QUESTION: I’ve read some recent horror stories of law offices being taken by online scam artists. The scams have ranged from lawyers being tricked into wiring money to the wrong bank in a real estate deal, to scammers holding the law firm’s computer files for ransom after they gained access to them with ransomware.
We are a small firm that outsources our IT services to a consultant since we’re too small for an in-house employee. I’m concerned these cybercriminals are more likely to target small-firm and solo lawyers who may not have the updated hardware, software or know-how to identify and avoid these scams.
What are the best, and preferably affordable, ways to protect our office, and in turn protect our clients, from phishing scams and other online threats?
ANSWER: Cybercriminals can use phishing attacks to obtain credentials and move through your office’s digital environment (including computer data that’s in the cloud) as if they were the authorized user. Often through phishing emails and fake websites, unsuspecting users are persuaded to reveal their login information or install malware.
From there, attackers can access and control the data, sometimes even doing so for months without detection. They might delete files or hold them for ransom by encrypting them until you pay up. If the attackers have the proper credentials, virus protection and some security controls can offer little help.
Identifying and avoiding malware, ransomware and phishing email attacks needs to become a routine part of your office’s operations and training, regardless of your organization’s size. By learning how to spot the telltale signs of phishing, you can maintain reasonable due diligence in protecting your office’s and clients’ information. This is especially important if you live in one of the 35-plus states that have adopted ABA Model Rule 1.1 requiring attorneys to keep abreast of changes in law and its relation to technology.
Likewise, ABA Model Rule 1.6(e) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Such access prevention responsibilities extend, of course, beyond the information sitting in file folders on your desk. The confidential client information transmitted via electronic means must be properly safeguarded, demanding that you employ, supervise and oversee those with access to your data with the same reasonable efforts (see Model Rule 5.3).
Pointers for Protecting Your Important Data
Cybercriminals continue to bombard us with new tricks and ploys to get victims to grant access to otherwise protected accounts and data, often through phishing emails. A variation of this scam, spear phishing, takes a more targeted approach aimed at a specific person or organization. Phishing attacks alone cost victims roughly $500 million a year, according to the FBI. And those are just the cases law enforcement knows about.
Be ready, as the spam emails and unsolicited business opportunities that seem too good to be true will continue to come. Here are some helpful tips along with more advice about protecting the information of your organization and clients.
Use two-factor or multifactor authentication. Just like protecting yourself and your valuables at home, no level of defense can offer complete protection. But the more layers of defense you can apply, the more difficult it will be for a break-in to happen. The extra layer of defense also may serve as a deterrent to would-be hackers. Learn more about how to use two-factor authentication in your business and personal dealings.
Use VPNs for security. Virtual private networks (VPNs) help secure privacy and data, especially when you are operating over a public access point. For example, if you’re in a coffee shop or hotel checking emails or surfing online (often for free), your information is “open” for someone with the right software and hardware to track and access your data flow. Activating a VPN on your computer or device encrypts your traffic between the device and the VPN provider, so someone on the same public network cannot read it. Many affordable VPN services are available.
Use secured communication for important information. Phishing emails can direct you to a webpage that is specifically constructed, as a fake, to look exactly like the authentic page, tricking you to input your login, password and more. Whether it’s financial or personal information you wouldn’t want a stranger to see, be absolutely sure that the website you are using is legit.
Start by looking for a secure website whose address starts with “https,” usually shown with a padlock symbol in the browser address bar. Keep in mind that “https” only confirms the connection is encrypted, not that the site belongs to who it claims, so also read the domain name in the address bar carefully. When in doubt, start at the company’s main webpage to navigate to the login or input webpage you need, instead of relying on a direct link from an email. If you decide to call to confirm the website’s validity, look up the phone number independently instead of relying on any phone number provided in the (phishing) email.
Keep your computer updated. Cyberattackers not only use ever-changing techniques to hack into your data, they use ever-changing code. Your operating system maker (Microsoft or Apple) has dedicated software engineers creating updates to better protect you from malicious attacks.
Check for updates often, and install them (and reboot) whenever new ones appear. Microsoft releases regular software updates through Windows Update, which can install them automatically in the background.
Use antivirus software. Various software tools can be used to prevent, detect and remove spyware, adware, ransomware and malware threats. A good antivirus program that incorporates anti-spyware, anti-adware, and anti-ransomware protections will help keep you safe. Just like your system software, keep it updated by downloading and installing the updates as they become available.
Be suspicious of pop-ups. Pop-up windows often impersonate components of a website. They can be just another phishing tool to redirect you to an unscrupulous website or start an unauthorized download. Popular browsers give you far better control of pop-ups these days, including on a case-by-case basis from legitimate pages.
When you do suspect a pop-up, pay extra attention to clicking the correct “x” button to close it. Do not click Cancel, OK or any other button inside the pop-up, since any of them may trigger the download. Look for the small “x” in the upper corner of the pop-up or, when in doubt, close and restart the browser program.
Use caution with all emails. Here are things to keep your eye on:
- The “From” address: Make sure the sender’s name matches the email address and that the address does not carry an unfamiliar domain. You may hover over the sender entry, or over links within the email, to see the full email address or discover the real destination of a link in the body of the email. If in doubt, delete it without opening it.
- Greetings: A classic phishing giveaway is a vague greeting such as “Hi there” or “Dearest Sir.” These are likely mass emails. Nevertheless, targeted spear phishing may use an accurate salutation with your name, so it should just be one factor to consider.
- Spelling and grammar: Poor grammar and spelling mistakes should raise an eyebrow. Sometimes hackers aren’t the best email composers, and sometimes they are purposely trying to bypass spam filters.
- Promises of money or prizes: Do you really think you’re going to get a $1 million lotto announcement via an email? Would your bank want you to “update your records” or “log in for an important message”? Always be suspicious and confirm via another communication channel if you’re unsure.
- Valid email address but an odd message or links: Probably most dangerous is when an email does come from a legitimate account but that person or organization has been hacked. Emails with attachments and links deserve extra scrutiny, even from a known friend or colleague. Pick up the phone and call to confirm when something is odd or unexpected. (Don’t reply to the email to ask; if the account is compromised, you would be asking the hacker.) Do not open the attachments or click links without confirming.
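The email checks above (sender name versus address domain, generic greeting, lure phrases, and a link’s visible text versus its real destination, including the “https” check) can be applied mechanically before a person ever opens a message. The script below is an added example, not part of the original column or any product; it runs against a constructed sample message, and the trusted-domain list is an assumption a firm would fill in for itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing the warning signs listed above.
SAMPLE = """From: "First National Bank" <alerts@firstnational-secure-login.example>
To: you@lawfirm.example
Subject: Important message: log in to update your records
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Please <a href="http://198.51.100.7/login">https://www.firstnational.example/login</a>
to update your records.</p></body></html>
"""

TRUSTED_DOMAINS = {"firstnational.example"}   # assumption: senders the office already knows
GENERIC_GREETINGS = ("dear customer", "hi there", "dearest sir", "dear user")
LURE_PHRASES = ("update your records", "log in for an important message", "lotto")

TAG_RE = re.compile(r"<[^>]+>")
# Captures each link's real target (href) and the text the reader actually sees.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S)

def phishing_indicators(raw):
    """Return a list of warning signs found in a raw email message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain!r} is not a known domain for {name!r}")
    findings += [f"generic greeting {g!r}" for g in GENERIC_GREETINGS if g in text]
    findings += [f"lure phrase {p!r}" for p in LURE_PHRASES if p in text]
    for href, shown in LINK_RE.findall(body):
        shown = TAG_RE.sub("", shown).strip()          # what "hovering" would reveal
        real = urlparse(href)
        if shown.startswith("http") and urlparse(shown).hostname != real.hostname:
            findings.append(f"link text shows {shown!r} but goes to {href!r}")
        if real.scheme != "https":
            findings.append(f"link {href!r} is not https")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("WARNING:", finding)
```

An empty result means none of the listed signs were found, not that the message is safe; a spear-phishing email with a correct salutation and a compromised but genuine sender address will pass, which is why the advice above still ends with a phone call.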
Keep these tips in mind as you navigate your online and email communication portals. You are likely the weakest link in maintaining cybersecurity. Technology providers are constantly updating their software protections to shield us, but we — the users — must practice prevention to avoid a data breach. For lawyers, technology competency is demanded of us.
About the Illinois Supreme Court Commission on Professionalism
The Commission on Professionalism was established by the Illinois Supreme Court in September 2005 to foster increased civility, professionalism, and inclusiveness among lawyers and judges in the state of Illinois. By advancing the highest standards of conduct among lawyers, we work to better serve clients and society alike. These duties we uphold are defined under Supreme Court Rule 799(c). For more information, visit 2Civility.org, the Illinois Supreme Court Commission on Professionalism’s website.