According to a February 2017 American Bar Association press release, “cyber-related risks have escalated based on the sensitivity and nefarious uses of that data. Last year, for example, the Manhattan U.S. attorney’s office unsealed indictments against three Chinese men who are accused of using stolen law firm employee credentials to access troves of internal emails at two law firms. The men, according to prosecutors, used details they obtained from partners’ emails about pending deals to make more than $4 million in illegal stock trades.” Odds are, the hackers stole the employee credentials through a scam.
Scams resulting in access to confidential information are probably a lawyer’s greatest technology and cybersecurity risk. Legal ethics require lawyers to protect clients’ confidentiality and to practice law competently, which requires knowing enough about cybersecurity to limit vulnerability to scams. Hackers are probably more likely to gain access to a lawyer’s computer systems through human error, usually someone responding to a scam, than through a brute-force attack on the computer system.
What are today’s technology risks for lawyers? In addition to avoiding scams, every lawyer should consider password fundamentals, mobile security and computer system security. In the past, I have written about password fundamentals and mobile security and about computer system security. Here, in this article, the focus is on avoiding scams.
Avoiding Scams: Practical Considerations for Lawyers
Avoiding scams sounds almost too obvious to discuss as an ethics issue that lawyers should consider. Nonetheless, when people say their computer has been hacked, they probably mean the hacker deceived someone into allowing direct access to the computer or into sharing a password. A lawyer should learn how to detect and to avoid such scams and should train his or her staff on how to do the same.
Because secure computer systems are difficult to access from outside, hackers often attempt to gain access by deceiving someone. Generally, hackers use two deceptive methods: (1) sending phishing and spoofing emails, which urge the email recipient to respond; or (2) using malware that a recipient downloads with games or other apps, or picks up by opening infected email attachments or infected thumb drives, or by visiting unsafe websites that infect the computer viewing them.
With a phishing email, the sender is fishing for information to use for whatever purposes the sender can imagine. Spoofing is creating a deceptive phishing email that looks like it is sent by a legitimate business — for example, a bank. Many phishing emails spoof a specific business’ emails, often with an email address that looks like the spoofed business’ email address.
If one hovers a cursor over (do not click) an email sender’s name, the sender’s email address and its domain name are shown. For an email with links, if one hovers a cursor over (do not click) a link, the link’s internet website address (uniform resource locator or “URL”) is shown. The domain name or the URL should match what one expects. A creative spoofing email might use names that are close to those being spoofed, but with slight differences; for example, “bradlley” with two ls, rather than “bradley” with one l. If an email’s sender domain name or link URLs make one suspicious, the email is probably a phishing attempt.
Malware is short for malicious software. It includes computer viruses, worms, trojan horses, ransomware, spyware and other malicious programs.
As an example, arguably one of the 10 worst computer viruses of all time, the Melissa virus first appeared in 1999. Emails with an attachment spread this computer virus. After a Melissa virus email recipient opens the attachment, the virus replicates itself by creating emails with the same attachment and sending them to the first 50 addresses in the recipient’s Outlook address book. Unless contained, the Melissa virus can shut down email systems by flooding them with the resulting volume of email.
Today, probably the most serious malware risk is ransomware. Ransomware stops one from normally using an infected computer and requires doing something before normal computer use returns. Usually, ransomware requires paying money (a “ransom”) to the hacker. Ransomware can encrypt files making them unusable, can prevent access to Windows, or can stop certain apps from working.
According to a Microsoft report, ransomware attacks in the United States averaged 4,000 per day, costing over $200 million in the first three months of 2016. For example, in February 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems. A September 2016 article reported that two-thirds of ransomware infected companies in the United Kingdom pay ransomware demands, but not all get their data back.
As part of “How do I remove ransomware from my PC,” Microsoft offers suggestions for removing some ransomware. The FBI also has a publication with suggestions. While the FBI used to advise paying the ransom if no other alternatives were available, it has since changed position and now recommends not paying bitcoin ransom to extortionists.
When considering safeguards to protect against malware, the types of computers at risk include servers, desktops, laptops, tablets, smart phones or any other device that can download data or access the internet. Lawyers should be able to reduce malware risks, including ransomware risks, with the following steps:
- Do not open risky emails or email attachments.
- Do not click on risky links in emails or websites.
- Do not download games or non-work apps.
- Do not open risky thumb drives or CDs.
- Do not visit unsafe, suspicious or fake websites.
- Block unsafe, suspicious or fake websites.
- Install up-to-date antivirus and security software.
- Update software and replace if it can no longer be updated.
- Separate work and personal computer use.
- Back up important files in a remote, unconnected facility.
In the first quarter of 2016, PhishMe reported that 93 percent of phishing emails were related to ransomware. For emails, what are red flags indicating that an email is risky? Be wary of any email that:
- Asks for your login and password
- Asks you to click on a link and enter or change a password
- Asks you for confidential information, such as your Social Security number
- Asks you for personal information, such as account numbers
- Purports to be from the IRS, a court, or other government entity
- Purports to be from a financial institution or healthcare provider
- Has a suspicious or misspelled sender email address or domain
- Has links with suspicious URL addresses
- Has a generic, unusual or incorrect name in the greeting
- Makes an urgent request with a short deadline, such as 24 hours
- Requests you click on unfamiliar links
- Requests you download a file, especially an .exe file
An email that asks for your login and password should be an obvious red flag. Providing your login and password is always very risky, and replying to an email with that information is worse. Yet people must keep doing it, because phishing emails keep asking for that information.
An email that asks you to click on a link and then enter or change your password should be another obvious red flag. Yet, Motherboard reported that a hacker accessed the email accounts of John Podesta and Colin Powell with a phishing email using just such a link. Their hacked emails eventually became a topic of discussion before the November 2016 election.
In addition to emails, most of the above red flags also apply when considering whether a link, website or social media post is risky. Using common sense can help, too.
Some email scams are even more sophisticated. “Social engineering” refers to psychologically manipulating people into performing actions or disclosing confidential information. Victims are often motivated by wanting to help. In this context, social engineering might entail the hacker learning enough about a law firm to pose as the managing partner and sending a “spear phishing” email to the firm’s controller. Avoiding sophisticated scams may require slowing down, doing some research, and using some common sense before you act.
Another email safeguard is to have a warning, such as “External Email,” added as the top line of the message for every email received from an outside sender. The warning should highlight internally any attempt at spoofing the lawyer’s own emails, as well as remind the lawyer and his or her staff to be careful generally.
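Several of the checks described above can be automated: reading the sender’s real domain and a link’s real URL (what hovering reveals), catching near-miss spellings such as “bradlley” for “bradley,” scanning for the red flags in the list above, and adding an “External Email” warning to messages from outside senders. The following Python screener is an added example written for this page; it is not code from the original article or from any vendor. The firm domain `examplelawfirm.com`, the trusted domain `examplebank.com`, the keyword lists and both sample messages are constructed placeholders, and the edit-distance threshold of 2 is a choice made here, not a standard.

```python
# Added example: heuristic phishing screener and External Email tagger.
# examplelawfirm.com, examplebank.com and both sample messages are constructed.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"examplelawfirm.com"}                 # constructed placeholder
TRUSTED_DOMAINS = INTERNAL_DOMAINS | {"examplebank.com"}  # constructed placeholder
URGENCY_WORDS = ("24 hours", "immediately", "urgent", "suspended")
CREDENTIAL_WORDS = ("password", "login", "social security", "account number")
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def sender_domain(msg: Message) -> str:
    """Domain of the From address (what hovering over the sender name reveals)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def url_domain(url: str) -> str:
    """Hostname of a URL (what hovering over a link reveals)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'bradlley' vs 'bradley' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that this one nearly, but not exactly, matches (threshold 2 is a choice)."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in sorted(TRUSTED_DOMAINS) if edit_distance(domain, t) <= 2), None)

def body_text(msg: Message) -> str:
    """Decoded text of all non-attachment text parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def screen(raw: str) -> List[str]:
    """Red flags from the article's list found in one raw RFC 5322 message, in fixed order."""
    msg = message_from_string(raw)
    body = body_text(msg)
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    # Misspelled sender domain that imitates one we trust (spoofing).
    sender = sender_domain(msg)
    target = lookalike_of(sender)
    if target:
        flags.append(f"sender domain {sender!r} resembles trusted {target!r}")
    # Link text shows one domain while the href points to another.
    for href, label in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if URL_LIKE_RE.fullmatch(shown) and url_domain(shown) != url_domain(href):
            flags.append(f"link shows {url_domain(shown)!r} but points to {url_domain(href)!r}")
    # Pressure to act quickly, and requests for credentials or personal data.
    for kind, words in (("urgent language", URGENCY_WORDS), ("asks for credentials", CREDENTIAL_WORDS)):
        hits = [w for w in words if w in lowered]
        if hits:
            flags.append(f"{kind}: " + ", ".join(hits))
    # Executable attachments.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            flags.append(f"risky attachment {name!r}")
    return flags

def tag_external(raw: str) -> Message:
    """Add an External Email warning to the Subject and the top of the body of outside mail."""
    msg = message_from_string(raw)
    if sender_domain(msg) in INTERNAL_DOMAINS:
        return msg
    subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject
    if not msg.is_multipart() and msg.get_content_maintype() == "text":
        msg.set_payload("External Email: sent from outside the firm.\n\n" + msg.get_payload())
    return msg

# Constructed sample messages: a spoofed "helpdesk" note and a routine internal one.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@examplelawfrim.com>
Subject: Urgent: password reset required within 24 hours
Content-Type: text/html

<html><body>Your login will be suspended. Verify your password at
<a href="http://examplelawfrim.com/reset">https://examplelawfirm.com/reset</a></body></html>
"""
SAMPLE_CLEAN = """\
From: "Jane Partner" <jane@examplelawfirm.com>
Subject: Draft agreement
Content-Type: text/plain

Attached is the draft we discussed.
"""

if __name__ == "__main__":
    print(screen(SAMPLE_PHISH), screen(SAMPLE_CLEAN))
    print(tag_external(SAMPLE_PHISH)["Subject"])
```

On the constructed phishing sample the screener reports four flags: a sender domain two edits away from the firm’s own, a link whose visible text and real destination disagree, urgent language, and a request for credentials. The clean internal message produces none and is left untagged, while the outside message gets the “[EXTERNAL]” subject prefix and the banner line. Keyword matching of this kind is deliberately coarse; it is meant to support the human judgment the article recommends, not replace it.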
If a ransomware or other computer infection is detected, a lawyer should, like any other business, quickly assess what happened, determine what is affected, and contain and limit the damage. Hopefully, a lawyer has a plan for such a breach, including segregated backups that can be accessed and used to restore clean data. A lawyer should also consider preserving evidence about the source of the breach, for later use by law enforcement. Another consideration is communications to clients, courts and the public. A lawyer should not only consider having a plan in case of a breach, but also testing that plan, which might entail hiring a consultant.
Safeguarding information is not just for the information technology department or even just for the IT department and lawyers. A lawyer should consider having a technology risks training program for all who have access, through the lawyer’s computer systems, to the internet or to emails. While a cliché, a chain is only as strong as its weakest link. A hacker usually has as much access to a lawyer’s computer system through a staff member’s responding to a phishing email as when a lawyer does so. Important safeguards include not only staff training, but also monitoring and testing to see if staff is complying with that training.
To avoid scams, cybersecurity requires constant attention and training. As emphasized by the ABA Model Rules’ 2012 technology amendments, an ethical lawyer should have reasonable technological competence. Competence requires a lawyer to use good judgment, taking reasonable steps to reduce technology risks and to safeguard information. And a lawyer should not only personally safeguard confidential data, but should also train his or her staff to do the same.
Republished with permission. This article, "What Lawyers Should Know To Avoid Online Scams," first appeared in Law360 on May 2, 2017.