Cyber Security: Is email a double-edged sword for law firms?

By Carl Mazzanti

A small law firm in New Jersey thought it had been hired to assist an individual in obtaining severance pay from their employer. Attorneys got a cashier’s check for $118,850, believing it was a settlement payment. However, according to published reports, just a few days after sending the proceeds to the supposed client, the “cashier’s check” bounced, leaving the firm with an overdrawn account.

In a separate incident, a Texas attorney lost nearly $400,000 after receiving a fake cashier’s check from a client. The attorney deposited the check into his Interest on Lawyers’ Trust Account and then transferred the money to a bank account in Japan. Too late, he found out the cashier’s check was fraudulent.

In both cases, along with many others, the scams started with an emailed request for representation. While law firms find email to be a fast, inexpensive communication tool, criminals love it, too, because email can represent an efficient, inexpensive vector for cyber attack. Firms that collaborate with IT support services organizations, though, can enhance cyber security measures and better protect data and systems from this and other potential threats.

As far back as 2015, in its Formal Opinion 2015-3: Lawyers Who Fall Victim to Internet Scams, the New York City Bar warned that over the previous six years, email scams had swindled lawyers out of an estimated $70 million. “These scams are often highly sophisticated, involving parties that appear to be representing legitimate international corporations and using high-quality counterfeit checks that can take a bank weeks to discover. One experienced ring obtained $29 million over two years from seventy lawyers in the United States and Canada.”

Once an attorney fell victim to a scam, his or her problems had just begun, the opinion noted. “Banks have sued attorneys for lost funds caused by counterfeit checks, and some malpractice insurers have refused to indemnify affected lawyers. See e.g., Lombardi, Walsh, Wakeman, Harrison, Amodeo & Davenport, P.C. v. American Guarantee and Liab. Ins. Co., 924 N.Y.S.2d 201 (3d Dep’t 2011) O’Brien & Wolf, L.L.P. v. Liberty Ins. Underwriters Inc., No. 11-cv-3748, 2012 WL 3156802 (D. Minn. Aug. 3, 2012)…Attorneys Liab. Protection Soc., Inc. v. Whittington Law Assocs., PLLC, 961 F.Supp.2d 367 (D. N.H. 2013).”

Many firms are falling behind on email security just as cyber attackers are becoming more sophisticated. Attorneys should update email and security practices to address this concerning trend and also learn to identify email threats, like phishing emails that trick people into giving personal information or downloading harmful software.

Clever deceptions

Phishing emails are a type of social engineering, are always changing, and can come through emails, texts, phone calls, or websites. Today, artificial intelligence is helping threat actors make their attacks appear even more convincing.

Hackers are also upping their game with malicious “spear phishing” emails. Scammers may send fake emails pretending to be from a client or another source familiar to an organization. Their goal is to trick you into downloading harmful files or taking actions that could put a firms’ digital assets at risk.

Email threats may also involve file-less attacks, which use deceptive links or attachments to trigger an exploit, putting users at risk. These kinds of attacks often initiate actions in legitimate programs, like the Windows registry, without downloading any files. This approach is designed to avoid detection by traditional antivirus scans.

A good firm-wide email cyber security plan begins with strong passwords featuring a mix of uppercase and lowercase letters, and special characters. Avoid passwords that are repetitive or sequential, like “12345678.” Also, long passwords or passphrases greatly improve password strength.

Layers of security measures

However, strong passwords alone will not suffice. Firms should also implement a layered cyber security approach featuring software and other automated defenses. One idea: Use multi-factor authentication, or multiple credentials on different devices, to confirm your identity when logging in or making a transaction.

Another defense features email filters to stop harmful messages before they reach you. Defense systems should also block dangerous file types, URLs, and QR codes that can link to harmful websites. Firms can use tools like DMARC, an email authentication protocol, to prevent email spoofing and tampering and help ensure email integrity.

Training programs are another component of a layered defense. It is important to train employees to question QR codes, links, and attachments, even if they seem trustworthy. Any hacking attempts should be reported to designated individuals.

Security awareness training, customized for specific teams and individual roles, adds additional protection. Training should include such immersive experiences as phishing simulations that engage users and test their understanding.

Nation-states and other cyber criminals are leveraging artificial intelligence to develop increasingly complicated email and other security threats. However, firms can partner with cyber security managed services providers to develop defense strategies tailored to meet firms’ specific needs and resources.

 

Carl Mazzanti is president of eMazzanti Technologies, a cyber security and IT support organization based in Hoboken, N.J. The company can be reached at [email protected].