Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the
nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the
company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

For the sake of your clients, I hope you, and every other person who works at your firm, know full well what phishing attacks are and at least the basics of how these email attacks can be thwarted.  If not, it’s way past time for everyone to come up to speed, and I strongly encourage you to do so posthaste!  Here’s why.  Phishing attacks also occur in the text messaging space.  This type of scam is called smishing.  Think SMS phishing.  Just as with email, cyber criminals are applying social engineering tactics to text messaging and it’s a serious threat.

Smishing is particularly problematic because people are more inclined to trust a text message than an email and are less aware of the security risks surrounding text messages.  Basically, what happens is cyber criminals obtain phone numbers that have been exposed as a result of a data breach, or they use web crawlers to gather numbers from social media sites, or they may even just use a random number generator.  Then they start sending out text messages trying to trick recipients into clicking on a link or calling a number as they attempt to capture login credentials or have the recipient unwittingly download a malicious app.  Making matters worse, the number the text message appears to originate from can be a spoofed phone number, meaning it appears to be coming from a reputable source when it actually isn’t.

In order to help you and everyone else at your firm from becoming yet another victim of a smishing attack, here are a few tips that can make a world of difference if taken to heart.

1) Remember smart phones are computers.  They need to be protected with a security app just like all your other computers.  If you don’t already have a reputable security app running on your smart phone, get one now.

2) Don’t trust text messages that attempt to get you to reveal sensitive information, especially if the text contains a portion of your credit card or bank account number.  This kind of information can be obtained as a result of data breaches and is sometimes used to try to convince recipients that the text is legitimate when it actually isn’t.

3) Always log in to any online accounts through your phone’s browser or through a company’s mobile app that has been previously installed.  Never click on an unexpected link in a text to start the log in process.

4) If the text appears to be coming from a reputable company, but still seems suspicious, call the company’s customer service number after looking it up on the official company website.  If they confirm that it’s not from them, just delete the text.

5) Treat text messages with the same level of suspicion that should be in play with email, particularly ones that try to play with your emotions.  In other words, stop and think before you click on any links or provide any information.  If you let your emotions get the best of you, you risk enabling the download of a malicious app or you’ve just turned over sensitive information to someone who definitely doesn’t have your best interests at heart.

6) Don’t reply to suspicious texts even if the text itself says “text stop” to stop receiving messages.  If nothing else, replies confirm that the phone number is an active number and more smishing attempts will surely follow.

7) Always be on the lookout for similar tactics in platforms like What’s App, Facebook Messenger Instagram, and the like.

8) And finally, use a VPN.  VPNs can help spoof your actual location which may make it easier to spot a few text scams that rely on their appearing to be from a local number.  In addition, by encrypting your data stream, even if your phone is, or eventually becomes, infected with a malicious app, the scammer may be unable to obtain anything of value because the data stream is encrypted.

To learn more about ALPS Lawyers’ Malpractice Insurance, please visit