“Social engineering” is the human side of hacking; it does not involve cracking passcodes or infiltrating networks. Instead, it uses information a bad guy may have gained, for instance, by using a public search engine to find out about a partner, associate, employee or client, or even a case or a corporate or real estate transaction. Armed with accurate information that was easily uncovered from routine Internet searches, the bad guy convinces an individual to click on a malicious (though seemingly bona fide) file directed at them.
Once the file is clicked, all the external “super” defenses the law firm has put in place, such as firewalls, spam filters and dual authentication, have little chance of stopping the theft. Social engineering is targeted at all levels of a firm, from the receptionist, paralegals, accounting staff and lawyers to even the firm’s information technology professionals. It is the single most effective and actively used method by the bad guys in targeting law firms. It is also the cheapest and easiest to effectuate, thus allowing even low-level crooks to be successful.
Source: New York Law Journal