Educated Users Are the Best Defense Against Phishing And Ransomware

By Eva Lorenz 

Ransomware has been an ongoing threat to law firms for years.[1] Once impacted by this form of attack, law firms struggle with issues such as how to pay ransom, which often requires some form of cryptocurrency (e.g., bitcoin). Alternately, if the firm elects not to pay the ransom, the issue becomes how to provide continuous service to its clients while staff cannot access important files from a down computer network.

While ransomware is a more recent threat compared to other forms of malware, the delivery vehicle used for such attacks has been around for decades. Most ransomware attacks start with a phishing email. Prior to ransomware, most phishing emails captured account credentials that attackers then repurposed for spam attacks. But with the advent of ransomware, attackers found a more lucrative outlet for their “creative” ideas. Studies predict there will be a ransomware attack on businesses every 14 seconds by the end of 2019, and by 2021, it’s projected that attacks will increase to every 11 seconds.[2] Educating users not to click on phishing emails is more important than ever and is a critical first step in preventing ransomware attacks. But what is the most effective way to train users to avoid the 1.5 million new phishing sites that are created each month?[3] In addition to regular security awareness training that explains how to pick a strong password, companies should amend their training to include phishing awareness.

Phishing emails have come a long way from the old days—when typos were standard and bad English reigned supreme—and it’s important that companies, including law firms, now step up users’ training on how to spot these “improved” phishing attempts. Graphics, such as the one below, can highlight the most common phishing tactics and provide users with basic awareness.

Familiarize users with how to determine the target for a hyperlink, understand URL domain information, and differentiate between a legitimate link for companyA.com and a (likely) malicious link leading to companyA.com.ransom.com. As in traditional social engineering attacks, ransomware relies on a sense of urgency, hoping that users in their haste will miss some of the suspicious components in the phishing email. It’s important that users understand that an attempt to quickly answer an email before leaving work may cause an interruption that lasts hours or days.

Since phishing emails have become so prevalent and attacks have become more sophisticated than in the past, many companies have begun augmenting staff training with in-house phishing campaigns. Companies, such as phishingbox.com or knowbe4.com offer a variety of templates that can be easily deployed and provide follow-up metrics. If an in-house phishing exercise seems too technical, IT service companies often offer such social engineering exercises for a fee. Law firms can pick an appropriate campaign, such as an Amazon-based email to coincide with “Prime Day,” and provide a user list to target; the IT service company provides the rest. Reports show relevant metrics, especially when several campaigns are run. As with security awareness, repetition is key for training users and minimizing the risk that they will respond to actual phishing emails—and, therefore, for preventing potential ransomware from finding a target in your firm.

No matter how prepared to handle phishing emails a company feels, ransomware may still find its way into the network. It’s essential that preparation take several forms. Good backups are the recommended solution to recover from ransomware. Since affected servers may stay encrypted if an organization opts out of paying the ransom, having good, recent backups will allow a company to switch to an older data set and continue work with minimal data loss. In addition, to minimize business interruptions from ransomware or other types of security incidents, it’s important for companies to have incident response procedures in place that outline not only external communication procedures—such as a website message during an outage—but also how backups will be restored and what will happen to affected servers and laptops.

As with any process that requires quick reaction, preparedness is key. Regularly updating the firm’s incident response procedures and properly training staff in incident response and how to spot indicators of phishing are steps a law firm can take now to minimize the risk of falling victim to ransomware and causing a prolonged business outage.


[1] B. Ambrogi, “Ransomware Attacks Hit Three Law Firms in Last 24 Hours,” LawSites (blog), February 1, 2020, https://www.lawsitesblog.com/2020/02/ransomware-attacks-hit-three-law-firms-in-last-24-hours.html.

[2] S. Morgan, “Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021,” Cybercrime Magazine (online) (October 21, 2019): https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/.

[3] “Nearly 1.5 Million New Phishing Sites Created Each Month,” Webroot.com, September 21, 2017, https://www.webroot.com/us/en/about/press-room/releases/nearly-15-million-new-phishing-sites.