Technology continues to produce amazing things in many areas of life, from medicine to new law office software. But if you read all the headlines about “cyber attacks,” your instinct might be to shut down your computer and read a book. Still, as lawyers, we need to know about the very real threats out there that target lawyers specifically. For example, the FBI has repeatedly warned law firms that they are highly vulnerable to malware attacks. Large firms have already been hit, including two firms representing a number of Fortune 500 companies and Wall Street banks. Smaller firms are not immune. On the contrary, the Bar has received numerous reports from South Carolina small firms that have been successfully targeted by malware, including ransomware -- software that encrypts the data on the user’s computer or entire network. Unless you have a good, complete backup, you must pay the “ransom” if you want your data decrypted.
Ransomware is just one form of malware that usually enters a firm’s computers through “social engineering,” a fancy way of saying an employee was tricked into clicking on a link that unleashed the bad bug.
Security experts say that most attacks on computers these days are not “brute force” attacks but the result of social engineering. So, let’s examine some of these cybertricks, starting with phishing. Phishing can start with a phony email, purporting to be from someone it’s not, containing a link that allegedly goes somewhere it does not. (Spear phishing scams are emails that appear to come from someone you know who knows a little about you.) The trouble begins when you click on the link and land on an infected website, or the link itself may deliver the malware. It’s important to know that once you have clicked, the damage is done and can’t be undone.
One more type of phishing: a whaling attack. Users are made to believe they are receiving an e-mail from the head of the organization, but, as you probably guessed, the e-mail is from a phisher.
So, what’s a busy law office to do? First and foremost, educate everyone in the firm who touches a computer. Here are five ways to do that:
- Give employees a list of e-mail addresses throughout your firm and keep it updated when e-mail addresses change. Keep the list up to date when employees leave, someone gets married, or new employees join. If an employee receives an email that claims to come from inside the firm but is not on the official list, they should delete it.
- Train employees to understand domain names (generally the part of the Internet or email address that comes before “.com”). Phishers like to change real domain names slightly by adding a number or letter to the address. Make sure all employees routinely check domain names carefully.
- Train employees to know the popular “catch phrases” used by phishers and whalers, and avoid using these phrases in staff emails. Here are a few popular catch phrases:
  - Too busy to talk
  - Need the money fast
  - I said immediately
  - I would gladly pay you Thursday for _____ (fill in the need and the time)
- Train employees to be EXTRA careful when replying or sending e-mail to free e-mail accounts (examples include, but are not limited to, Gmail, Yahoo, Hotmail, etc.).
  - Phishers love to change e-mail addresses to look valid. For example, instead of an e-mail going to firstname.lastname@example.org, a phisher would make a phishing e-mail go to email@example.com. Notice the firm name has been completely removed.
  - Verify e-mail addresses with any sender/recipient who uses a free e-mail account. Pick up the phone and confirm that they were the authorized sender/recipient and that they are the only ones who can access this information.
- Hire an IT security professional to conduct a security and cyber-risk audit of your firm. For additional online security, take the following safety measures:
  - Ensure you back up files regularly and keep recent backups off-site
  - Lock down social media accounts
    - Set security settings on all accounts to the highest setting possible. Avoid making profiles public
    - Do not post unnecessary information like birthdays, information only you or close family would know, etc. Keep information to a minimum and keep your confidential information secret.
  - Train employees to use caution when opening unsolicited e-mail attachments
  - Patch and update all software and online tools
  - Use stronger passwords – at least fourteen characters and a mix of numbers, letters and symbols
  - Deploy strong spam filters that detect viruses, blank senders, etc.
  - Use security software including a firewall, antivirus software and web filters
  - Encrypt all sensitive company information and require employees to use encryption when sending company information
  - Make sure you have a good cyberinsurance policy
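The first, second and fourth tips above (check senders against the firm's official address list, watch for slightly altered domain names, and treat free e-mail accounts with suspicion) can be turned into a simple triage check. The following is an added example written for this article, not code from the South Carolina Bar; the firm domain, the free-mail domain list, the staff directory and the sample addresses are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (assumptions for this example, not from the article)
FIRM_DOMAINS = {"smithlaw.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# The firm's official address list (tip 1), keyed by the employee's name
FIRM_DIRECTORY = {
    "jane doe": "jane.doe@smithlaw.example",
    "bob roe": "bob.roe@smithlaw.example",
}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def domain_of(address):
    """Lower-cased domain part of an address, or None if it is malformed."""
    m = EMAIL_RE.match(address.strip().lower())
    return m.group(1) if m else None


def lookalike_firm_domain(domain):
    """True if the domain is not a firm domain but differs from one only
    slightly (an added or swapped character, the trick described in tip 2)."""
    if domain in FIRM_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, real).ratio() >= 0.85
               for real in FIRM_DOMAINS)


def check_sender(display_name, address):
    """Return the warnings an employee should act on for one From: header."""
    warnings = []
    domain = domain_of(address)
    if domain is None:
        return ["malformed address"]
    addr = address.strip().lower()
    name = display_name.strip().lower()
    # Tip 1: a firm-domain address that is not on the official list
    if domain in FIRM_DOMAINS and addr not in FIRM_DIRECTORY.values():
        warnings.append("claims firm domain but is not on the official address list")
    # Tip 2: a domain that is one character away from the real one
    if lookalike_firm_domain(domain):
        warnings.append("lookalike of firm domain: " + domain)
    # Tip 4: free e-mail account, especially one borrowing an employee's name
    if domain in FREE_MAIL_DOMAINS:
        warnings.append("free e-mail account: verify by phone before replying")
        if name in FIRM_DIRECTORY:
            warnings.append("display name matches employee '%s' but address lacks firm domain" % name)
    return warnings
```

A mail filter or a help-desk script can run `check_sender` over each inbound From: header and hold anything that returns a non-empty list for the phone verification the article recommends.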
Also, check out these other ways you can prevent phishing scams, whaling attacks and cybersecurity conundrums. Contact us to help answer any practice management or technology questions for free at firstname.lastname@example.org and don't forget to save the date for the upcoming LPM-TECH (Solo and Small Firm Conference) on September 16, 2016. There will be a variety of cybersecurity professionals on hand to discuss these topics plus more. Register now.
Written by: Courtney Kennaday, Director, PMAP and Emily Worley, PMAP Assistant, South Carolina Bar