Sign up for our free newsletter.
QUESTION: I’ve read some recent horror stories of law offices being taken by online scam artists. The scams have ranged from lawyers being tricked into wiring money to the wrong bank in a real estate deal, to scammers holding the law firm’s computer files for ransom after they gained access to them with ransomware.
We are a small firm that outsources our IT services to a consultant since we’re too small for an in-house employee. I’m concerned these cybercriminals are more likely to target small firm and solo lawyers who may not have the updated hardware, software or know-how to identify and avoid these scams.
What are the best, and preferably affordable, ways to protect our office, and in turn protect our clients, from phishing scams and other online threats?
ANSWER: Cybercriminals can use phishing attacks to obtain credentials and move through your office’s digital environment (including computer data that’s in the cloud) as if they were the authorized user. Often through phishing emails and fake websites, unsuspecting users are persuaded to reveal their login information or install malware.
From there, attackers can access and control the data, sometimes even doing so for months without detection. They might delete files or hold them for ransom by encrypting them until you pay up. If the attackers have the proper credentials, virus protection and some security controls can offer little help.
Identifying and avoiding malware, ransomware and phishing email attacks needs to become a routine part of your office’s operations and training, regardless of your organization’s size. By learning how to spot the telltale signs of phishing, you can maintain your reasonable due diligence to protecting your office’s and clients’ information. This is especially important if you live in one of the 35-plus states that have adopted ABA Model Rule 1.1 requiring attorneys to keep abreast of changes in law and its relation to technology.
Likewise, ABA Model Rule 1.6(e) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Such access prevention responsibilities extend, of course, beyond the information sitting in file folders on your desk. The confidential client information transmitted via electronic means must be properly safeguarded, demanding that you employ, supervise and oversee those with access to your data with the same reasonable efforts (see Model Rule 5.3).
Cybercriminals continue to bombard us with new tricks and ploys to get victims to grant access to otherwise protected accounts and data, often through phishing emails. A variation of this scam — spear phishing — takes a more targeted approach to a specific person or organization. Roughly $500 million a year is being scammed from phishing attacks alone, according to the FBI. And those are just the cases law enforcement knows about.
Be ready, as the spam emails and unsolicited business opportunities that seem too good to be true will continue to come. Here are some helpful tips along with more advice about protecting the information of your organization and clients.
Use two-factor or multifactor authentication. Just like protecting yourself and your valuables at home, no level of defense can offer complete protection. But the more layers of defense you can apply, the more difficult it will be for a break-in to happen. The extra layer of defense also may serve as a deterrent to would-be hackers. Learn more about how to use two-factor authentication in your business and personal dealings.
Use VPNs for security. Virtual private networks (VPNs) help secure privacy and data, especially when you are operating over a public access point. For example, if you’re in a coffee shop or hotel checking emails or surfing online (often for free), your information is “open” for someone with the right software and hardware to track and access your data flow. Activating a VPN on your computer or device will greatly help encrypt your communication flow. Many affordable VPN services are available.
Use secured communication for important information. Phishing emails can direct you to a webpage that is specifically constructed, as a fake, to look exactly like the authentic page, tricking you to input your login, password and more. Whether it’s financial or personal information you wouldn’t want a stranger to see, be absolutely sure that the website you are using is legit.
Start by looking for a secure website that starts with “https,” often with a locked lock symbol in the browser address bar. When in doubt, start at the company’s main webpage to navigate to the login or input webpage you need, instead of relying on a direct link from an email. If you decide to call to confirm the website’s validity, look up the phone number independently instead of relying on any phone number provided in the (phishing) email.
Keep your computer updated. Cyberattackers not only use ever-changing techniques to hack into your data, they use ever-changing code. Your operating system maker (Microsoft or Apple) has dedicated software engineers creating updates to better protect you from malicious attacks.
Check for updates often and install/reboot whenever you find new ones. Microsoft releases regular software updates via Windows Update and they can be done automatically behind the scenes.
Use antivirus software. Various software tools can be used to prevent, detect and remove spyware, adware, ransomware and malware threats. A good antivirus program that incorporates anti-spyware, anti-adware, and anti-ransomware protections will help keep you safe. Just like your system software, keep it updated by downloading and installing the updates as they become available.
Be suspicious of pop-ups. Pop-up windows often impersonate components of a website. They can be just another phishing tool to redirect you to an unscrupulous website or start an unauthorized download. Popular browsers give you far better control of pop-ups these days, including on a case-by-case basis from legitimate pages.
When you do suspect a pop-up, pay extra attention to clicking the correct “x” button to close it. Do not click the Cancel or OK button or otherwise. Look for the small “x” in the upper corner of the pop-up or, when in doubt, close and restart the browser program.
Use caution with all emails. Here are things to keep your eye on:
Keep these tips in mind as you navigate your online and email communication portals. You are likely the weakest link in maintaining cybersecurity. Technology providers are constantly updating their software protections to shield us, but we — the users — must practice prevention to avoid a data breach. For lawyers, technology competency is demanded of us.
About the Illinois Supreme Court Commission on Professionalism
The Commission on Professionalism was established by the Illinois Supreme Court in September 2005 to foster increased civility, professionalism, and inclusiveness among lawyers and judges in the state of Illinois. By advancing the highest standards of conduct among lawyers, we work to better serve clients and society alike. These duties we uphold are defined under Supreme Court Rule 799(c). For more information, visit 2Civility.org, the Illinois Supreme Court Commission on Professionalism’s website.
Sign up for our free newsletter.
Legal technology pros Sheila Blackford, Jim Calloway, Anne Haag and Sharon Nelson share some favorite bits from this year's conference and expo.March 8, 2019 0 0 0