Biglaw Phishing Scam Results In Identity Theft

The mistake was caught by the firm when employees started reporting they were victims of fraud.

We’ve said it before, and we’ll say it again — law firms have to be on top of their cybersecurity. That includes making sure client data is secure (obviously), protecting the firm network from hackers, and educating their employees about best practices. It seems there’s been a breakdown in that last area at one Biglaw firm.

Fresh off of news the firm had been one of almost 50 targeted by Russian hackers, we’ve learned that Proskauer Rose has fallen victim to a phishing scam that has left the personal information of its employees in the hands of criminals.

According to our tipster, firm employees were notified last week that a fraudulent email to the payroll department, purporting to be from a firm executive, resulted in firm W-2s being sent to phishers. The leaked information included the full names and social security numbers for the employees. The mistake was caught by the firm when employees started reporting they were victims of fraud.

[S]ome employees had reported that tax returns had been filed in their names by unauthorized individuals in acts of identity theft. [A firm] email requested that anyone else affected report their problem, which resulted in a number of other employees advising that they too had experienced similar tax return fraud.

Yikes. As if tax season wasn’t stressful enough, you might also find out you are the victim of identity theft! Fun times.

Though it is unclear what, if any, proactive steps Proskauer is taking to make sure a similar issue doesn’t happen again, the firm is being responsive to the issue, assisting affected employees and working with law enforcement. The firm responded to our inquiry about the incident with the following statement:

On March 31, we learned that 2015 W-2 tax form information for certain employees was disclosed to an unauthorized third party in response to an email that fraudulently purported to be a legitimate request from one of our senior executives. The information was not obtained through any breach of our information technology systems or information technology security, and the incident bears no relation to recent reports of cyberattacks on law firms. No client or other firm data were affected in any way by this isolated incident.

We have notified law enforcement authorities, and are working with outside advisors and our internal staff to mitigate any potential harm or inconvenience that may be caused to our employees. Among other support, we are assisting all potentially affected employees with appropriate government filings. We also are offering two years of free identity recovery services to all U.S. employees, whether or not they currently appear to be affected.

We are committed to assisting our employees and taking steps to ensure that an incident like this does not happen again.


At least employees aren’t being left to twist in the wind after their data was compromised, but this serves as a sobering reminder for all law firms.

Earlier: 7 Cybersecurity Tips For Lawyers
Beware Of Big Hacking In Biglaw
