NY AG Warns Law Firms About Phishing Scam

Dec. 1, 2016, 4:59 PM

New York’s Attorney General Eric Schneiderman issued a warning on Wednesday about a phishing scam in which hackers pose as representatives from his office and target attorneys.

In Schneiderman’s press release, he quotes a phony email in which the hackers suggest a complaint has been filed against the recipient’s law firm.

“My reaction to this is it’s just another slight variation of sort of a longstanding phishing scam,” said Timothy Blank, head of Dechert’s data security and privacy practice group. “The only difference is that it pretends to come from the attorney general but it would take you half a second to figure out it’s a fraudulent email.”

Blank did not receive the email but said he would have caught it as fraud immediately based on the weird salutation, ‘Dear Bar Member,’ the email address from an outlook account and a half-dozen other factors.

Although such phishing scams have been around for years, he said they continue to exist because they are cheap and successful.

Ronald Sarian, general counsel of eHarmony, spoke about the subject at the Big Law Business Summit in Los Angeles earlier this year. He spoke of one instance in which eHarmony discovered a phishing scam.

“Our accounting department got an email which purported to be from Neil Clark Warren who is the CEO and Chairman of the board of the company... and it said, ‘I’m doing a salary review, can you please send me the W2s for all the employees.’”

[Full video below, with Sarian phishing comments at 28:00]


The goal of such emails is to get the recipient to click a link or open an attachment, through which the hacker can gain access to the recipient’s computer or the firm’s server and to any sensitive information stored there, such as credit card data and Social Security numbers.

“The fact is that 99.9 percent of the people that receive these recognize them as garbage, but if you send enough of them you’ll find somebody to click on it,” said Blank.

These phishing scams have helped fuel a black market for bulk email addresses. For instance, when Yahoo was hacked this summer, as many as 500 million email accounts may have been stolen.

“When you read about these massive data breaches, and it’s like well they only got email addresses, they didn’t get my credit card numbers,” said Blank. “That may be true, but then your email address then gets sold on the black market.”

He added, “If you have a million or 50 million email addresses, even if you get 1/10 of one percent, that’s something.”

Laura Jehl, a co-leader of Sheppard Mullin’s privacy and data security group, described phishing scams as almost “incessant.”

“The AG warning doesn’t say what kind of malicious software is installed when the recipient clicks on the link, but it’s most likely ransomware, which encrypts the recipient’s files and demands payment to unlock them. I have seen recent statistics indicating that more than 90% of phishing emails contain links that install ransomware,” Jehl said by email, noting she did not receive the email.

The AG lists more tips for beating phishing scams in his press release. The full text of the email is below:

From: The Office of The State Attorney
Date: Wed, Nov 30, 2016 at 10:37 AM
Subject: The Office of The State Attorney Complaint
To: Bar Member

Dear Bar Member:

A complaint has been filed against your Business.

Enclosed is a copy of the complaint which requires your response. You have 10 days to file a rebuttal if you so desire.

You may view the complaint at the link below.


Rebuttals should not exceed 15 pages and may refer to any additional documents or exhibits that are available on request.

The Office of The State Attorney cannot render legal advice nor can The Office of The State Attorney represent individuals or intervene on their behalf in any civil or criminal matter.

Please review the enclosed complaint. If filing a rebuttal please do so during the specified time frame.


The Office of The State Attorney
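The red flags Blank describes (a government office writing from a consumer webmail account, a generic "Dear Bar Member" salutation, a deadline and a link to click) can be turned into a simple mail-filter check. The code below is an added example, not part of the article or the AG's press release; the sample message is constructed to match the quoted email, and the outlook.com address and URL in it are placeholders, not the real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the article.
# The sender address and URL are placeholders, not the real ones.
SAMPLE = """From: The Office of The State Attorney <example.sender@outlook.com>
Date: Wed, 30 Nov 2016 10:37:00 -0500
Subject: The Office of The State Attorney Complaint
To: Bar Member <recipient@example.com>

Dear Bar Member:

A complaint has been filed against your Business.
You have 10 days to file a rebuttal if you so desire.
You may view the complaint at the link below.
http://example.invalid/complaint
"""

# Constructed benign message for contrast.
LEGIT = """From: Jane Colleague <jane@example.com>
Subject: Lunch

Hi Tim, are we still on for noon?
"""

CONSUMER_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
GENERIC_SALUTATION = re.compile(r"^dear (bar member|customer|user|sir/madam)", re.I | re.M)
OFFICIAL_WORDS = re.compile(r"attorney general|office of the (state )?attorney", re.I)
DEADLINE = re.compile(r"\b\d+\s+days?\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def phishing_indicators(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()  # single-part message: payload is the text body
    flags = []
    # A government office would not mail from a free consumer webmail domain.
    if OFFICIAL_WORDS.search(name) and domain in CONSUMER_WEBMAIL:
        flags.append("official sender name on consumer webmail domain")
    if GENERIC_SALUTATION.search(body):
        flags.append("generic salutation")
    if DEADLINE.search(body):
        flags.append("deadline pressure")
    if URL.search(body):
        flags.append("link in body")
    return flags
```

A message that trips several of these checks is a candidate for quarantine or a user warning banner rather than outright rejection, since any one indicator alone also appears in legitimate mail.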
