Wilson Elser’s Cyber Incident Response Team has seen an alarming uptick in cyber-criminal activity targeted at professional services firms, particularly accounting firms. As described in more detail below, the criminal activity follows a very specific pattern. We take this opportunity to remind all professionals of the need to be wary and skeptical of what communications they receive electronically. Consider starting the New Year with training and education for yourself as well as your partners, staff and employees on cyber risk and how to best avoid an attack and mitigate any damages if an attack occurs. In the past three months, we have noticed a pattern of activity targeted at small to midsize professional services firms. Attackers attempt to gain access to computer systems containing sensitive financial information, which may result in a legal duty on the part of the professional to notify their clients that their confidential information was or may have been exposed.
So what does an attack look like?
In one scenario, a professional services firm’s partner or employee receives an email offering a free download of a program such as Microsoft Office 365, Windows 10 or some other desirable program. The email appears to be legitimate, and when the user clicks on it, a pop-up message provides a number for the user to call. The number connects the user with what seems to be a legitimate company. The cyber-criminal responding to the call then asks for access to the user’s computer, citing a need to check for viruses or to see if the computer is compatible with the download, or some other legitimate-sounding reason. Once the user provides access, the cyber-criminal tells the user that the computer is infected, and tries to sell an anti-virus or anti-malware software for about $350.
Even if the sale is rejected by the user, once access is granted, the cyber-criminal has fullaccess to the files on the computer. Even if the hacker does not access or download sensitive information, the mere fact that the server was hacked could trigger client notification obligations under state laws, since it is not always possible to conclusively prove whether the cyber-criminal did indeed access or download the information.
While this activity seems to be targeting accounting firms, it is likely that any organization that handles sensitive client information will be targeted.
So how do you protect yourself?
Education, training and diligence. Partners and employees alike need to be educated about cybersecurity risks and trained to identify them. Everyone with a password into the system needs to think twice about the communications they receive, the sites they visit and the access they are willing to give third parties (i.e., strangers) to their computers. If you receive an email that offers a branded product for free, contact the named company before downloading or clicking on any links or attachments in the email. Use a telephone number from the official website (rather than from the email) to see if this is a legitimate offer. If it sounds too good to be true, it most likely is.