type of cybercrime and unfortunately, it’s become very common.
Ransomware works by installing malicious code on a computer or network when you open an infected email attachment, click a malicious link, visit a fraudulent or compromised website, or when an attacker gets in through an exposed remote-access service. The software is programmed to encrypt the files on your device and on any network shares it can reach, then display a screen with instructions for paying a large ransom in exchange for the decryption key. Many current ransomware gangs also copy your data out before encrypting it and threaten to publish it if you do not pay.
Although much ransomware still spreads opportunistically, many operators now target specific businesses in industries with valuable private data, such as law and medicine, because they are more likely to pay. Paying the ransom offers no guarantee your files will be restored, and past attacks have ended with data being publicly exposed regardless.
To protect against ransomware, train staff for awareness, secure and patch your computers and network, avoid actions that could download malware, and keep regular, redundant backups of all your data stored separately from your primary systems so the ransomware cannot reach them. Test restoring from those backups periodically; an untested backup is a hope, not a plan.
BEC Scam – BEC stands for “business email compromise” and it involves the use of targeted email communications to defraud a company.
BEC scams are common and sophisticated, targeting businesses that routinely make or receive payments online. Businesses that work with foreign suppliers and other businesses abroad are also targeted.
BEC scams are dangerous because the fake emails appear to come from a trusted sender, such as a managing partner, a client or a regular contact. Small differences in the sender's address (a swapped or missing letter, a different top-level domain, the real domain name buried inside a longer one) or a familiar display name paired with an unfamiliar address are often the only clues something is amiss.
Protecting against BEC scams requires careful attention to the full sender address, not just the display name, whenever financial requests are involved. Always confirm wire instructions and any change to payment details by another secure method, such as a phone call to a number you already have on file, never one supplied in the email, before proceeding.
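The sender-address checks described above can be automated. The example below is added for illustration and is not code from the original page or from any firm's mail system; the contact directory, the addresses and the homoglyph table are constructed for it. It flags three patterns: a domain that differs from a trusted one by a couple of characters or a lookalike substitution (rn for m, 1 for l), a trusted domain embedded as a prefix of a longer attacker domain, and a known contact's display name paired with an address that is not theirs. It also flags a Reply-To header that sends replies to a different domain than the one shown in From, a common trick for hijacking a payment conversation.

```python
import unicodedata
from email.utils import parseaddr

# Constructed directory of trusted correspondents for a hypothetical firm.
# Keys are full addresses; values are the display names those people use.
TRUSTED_CONTACTS = {
    "jane.doe@examplefirm.com": "Jane Doe",
    "pat.lee@acme-client.com": "Pat Lee",
}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_CONTACTS}

# Character swaps attackers use because they look alike in common fonts.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize_domain(domain):
    """Fold a domain to a canonical form so visual lookalikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # strip accents
    for lookalike, real in HOMOGLYPH_PAIRS:
        d = d.replace(lookalike, real)
    return d

def levenshtein(a, b):
    """Edit distance; a small value between two domains means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(domain):
    """Crude registrable part (last two labels); sufficient for these checks."""
    return ".".join(domain.split(".")[-2:])

def assess_sender(from_header, reply_to_header=None):
    """Return a list of (code, detail) red flags for an email's From/Reply-To."""
    findings = []
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reg = registrable_domain(domain)

    if addr not in TRUSTED_CONTACTS and reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # Near-miss spelling or homoglyph swap: examplefirrn.com, acme-c1ient.com
            if levenshtein(normalize_domain(reg), normalize_domain(trusted)) <= 2:
                findings.append(("lookalike_domain", f"{domain} resembles {trusted}"))
            # Trusted name buried inside a longer domain: acme-client.com.secure-docs.net
            elif ("." + trusted + ".") in ("." + domain):
                findings.append(("trusted_domain_as_prefix", f"{domain} is not {trusted}"))

    # A known contact's display name on an address that is not that contact's.
    for trusted_addr, trusted_name in TRUSTED_CONTACTS.items():
        if display_name.strip().lower() == trusted_name.lower() and addr != trusted_addr:
            findings.append(("display_name_mismatch", f"{display_name!r} but address is {addr}"))

    # Replies silently routed to a different domain than the one shown in From.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if registrable_domain(reply_domain) != reg:
            findings.append(("reply_to_mismatch", f"replies go to {reply_domain}, not {domain}"))
    return findings

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@examplefirm.com>",
                "Jane Doe <jane.doe@examplefirrn.com>",
                "Pat Lee <pat.lee@acme-client.com.secure-docs.net>"):
        print(hdr, "->", assess_sender(hdr) or "no red flags")
```

A clean result is not proof of legitimacy (an EAC attacker sends from the genuine account, see below), which is why the verification call still matters; the check is there to catch the lookalike cases a busy reader skims past.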
EAC Scam – EAC stands for “email account compromise” and it’s very similar to a BEC scam.
In a BEC scam, a hacker impersonates a trusted email contact using a similar but fake sender address. But in an EAC scam, the hacker actually takes over control of a legitimate email account and uses it to commit fraud.
EAC scams typically target CEO and VIP email accounts for takeover, then send their subordinates urgent messages requesting help logging into a financial account or processing a payment transfer.
To protect against EAC scams, it’s a must to have transaction verification processes in place and train employees to stick to the rules for every transaction no matter what requests a sender makes.
DDoS Attack – DDoS stands for "distributed denial of service." It is an attack that floods a target with traffic from many sources at once. Motives range from extortion and hacktivism to geopolitical conflict, and the attacks are not necessarily sophisticated: the capacity to launch one can be rented cheaply.
Unlike malware, a DDoS attack does not usually damage systems; it makes them unavailable. It works by sending a very high volume of automated requests over the internet from a large number of compromised or rented machines, exceeding the target system's or its network connection's capacity, so legitimate users cannot get through.
DDoS attacks are dangerous because they can take down websites, email and remote-access systems for hours or days, and they are often aimed at vital infrastructure, manufacturing and communications businesses, or used as cover for another intrusion.
Businesses with critical internet-facing systems can minimize their risk by arranging DDoS protection in advance, typically through their internet provider or a cloud-based scrubbing or content delivery service, and by working with a cybersecurity expert to add rate limiting and monitoring so a flood is recognized early.
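Recognizing a flood early starts with the web server's own access log. The following detector is an added example, not code from the original page or from any DDoS vendor, and the log lines it processes are constructed inline (the client addresses 192.0.2.x and 203.0.113.7 are documentation ranges chosen for the example). It computes, for each source address, the largest number of requests seen in any sliding window, and also the aggregate peak across all sources, because in a truly distributed flood each individual bot may stay under a per-address limit while the total still exceeds what the server can serve.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "GET /login HTTP/1.1" 200 512
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_clf(line):
    """Return (client_ip, timestamp, request_line), or None if the line is unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FORMAT), request

def peak_window_count(timestamps, window):
    """Largest number of events falling inside any interval of length `window`
    (inclusive of the endpoints), computed with a sliding deque."""
    q = deque()
    peak = 0
    for ts in sorted(timestamps):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak

def flag_floods(lines, window_seconds=10, per_ip_limit=30, total_limit=100):
    """Flag sources whose request rate exceeds per_ip_limit in any window and
    report whether the aggregate rate (all sources together) exceeds total_limit."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    all_ts = []
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue                       # skip malformed lines rather than crash
        ip, ts, _request = parsed
        by_ip[ip].append(ts)
        all_ts.append(ts)
    peaks = {ip: peak_window_count(ts_list, window) for ip, ts_list in by_ip.items()}
    noisy = {ip: n for ip, n in peaks.items() if n > per_ip_limit}
    aggregate_peak = peak_window_count(all_ts, window)
    return {
        "noisy_sources": noisy,
        "aggregate_peak": aggregate_peak,
        "aggregate_flood": aggregate_peak > total_limit,
    }

def build_sample_log():
    """Constructed sample: two ordinary visitors plus one source firing
    sixty requests at /login within six seconds."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(5):
        lines.append(line("192.0.2.10", i * 7, "/"))
        lines.append(line("192.0.2.11", i * 9 + 2, "/about"))
    for i in range(60):
        lines.append(line("203.0.113.7", 20 + i / 10, "/login"))   # ten per second
    return lines

if __name__ == "__main__":
    result = flag_floods(build_sample_log())
    for ip, n in result["noisy_sources"].items():
        print(f"{ip}: {n} requests in a 10 s window (limit 30)")
    print("aggregate peak:", result["aggregate_peak"], "flood:", result["aggregate_flood"])
```

The thresholds are placeholders; in practice they are set from a baseline of the site's normal traffic, and the per-source list feeds a block or rate-limit rule while the aggregate figure is what tells you to engage the upstream scrubbing provider.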
Funds Transfer Fraud – Funds transfer fraud is a kind of targeted online wire fraud, involving the misappropriation and theft of large sums of money.
Funds transfer fraud happens when a cybercriminal inserts themselves into communications facilitating a transaction involving large sums of money. Examples include mergers and acquisitions, real estate transactions, legal settlements, retirement disbursements and more.
This scam is dangerous because of the sums of money involved and the considerable difficulty getting the funds back, especially when they are quickly wired overseas.
To protect against funds transfer fraud, it is imperative to follow current best practices: train everyone who touches payments, follow set procedures for every transfer without exception, require a second approver for large wires, and verify new or changed payment instructions by calling a number you already have on file. Email alone is never sufficient authority to move money.
Social Engineering – Social engineering is a frequently used tactic by cybercriminals. It involves trickery, deception or psychological manipulation to facilitate online attacks, scams or fraud.
Cybercriminals often use social engineering as a first step to convince business owners and employees to divulge sensitive information such as passwords or security procedures that can then be used to hack a computer or network.
Phishing, malware, ransomware, BEC scams, funds transfer fraud and more all typically start with social engineering tricks.
The practice can be difficult to protect against if you're unprepared, so awareness and training are key. By knowing what to look out for and consistently following the guidelines and procedures set by your company, even when a request is urgent or comes from someone senior, you can reduce your risk of becoming a victim of social engineering.
Other Cyber Terms to Know
While not specific types of cybercrime, the following cyber terms can also be helpful to know and understand:
Cyber Incident – A cyber incident is a broad category of cyber events that has two important characteristics: it can negatively impact your business and it requires a speedy response from your IT professionals. Incidents may or may not be intentional or malicious.
Cyber Breach – A cyber breach is a subcategory of cyber incident in which your company's cybersecurity protections are bypassed or fail, so that private data may have been exposed to unauthorized parties. A breach may be the work of an attacker, but it can also result from a misconfigured system or an employee's mistake, such as sending a file to the wrong recipient. Either way, every breach requires action from your security professionals, and many trigger legal notification obligations.
Cyber Attack – A cyber attack is another subcategory of cyber incident that is both intentional and malicious. Some cyber attacks start with a breach that defeats your company's defenses to view, alter or steal your private data. Others are simply designed to damage or disable your computer or network systems. Like a breach, a cyber attack is a significant event that calls for rapid response.
Cyber Response Plan – A cyber response plan is a formal, written plan that sets out who does what when a cyber incident occurs: how it is detected and contained, who is notified (including counsel, insurers and regulators), how evidence is preserved and how systems are restored. Without a plan, you risk delays or mistakes that worsen the damage and increase your liability.
Cyber Insurance – Cyber insurance is a type of insurance specifically designed to protect businesses against the risk of cyber incidents, including costs such as loss of income, legal expenses, regulatory fines and penalties, privacy breach notification expenses and more.
NYC Bar members can access tailored Cyber Liability protection with Lockton Affinity’s CyberLock Defense. CyberLock Defense coverage even includes expert guides and resources that can help you plan ahead to protect your firm and reduce the risk of experiencing a cyber incident and the need to file a claim.