Surviving the Attack
Scams come in all shapes and sizes. They can be low-tech, such as an attempt to get you to wire money out of your attorney trust account, or high-tech, such as an email carrying a malicious link or file. Regardless of the complexity, the goal is always the same: dupe you into doing something you shouldn't.
Even if you've purchased advanced email filtering and anti-spam systems, it's important to understand that even the most advanced systems cannot reduce the threat to your firm to zero. With hundreds of thousands of attempts hitting your email provider's servers every day, some are going to reach you. Sadly, it only takes one to bring the whole house down.
There has been a dramatic uptick in the number of targeted phishing attacks on law firms. A phishing attack is a social engineering tactic that impersonates a trustworthy or known entity in order to trick the user into downloading a malicious file or surrendering sensitive information. One such attack targeted members of the state bar associations in Florida, Nevada, and Georgia with ransomware. An email was sent to bar members claiming either that their dues were late or that they had pending disciplinary issues, and asking them to click a link or download a file. Doing so installed a program that locked the attorney out of their own files unless a fee was paid.
Whether it's ransomware or a program designed to pull information off your computer systems, this is the new paradigm, and it demands that you approach your email with caution and vigilance. This page has been created as a resource for you and your firm's staff.
For this particular threat, training and awareness are your best defenses. Skepticism and vigilance are the best tools in your arsenal, and they require no technical knowledge to acquire. If you ever find yourself wondering why a person or business sent you an email containing a file or link, don't open it. Prevention starts with trusting your gut; what comes next depends on how you or your firm decide a suspicious email needs to be handled.
Have a Plan
A plan can be as simple as "contact our IT help desk or our insurance provider." Sit down with the personnel in your office and decide how your firm will respond to one of these incidents should it occur, and who makes the call.
Have the Right Tools
Having the right tools can help make a bad situation less bad but cannot outright prevent the situation from happening. Consider having the following setup in your firm:
- Updated antivirus
- Enable anti-spam filters on email servers and Outlook clients
- Back up your data, keep at least one copy offline or otherwise unreachable from your workstations so that ransomware cannot encrypt the backups too, and test that you can actually restore from it
Standard legal malpractice insurance policies are not likely to cover cybercrime or cyber risk issues, which are typically separate policies.
Take a look at your firm's insurance policies and see if there are provisions for cybercrime AND cyber risk. If no such provisions exist, contact your malpractice insurer and check to see if they offer any such policies. If they don't they may be able to direct you to an insurer who does.
Here is a good article by Sharon Nelson of the Ride the Lightning blog on the differences between cybercrime and cyber risk coverage.
If It's Not Expected, It Shouldn't Be Opened
- Be suspicious when you are sent a file that you were not already expecting.
- Never offer or provide personal or confidential information in response to a request that you did not initiate. Verify any requests with publicly available contact information or sources.
- Print out known attempts that looked convincing and share them with your coworkers, so they know what to look out for.
It's always good to know where you're going before you set out on your journey. Checking the destination to the hyperlink you're about to click on before you click on it will help prevent you from ending up in an unsavory place.
- Move your mouse pointer over the link (don't click!).
- Look at the destination of the link and make sure it is going to the website you expect. If the address shows a domain you don't recognize, or the text you can see doesn't match the destination that pops up, do not click it.
For example, if you receive an email claiming to come from the State Bar of Montana, the link should go to "montanabar.org" or a site under it, such as "www.montanabar.org". The bar's name merely appearing somewhere in the address is not enough: "montanabar.org.example.com" and "example.com/montanabar.org" both contain it, and neither belongs to the bar. The part that matters is the host name right after "https://" (or "http://") and before the next slash. If that isn't the domain you expect, don't click.
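Hover-checking relies on a judgment call, so here is the same test written out as an added example (not code from the original page). The rule it applies: the host the browser would connect to must be the expected domain or a subdomain of it, and anything else fails, including the look-alike tricks named above plus a "user@" prefix and a homoglyph domain. The domain montanabar.org comes from the page; the sample HTML is constructed for the example, and the EXPECTED_DOMAIN name and helper functions are the example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "montanabar.org"   # the domain the sender claims to be (from the page)


def link_host(url):
    """The host a browser would actually connect to for this link, or "" if
    the link is not a plain http/https URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    # .hostname discards any "user@" prefix and ":port", so a link such as
    # https://montanabar.org@example.com/ correctly yields example.com
    return (parts.hostname or "").rstrip(".").lower()


def link_is_safe(url, expected_domain=EXPECTED_DOMAIN):
    """True only if the host is expected_domain itself or a subdomain of it."""
    host = link_host(url)
    return host == expected_domain or host.endswith("." + expected_domain)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, visible text, safe?)] for each link in the message."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, text, link_is_safe(href, expected_domain))
            for href, text in collector.links]


# Constructed sample message body (not a real email): one genuine link and
# four look-alikes of the kind a phishing message uses. The last one spells
# "montanabar" with a Cyrillic a (\u0430) in place of the Latin a.
SAMPLE_HTML = """
<p>Your dues are overdue. Pay at one of the links below.</p>
<a href="https://www.montanabar.org/dues">www.montanabar.org/dues</a><br>
<a href="https://montanabar.org.example.com/dues">montanabar.org/dues</a><br>
<a href="https://example.com/montanabar.org/dues">montanabar.org</a><br>
<a href="https://montanabar.org@example.com/">https://montanabar.org</a><br>
<a href="https://montanab\u0430r.org/dues">montanabar.org/dues</a>
"""

if __name__ == "__main__":
    for href, text, safe in check_email_links(SAMPLE_HTML):
        print("OK " if safe else "BAD", href, "  shown as:", text)
```

Only the first link passes. Note that the visible text of every bad link looks right, which is exactly why the page tells you to hover rather than trust what you can read; a real browser would display the homoglyph host in its punycode ("xn--") form, which is another tell.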
Limit Your Exposure
The more places you've publicly plastered your email, the more opportunities you've given someone to hit your firm. You have to weigh the risks of posting your email address publicly versus the potential reward of giving potential clients another way to engage you for your services.
- Consider removing your attorneys' email addresses from the firm page and leaving either the office administrator or a contact form.
- Make sure the person you designate as the primary contact person on the website is trained to identify and scrutinize incoming mail.
- If you are a member of another Bar Association that allows public searches of their members and you don't want your email address listed, see if you can change your email or remove your email from the listing. Bear in mind that this may not be possible due to public records statutes in some states.
- Some websites offer contact forms that do not make email addresses publicly available.
If you are unsure whether an email is from a legitimate source, check the Internet headers. Internet headers provide technical details about the message, such as the sending server and the other servers it passed through. Bear in mind that the name and address shown in the "From" line are supplied by the sender and can be set to anything, so that line alone proves nothing. Typically, particularly where companies are concerned, you want to see whether the domain of the sending server (contosocompany.net, for example) matches up with who the sender claims to be, and whether the "Authentication-Results" line reports SPF, DKIM, and DMARC checks as passing. This is more time consuming, but it is a good alternative when the authenticity of an email is in question.
Note: Internet headers can read like Klingon, but free tools are available if you'd rather not scan through the whole thing yourself. Google offers one such tool here.
Outlook:
- Open the message in Microsoft Outlook.
- Select "View," then "Options." (In newer versions of Outlook, open the message and select "File," then "Properties.")
- You'll see the headers in the "Internet Headers" box.
Gmail:
- Open the message in your Gmail inbox.
- Click the down-arrow in the top-right corner of the message.
- Click the "Show original" link toward the bottom of the options box. The message will open in a separate window with the full message headers at the top.
Yahoo Mail:
- Open the email message in your Yahoo Mail inbox.
- Click the "Full Headers" link located in the lower-right corner of the email message.
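Once you have the raw headers, what should you actually compare? This added example (not from the original page, and not a tool any of these mail providers ship) checks the three things a practitioner looks at first: the From: domain against the Return-Path (the envelope sender that bounces go to), the Received: line that your own mail server wrote when it accepted the message, and the SPF/DKIM/DMARC verdicts in Authentication-Results. The two messages are constructed for the example with documentation host names and addresses; the function and variable names are the example's own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Both messages below are constructed for this example; the hosts, addresses
# and IDs are documentation values, not real servers or real mail.
PHISH = """\
Return-Path: <bounce-2291@mail.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.25])
        by inbound.lawfirm.example (Postfix) with ESMTPS id 4F2A1C
        for <jdoe@lawfirm.example>; Tue, 07 Mar 2017 09:14:02 -0700 (MST)
Received: from WIN-PC (unknown [198.51.100.77])
        by mx.example.net (Postfix) with ESMTPA id 71B2E;
        Tue, 07 Mar 2017 09:13:58 -0700 (MST)
Authentication-Results: inbound.lawfirm.example;
        spf=pass smtp.mailfrom=mail.example.net; dkim=none;
        dmarc=fail header.from=montanabar.org
From: "State Bar of Montana" <dues@montanabar.org>
To: jdoe@lawfirm.example
Subject: Overdue bar dues - action required

Your dues are late. Open the attached invoice.
"""

LEGIT = """\
Return-Path: <dues@montanabar.org>
Received: from mail.montanabar.org (mail.montanabar.org [192.0.2.10])
        by inbound.lawfirm.example (Postfix) with ESMTPS id 9C01B
        for <jdoe@lawfirm.example>; Tue, 07 Mar 2017 10:02:11 -0700 (MST)
Authentication-Results: inbound.lawfirm.example;
        spf=pass smtp.mailfrom=montanabar.org; dkim=pass header.d=montanabar.org;
        dmarc=pass header.from=montanabar.org
From: "State Bar of Montana" <dues@montanabar.org>
To: jdoe@lawfirm.example
Subject: Dues statement

Your statement is available on the member portal.
"""

# "from <host> (<what the receiver saw>) by <host>" as written by most MTAs;
# Received: lines without a "from" clause are skipped.
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: header, lowercased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    """(sending host as it announced itself, what the receiver saw, receiving host)."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    return (m.group(1), m.group(2) or "", m.group(3)) if m else None


def analyze_headers(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    # Each server prepends its own Received: line, so hops[0] was written by
    # your own server and is the only one you can trust; everything beneath
    # it arrived with the message and may have been forged by the sender.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    auth_text = " ".join(str(msg["Authentication-Results"] or "").split())
    auth = {k.lower(): v for k, v in
            re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_text, re.I)}
    findings = []
    if return_path_domain and not in_domain(return_path_domain, from_domain):
        findings.append(f"envelope sender {return_path_domain} does not match "
                        f"From: domain {from_domain}")
    if hops:
        handoff_host, handoff_seen, _ = hops[0]
        if not (in_domain(handoff_host, from_domain) or from_domain in handoff_seen.lower()):
            findings.append(f"handed to your server by {handoff_host} ({handoff_seen}), "
                            f"not a {from_domain} server")
    if auth.get("dmarc", "").lower() not in ("", "pass"):
        findings.append(f"dmarc={auth['dmarc']}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "hops": hops, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", analyze_headers(raw)["findings"] or ["no header inconsistencies"])
```

The phishing sample trips all three checks while the legitimate one trips none. One caveat for real mail: organizations that send through a third-party bulk-mail provider will legitimately show a different envelope domain and hand-off server, so treat those two findings as reasons to pick up the phone, and treat a DMARC failure on a domain that publishes a policy as the strongest single signal.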
Refer to Your Firm's Incident Response Plan
One of the worst things you can do in a breach scenario is react immediately without a plan. Step away from your machine, call a meeting, and review your firm's incident response plan.* It's best not to wait until you are in a crisis to develop one. Some insurance providers have template response plans you can modify for your firm's use.
If you're already in a crisis and need to figure out what to do next, contact your IT provider or reach out to a cybersecurity firm to discuss the first steps. If you are breached, you should absolutely seek the services of a cybersecurity firm to conduct an investigation so you know exactly what information was exposed and for how long. The worst time to find out your firm's information made it into the wild is after your clients start calling.
*If you are the target of a ransomware attack, your first step should be to immediately disconnect the infected machine from your network: unplug the network cable and, if the machine has wireless capability, turn off its Wi-Fi. Leave the machine isolated, and do not wipe or reinstall it before the investigator has examined it.