Employees Present Cos.' Biggest Cyber Risk During Pandemic

By Ben Kochman
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Employment newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (August 21, 2020, 8:19 PM EDT) -- The cyberattack on Twitter that unfolded after a staffer unwittingly sent login data to a hacker, and a recent campaign targeting the Israeli defense industry with phony job offers, are the latest examples of how a company's cyber defense relies on choices made by its employees.

Both last month's hack on the social media giant and the spree of cyberattack attempts on Israeli aerospace and defense firms are illustrations of what cybersecurity experts call "social engineering," a blanket term for a variety of psychological manipulation tactics that aim to lure employees into divulging sensitive data.

Social engineering is commonly used in phishing attempts, and criminals have ramped up such attacks during the COVID-19 pandemic, posing as trusted officials from the IRS, the Centers for Disease Control and Prevention and the World Health Organization, U.S. financial regulators warned banks last month.

Pretending to be someone else is also a common tactic used in what are known as "business email compromise" attacks, in which hackers use a variety of methods to pose as someone's co-worker — including by using "spoofed" forgeries of company email addresses — and ask the employees to send funds via wire transfer.

Attackers in such cases prey on employees' innate desire to help teammates or coworkers, making it essential for companies to combat this tendency by spending time and money to train their workers about how to handle such unsolicited requests, attorneys say.

"Even organizations with the strictest security can be vulnerable when there are people involved, as people are inherently susceptible to these attacks," said Anthony Valach, counsel in the digital assets and data management group at BakerHostetler.

Lawyers who respond to data breaches say that they were already dealing with a rise in cases involving phishing emails and other social engineering tactics even before attacks spiked again amid the unprecedented shift to remote work during the pandemic. But with more employees working remotely, verifying that a request for information is legitimate now takes a little more effort.

"We've seen a lot of what we've always seen, but the risk is exacerbated in the work-from-home environment," said Brenda Sharton, global chair of Goodwin Procter LLP's privacy and cybersecurity practice. "Folks should be on high alert. If you can't walk down the hall and check with a person [about a request], you're more likely to fall for that type of scheme."

In Twitter's case, 17-year-old Graham Ivan Clark gained access to the company's customer service systems after convincing a Twitter IT employee that he was a co-worker in the same department who needed the employee's login credentials, according to Florida state prosecutors.

Clark and two accomplices used that access to carry out a cyberattack that resulted in identical messages about a cryptocurrency scam being posted by the accounts of some of Twitter's most high-profile users, including Barack Obama, Joe Biden, Apple, Bill Gates, Elon Musk, Uber and Kanye West, authorities say.

Meanwhile, Israel's Ministry of Defense announced earlier this month that a group of nation-state-backed hackers had posed on LinkedIn as recruiters at international aerospace and defense giants like Boeing and BAE, offering employees in the Israeli sector jobs that didn't exist in a bid to get them to turn over sensitive financial and security information about the companies.

Israeli authorities denied that the attacks were successful, but the security firm CyberSky claimed the campaign had infected "several dozens of companies and organizations in Israel and globally," blaming a cybercriminal gang linked to the North Korean government.

Law firms, themselves a common target of hacking attempts, are not immune from such ruses.

Mark Sangster, vice president for industry strategies at the cybersecurity firm eSentire, said his company saw evidence in 2019 of cybercriminals posing as law students at "prestigious schools" to recruit senior law firm partners as "mentors."

"Once the relationship was established, the attackers sent a MS Office document to their target and asked that they complete the survey so the law student can receive academic credit for the work," Sangster said.

The documents, stolen from the law schools that the attackers had claimed to have attended, were loaded with malicious software that activated if their targets clicked on them, Sangster said.

Another common tactic used by social engineering attackers is creating phony websites that mimic government institutions or other authorities. Earlier this month, for example, the Financial Industry Regulatory Authority warned member firms of a new "imposter" website that had registered the domain name, with an extra "n."

"It is possible bad actors could leverage the domain to send fake emails including those with imbedded phishing links or attachments containing malware," the regulator warned companies, advising them to delete all emails that included links to the fraudulent site.

Data breach incident response attorneys say the most effective way to at least slow down the rate of successful social engineering attacks is training employees on how to combat their natural inclination to solve problems and help co-workers quickly, and taking extra steps to make sure they are truly communicating with a fellow employee.

"Although the tactics and techniques have become more sophisticated, these attacks nearly always start with unsolicited contact," said Kevin Scott, a counsel at Bryan Cave Leighton Paisner LLP who helps run the firm's hotline for data breach victims.

"A good way to defeat this would be to have a rule saying that when IT calls you and says they need your assistance, hang up and call back the known IT number," Scott said. "Attackers are always trying to prey upon the urgency of the situation, but it's essential to break that connection and say, 'Wait, let me call you back.'" 

--Editing by Breda Lund.

For a reprint of this article, please contact

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!