They may not fall for an advance fee scam from an emailer claiming to be the widow of a Nigerian prince, but law firms have their issues with social engineering, too.
An early case hit a Connecticut personal injury law firm in 2008. They received an email, apparently from an attorney in North Carolina who said she was attempting to settle a debt a Chinese company owed a company based in Connecticut.
It appeared to be a straightforward collection issue. The director of the Chinese company signed a retainer agreement with the Connecticut law firm, sent them a $200,000 check drawn on Wachovia Bank, and subsequently instructed the law firm to wire payment to a South Korean bank, which they did.
The problem was this: the North Carolina attorney, the Chinese metallurgical firm, and the Connecticut company were all real, but none of them knew anything about the matter. They had, in fact, been impersonated, and the $200,000 check was bogus. The Connecticut law firm was out the money. The social engineering attack was complex, convincing, and played out over a couple of weeks.
That was unusual ten years ago. Unfortunately, today it's more common. Social engineers going after bigger phish do their homework and tailor their messaging for plausibility.
You might think that people as accustomed to dealing with the crooked timber of humanity as attorneys would be forearmed against most forms of fraud. But social engineering can be surprisingly persuasive.
Law firms and other professional companies with similar responsibilities (accounting firms come to mind) would benefit from a review of their policies, in particular how they confirm that incoming funds have actually cleared, and that a client's instructions are genuine, before wiring money out on a matter.
They would also benefit from realistic, interactive security awareness training for their partners, associates, and staff tailored to the kinds of scams they're too likely to encounter. The ABA Journal has the story: http://www.abajournal.com/news/article/nigerian_prince_email_scam_2.0_how_to_avoid_falling_victim_to_social_engine