Category Archives: Cybersecurity

New Software Scam

Do you have antivirus/malware software on your PC/Mac/Server? If so, pay close attention to that software’s renewal terms. Watch out for any future phishing emails that contain an attached invoice. The scam asks you to either click a link to renew your subscription or call the phone number listed on the fake invoice to cancel. 

Tips to Avoid Antivirus / Malware Software Scams

  • Visit the software company’s verified URL and pay through the software company’s portal
  • Calendar renewal dates
  • Keep your antivirus/malware software up to date
  • Know the general terms of all software on your PC/Mac
  • Avoid paying invoices through email
  • When in doubt, look in the software settings to find Support info. Don’t always trust contact information on search engines because sometimes the business information can be claimed by scammers.
  • Sometimes scammers pry into your browsing habits or purchases. Be sure to limit browser data collection by checking your browser’s security and privacy settings.
  • Keep all other software on your PC or Mac up to date
  • Educate your staff on technology scams so they know what to watch out for too
  • Check with your IT professional to make sure the software you use is up to date with today’s cybersecurity market, malware, and scams

Visit for great links or email for more advice.

Password Tip

Have you ever saved a password in your browser while logging into a website? If yes, it is a good idea to turn off the browser feature that saves that information and choose a password manager instead!

Here are the steps to turn off the “save password” feature by browser:


Chrome

In Chrome, look for the hamburger menu (the icon looks like three horizontal lines stacked on top of each other) on the far right-hand side of the browser, click Settings, click Autofill, click Passwords, and toggle “Offer to save passwords” off.


Firefox

In Firefox, look for the hamburger menu (the icon looks like three horizontal lines stacked on top of each other) on the far right-hand side of the browser, click Preferences, click Privacy & Security, look for the Logins and Passwords section, and uncheck “Ask to save logins and passwords for websites.”

Microsoft Edge

In Microsoft Edge, click the three-dot menu button (look for an icon that looks like …) on the far right-hand side of the browser, click Settings, click the Passwords button, and toggle the “Offer to Save Passwords” option to off.

Follow @SCBar_PMAP on Twitter for additional tips and contact for assistance.

Seven Simple Suggestions

I know what you are thinking: don’t I have enough on my plate right now without making New Year’s resolutions? I agree. That’s why I have chosen a few very simple suggestions that might actually make your life a little simpler. Some of these resolutions, I mean, suggestions, also help you stay out of ethics trouble (win-win!). They are in no particular order of importance – start with the easiest for you to do. 

Get a password manager. We already know that passwords need to be complicated in order to be strong and we shouldn’t use the same one more than once (or write them on sticky notes or store them in a Word file). The solution is a password manager. There are lots of good free and cheap password managers. Need to create a new password? Tell the password manager how long you want it and if you want to use letters, numbers, special characters, or all three. The password manager will create a password and save it for you. Later, when you visit that website and have to log in, the password manager can fill in the information for you. All you need to remember is your login and password for the password manager! Popular password managers include Dashlane, LastPass, 1Password, and Roboform. You can also see if your internet security software offers a password manager – many do.

Start using two factor or multi-factor authentication (MFA). I know that sounds techie, but stay with me. The easiest way to explain 2FA or MFA is to tell you that you’ve probably already used it. Log in to most financial institutions and you have to enter your password and then perform a second step, such as entering a code you receive on your phone by text. Voila! That’s MFA! Start adding this extra security layer now with all your email accounts. If you have a Google account, set up “2-Step Verification.” Not sure how? Google it. For the rest of the year, when you login to any of your online accounts or websites, look for instructions on how to set up MFA (and don’t forget that new password manager can store those logins and passwords). Trust me on this one, it may be the best and easiest way to protect yourself from hackers and safeguard client confidentiality. 

Check Google My Business. Yes, that’s actually what Google named their free marketing service. Do this: Google your law firm. Alongside the usual results list, you’ll see a block with photos, a map view, your firm address, phone, and other information. This is a free business listing and you need to “claim” it if you haven’t already. Click “Own this business?” or “Claim this business.” Do it, because if you don’t, someone else may and you may not like what they do next. But that’s not the only reason to claim it. You’ll be able to correct and add information and take other steps to help clients find you better. 

Try not to email clients anything confidential. Email fraud can occur when a lawyer emails details about a case to clients and other parties. If one of the people has had their email breached, the hacker may be watching email exchanges waiting for an opportune moment to intervene. This usually happens once they learn about money changing hands. They’ll spoof one of the parties’ email address and send their own settlement offer or bank routing instructions. If you need to discuss a case, use a client portal in a practice management program. If you’re using a cloud practice management program such as Clio, MyCase, Cosmolex, Rocket Matter (etc.) talk to the provider about how to set up secure portals for clients. Besides being more secure, clients appreciate being able to see how their case is progressing. 

Make sure that you have cyber insurance. According to a 2019 survey by the American Bar Association, one in four law firms have experienced a security breach. General liability and professional liability insurance policies may not cover all the costs of a cyber incident. Talk to your carrier and find out what your policies cover. Most lawyers discover that they need to add a cyber liability policy. Whether you are shopping for cyber insurance or reviewing your current policy, there are numerous articles on the internet outlining the claims that are frequently denied or not covered by cyber insurance, so read policies carefully.  

Hire a virtual receptionist. Clients hire law firms that have a live human answering the phone. For many small firms, a virtual receptionist/answering service can be a lifesaver. Banish the idea of the impersonal answering service your doctor uses after hours. Today’s virtual receptionists can help you all day by handling tasks a real receptionist would do. There are many companies to choose from, including Call Experts, Smith.AI, Ruby, and LexReception.  

Call the Bar for free help. The South Carolina Bar has lawyers on staff to answer questions about practice management (including technology), ethics, fee disputes, pro bono opportunities, and more. Bonus resolution: join a Bar section or committee for your practice area and take advantage of the free listserv!  

By Courtney Troutman
Practice Management Assistance Program
South Carolina Bar

Four Tip Friday

Hi everyone!

  1. If you need an easy way to keep up with legal technology, subscribe to John Simek’s email newsletter, Your IT Consultant. (You can also subscribe via your favorite RSS reader, like Feedly.) Here is a link: Recent newsletters have addressed password managers and home routers. And, of course, unless you are in Spaceballs, don’t use 123456 as a password.

  2. If you are looking for serviceable to decent noise cancelling headphones, check out either the ones by TaoTronics here or the ones from Anker I don’t use the noise cancelling that much, because it does not cancel out my bad dog’s barking, but the sound quality will satisfy the non-audiophile and battery life has come a long way. Plus, as someone on the Clockwise podcast pointed out, if you are wearing earbuds people will bother you, but if you are wearing a big set of cans, they won’t.

  3. Some of you are saying, OMG I simply cannot put cheap headphones on my delicate ears. In that case, if money is no object, skip to 4, but if it is, check out It will help you figure out when the best time to buy something is.

  4. If you are wondering how to get short links, check out It will make your life (and blog posts) easier!

We are one day closer to things settling down. That counts for something, right?

Let’s be careful out there!

Michael J. Polk, Esquire
SC Bar Technology Committee
Belser & Belser, PA
Columbia, South Carolina

Technology Takeaways from the 2020 Bar Convention

In November, 2019, the South Carolina Supreme Court adopted amendments to Rule 1.0 (r), Rule 1.1 Comment 6, Rule 1.6 Comments 20 and 21, and new Rule 1.6(c) of the Rules of Professional Conduct. The amendments were modified versions of amendments made to the ABA Model Rules of Professional Conduct in 2012 meant to offer guidance to lawyers about technology. The Technology Committee sponsored a CLE at the Bar Convention in January, featuring national experts Sharon Nelson and John Simek who addressed best practices for lawyers to be ethically compliant and competent in the area of technology. They addressed three big areas: ethical competence in the digital area, disasters and data breaches, and the future of law practice. Here are some takeaways, but you can find this information and much more in the articles listed on their website

Most, if not all, law firms have experienced a technology security event – from malware infections to total breaches. In light of that, firms should conduct security assessments and have incident response plans. Many cybersecurity insurance policies are requiring these (the cost of cybersecurity insurance is reportedly rising). Firm training is also critical, since the majority of security issues rely on human error and gullibility. Firms should have a security policy for employees to follow, covering everything from backups, BYOD (bring your own device), acceptable use and more. Firms should also have an incident response plan to avoid running around like a chicken with … you know the rest. The plan should include contact information, immediate steps to take, and steps to resume operation. Most states have data breach notification laws, including South Carolina. Consult the law for your duties. 

Ransomware attacks are evolving (think it’s some guy in Russia? These days it could be a bot or artificial intelligence). Ransoms being demanded are higher than most firms can pay. A new twist in ransomware: firms who ignore the ransom request because they have a good backup may be subject to having their data used or leaked to the dark web in retaliation for not paying the ransom. Some good news: success rates in thwarting ransomware are increasing if the FBI is notified within the first 24 hours. So, even if you have a backup, notify the authorities asap. Also good news: more banks are recognizing wire fraud attempts and stopping fraudulent transfers before they conclude. 

Basic backup advice that applies to most law firm sizes: have a local (physical) backup and two cloud backups. Make sure your cloud provider allows you to control the encryption key. The speakers named Carbonite and Backblaze as good options. Make sure backups work by doing a test restore. One solo used a cloud backup and lost five years of law firm data because he’d never tried to verify if the data was restorable or not corrupted. Don’t take the word of the software that says “Backup successful!” – be certain. If you use a USB backup drive, disconnect it from the server once the backup is completed (more than one physical backup drive is recommended so you can swap them out). If you experience a ransomware attack and your backup is connected to your computer – well, there goes your backup.  

Zombie data, also known as “dark data,” is data you don’t realize you have. It can come up in data breaches or in cases during e-discovery. The speakers’ advice about old data: if you don’t need it, and are not legally required to preserve it, get rid of it! Don’t forget old email accounts – nearly everyone has old free email accounts they’ve ceased using. They’re ripe targets.

The speakers next turned to the Future of Law Practice. Consumers, accustomed to smart TV sets, doorbell security cameras, and Alexa, have rising expectations for lawyers. Consumers expect same day delivery of products, automated contract delivery, client portals and video chat. Trends that will grow include non-lawyer ownership of law firms, traditional legal work being done by non-lawyers and alternative legal services providers, and of course, Artificial Intelligence (AI). As an example of the rapid rate of change in AI, the speakers reported that the IBM Watson computer that defeated Ken Jennings at Jeopardy! in 2011 was the size of a master bedroom and weighed thousands of pounds. One year later, it was 18 x 36 inches and weighed just 100 pounds.

Although the term AI is often incorrectly used to hype products and sound cool, in reality, AI is already in widespread use in the world’s largest law firms (but the speakers were quick to say that it is also being used by solos). Lawyers use AI for contract review, due diligence, e-discovery, legal research, predictive analytics, and more. AI represents a direct threat to some legal job sectors, including lawyers performing document review, paralegals, and even first year associates. JPMorgan Chase uses COIN (Contract Intelligence) which in seconds can do the work formerly requiring 360,000 hours a year by lawyers and loan officers. 

Bar members can read many of Nelson and Simek’s articles on technology, security, ethics, and law practice on their website, watch Sensei YouTube videos, or listen to Digital Detectives or The Digital Edge podcasts.  

The Bar also has many resources to help lawyers with technology questions, from a lending library of ABA technology books to online resources at and the Technology Committee’s page

By: Courtney Troutman, Director
South Carolina Bar Practice Management Assistance Program

Mike Polk, Technology Committee Chair, South Carolina Bar
Belser & Belser, PA
Columbia, South Carolina

Four Tips for Better Password Security

Do passwords still matter? Isn’t it true that if an attacker really wants to, they can crack any password? Many lawyers have been asking this in recent years, frustrated by ever-changing advice on what constitutes a “safe” password. Yes, passwords do matter. Now is not the time to throw in the towel and become “low hanging fruit” for hackers.  

Lawyers should take reasonable steps to create and use secure passwords to protect client confidentiality and safekeep client property. (Rule 1.6 Confidentiality of Information, Rule 1.15 Safekeeping Property, SCRPC.) In 2012, ABA Model Rule of Professional Conduct Rule 1.1, Comment 8 was amended to advise that lawyers also maintain competence by keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Since then, at least 37 states have followed suit with similar amendments.

It’s true that there are such things as “bad” passwords. There are numerous lists of most hacked or “worst” passwords on the internet, including one by the UK National Cyber Security Centre. “123456” consistently tops all lists as the most commonly used password, followed closely by “qwerty” and “password.”

Many online accounts force certain requirements on users – a minimum number of characters, an uppercase, a lowercase, a symbol, a number. This requirement can offer limited protection if you use a password like “trustno1” or “v3r!Fy.” Password crackers know to look for common substitutions for letters. 

Hackers use data from frequent corporate and website data breaches to perform “credential stuffing” – where hackers use stolen username and password credentials and try to login to other websites with those same credentials. Often, they are successful.  

Keeping in mind that what constitutes a strong password changes without warning and can even vary depending on the situation, here are a few tips: 

  1. Use Passphrases as Passwords – We listed some examples of problematic passwords above. A better password solution involves entropy, which is a lack of order or predictability, using passphrases – not a recognizable quote, but a string of words or text you can remember. Gary likes the “Diceware” method, which uses dice to come up with passphrases. A person rolls a set of five dice, each of which produces a random number between 1 and 6, and then matches the dice roll results with a list of predetermined words. The method is described in this post: Courtney prefers to make up her own unique passphrases.
  2. Never Reuse Passwords – In a February, 2019, Google/Harris poll of three thousand adults, sixty-five percent of the respondents reuse a password for one or all of their online accounts. As noted earlier in this article, hackers use information from breached web sites to perform “credential stuffing” to access accounts on other online web sites. You should never reuse a password for any online site. In late 2019, Google announced “Password Checkup,” a new Chrome extension that warns you if the username and password you’re using were stolen in any data breaches and then prompts you to change them if they were.
  3. Ideally Use a Password Manager – The best solution as far as organizing your password security is to use a password manager. Password managers are software applications that allow users to generate, store, and retrieve secure passwords for various online sites. Most password managers allow the generation of passphrases as well. Many password managers have smartphone apps and browser plug-ins so that you can easily retrieve a password. You only need to remember your master password to access the password manager. does an annual roundup of password managers. Most have a very reasonable annual fee. There are free versions available, but most limit the number of passwords you can save, and the terms and conditions can vary. As a general rule, Courtney recommends that lawyers not use free software or apps, but buy the pay version. Gary likes 1Password, and Courtney uses LastPass.
  4. Use Two-Factor Authentication Whenever Possible – Two-factor authentication is the means of using two different types of information to login to an online account, such as a password, a PIN sent by text message or authenticator app, or a fingerprint/biometric. Most people are already familiar with two-factor authentication with online banking or cloud-based storage web sites. Enable two-factor authentication whenever possible with your online and cloud-based providers. Visit Two Factor Auth for a list of websites that do and do not support two-factor authentication.
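The dice-to-word lookup described in the passphrase tip above, as an added Python example (not code from this article or from the Diceware project). It assumes a word list in the common one-entry-per-line `ROLL WORD` format; `constructed_wordlist()` builds a placeholder list so the block runs offline, and all function names are hypothetical.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                   # five dice per word, as the tip describes
LIST_SIZE = 6 ** DICE_PER_WORD      # 7776 distinct five-dice results


def parse_wordlist(text):
    """Parse lines such as '16342 cleft' into a {roll: word} table."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                                  # skip blanks and headers
        roll, word = parts
        if len(roll) == DICE_PER_WORD and set(roll) <= set("123456"):
            table[roll] = word
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    if len(set(table.values())) != LIST_SIZE:
        raise ValueError("duplicate words lower the entropy of the list")
    return table


def roll_dice():
    """Simulate five fair dice using the operating system's secure RNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(table, words=6, rolls=None):
    """Build a passphrase; pass 'rolls' to look up results from real dice."""
    if rolls is None:
        rolls = [roll_dice() for _ in range(words)]
    return " ".join(table[roll] for roll in rolls)


def entropy_bits(words):
    """Entropy in bits when every word is drawn uniformly from the list."""
    return words * math.log2(LIST_SIZE)


def constructed_wordlist():
    """Constructed stand-in list: one placeholder word per possible roll."""
    rolls = itertools.product("123456", repeat=DICE_PER_WORD)
    return "\n".join(f"{''.join(r)}\tword{i:04d}" for i, r in enumerate(rolls))


if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    print(passphrase(table, words=6))
    print(f"{entropy_bits(6):.1f} bits for six words")
```

The strength comes from the random selection, not from the words being secret: each word adds about 12.9 bits, which holds only if no roll is discarded or re-rolled because the result looks awkward.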

Ronald Rotunda, in his February 2018 article for Justia “Lawyers, Passwords, and the Obligation to Keep Clients’ Secrets”, summed up password security: “When we take these precautions, the modern-day equivalent of a deadbolt, we will know what to say when the client asks, “What are you doing to keep my information secret?”” 

By: Gary Moore
Assistant Dean for Academic Technology
University of South Carolina School of Law
SC Bar Technology Committee

Courtney Troutman, Director
SC Bar Practice Management Assistance Program
Liaison to the SC Bar Technology Committee. 

Four Tip Friday

  1. I recently went to a CLE at USC Law School entitled How a Solo can be Han Solo – Using Technology for Courtroom Presentations. It was part of the law school’s Legal Tech series. Bill Booth, a lawyer in Columbia, was the speaker. He recommended checking out Miracast, a dongle that acts like a wireless HDMI cable. It is easy to set up and use. You can pick one up for about $40 on Amazon. Bill uses a Microsoft branded Miracast like this one: but there are other brands as well. If you are having trouble with your current setup, consider picking one up and giving it a try. By the way, if you want to see a courtroom presentation demonstration featuring Keynote and TrialPad with Apple TV, check out the Galactic Empire v. Han Solo trial on YouTube here It was part of a CLE for the York County Bar Association and is worth a look.
  2. Gary Moore, Assistant Dean for Academic Technology at USC, writes to remind us not to reuse passwords. Gary writes: “In a February 2019 Google/Harris poll of three thousand adults, sixty five percent of the respondents reuse a password for one or all of their online accounts.   As noted earlier in this article, hackers use information from breached web sites to perform “credential stuffing” to access accounts on other online web sites.   You should never reuse a password for any online site.”
  3. Here is a good tip I received from a solo small firm conference here in Columbia a couple of years ago. If you are an Amazon shopper, and you are wondering if you should pounce on a Black Friday deal, check out It is a free Amazon price tracker that will give you a better idea as to what kind of deal you are actually getting.
  4. Looking for ways to use your iPad in your practice? Thomas McDow, a lawyer in Rock Hill, uses the Duet app. With it, he can use his iPad as a second monitor. Duet is currently $9.99 on the Apple App Store.

By: Mike Polk, Chair, Technology Committee
Belser & Belser, PA
Columbia, South Carolina

National Cybersecurity Awareness Month

It’s the most wonderful time of the year! No, not that one, the other one – Cybersecurity Awareness Month!

It is a great time to review some of the basics yourself and with your staff. If you are looking for some ideas, check out the toolkit here: (part of the Homeland Security website).

As with any good celebration, it has a theme: OWN IT, SECURE IT, PROTECT IT. The entire toolkit is worth saving for reference (and, at 9 pages, an easier and less stressful read than the comments to any given news story.)

Here are some highlights:

  • Own it. Understand your devices and applications, check your privacy settings on the websites you use, use safe social media practices, and don’t let tech own you.
  • Secure it. Criminals are getting better and better. Five years ago most email scams were laughable – poor formatting, poor appearance, poor grammar, misspellings, and outlandish claims. While those persist, there are many more sophisticated attempts made that can fool those who are unwary or in a hurry. Consider changing your passwords or passphrases if you haven’t in a while, do not reuse passwords (bonus points for using a password manager), enable multi-factor authentication where available, and pause before you reply with sensitive information to requests that are out of the ordinary or that create a perceived emergency.
  • Protect it. Stay on top of your digital life. Close unused accounts and practice good cyber hygiene and practices. Make sure to do things like change the default passwords on your internet of things devices (you know, stuff like your smart refrigerator, your smart camera, and your smart socks.)

It has been said that eternal vigilance is the price of liberty. Well, it is now the price of being a part of the digital world. As the sergeant in Hill St. Blues used to say, “Let’s be careful out there.”

Written by:

Michael J. Polk, Chair, South Carolina Bar Technology Committee
Belser & Belser
Columbia, SC

Spot Phishing Attempts

Lawyers can try this tip to see if an email from a prospective client is real: copy and paste any unique language from the sender into Google or another search engine. You only need a sentence, or even part of a sentence, usually. For example, a recent email describing a dog bite claim contained “biting me and causing gaping wounds near my left eye.” When this was pasted into Google, it returned an article about a nearly identical email scam on lawyers in another state. The names and places had been changed in order to be more convincing to the new target/lawyer. Also, remember the usual warning signs, such as misspellings, poor grammar, and unrealistic settlement offers. Phishing attempts are becoming sophisticated, using real company names, real employee names, and other information to make the phish convincing. Some lawyers have even reported that the emails have been followed up with phone calls from the sender. Besides researching on the Internet, contact your malpractice insurer or bar association to see if they can assist or if they have seen similar scams.

Phishing Update: A Whale of a Tale

Bar Bytes has previously addressed the dangers posed by “phishing” emails: messages that seek to trick recipients into revealing secrets and clicking on links or attached files that contain malware.1 The points raised then remain valid today, and this update seeks to offer additional information and strategies for combating phishing attempts. Detecting and avoiding this threat requires constant vigilance; it only takes one mistake to compromise your data. 

Know the Threat 

Phishing attempts take many forms, crafted with varying degrees of deception by scammers. While basic phishing attempts can be relatively easy to spot, targeted phishing attempts – known as “spear-phishing” – are much more troublesome. A spear-phishing email will attempt to trick you or others at your firm by masquerading as a message from a trusted sender. The message may appear to be from a co-worker, a client, or a third party such as a financial institution. Indeed, some scammers have used targeted emails to redirect wire transfers.2 The scammer may include publicly available information, such as details gleaned from an online directory, or even your own website to make the attempt look more convincing. A related tactic, known as “whaling,” is used to prey on an employee’s eagerness to please an employer and occurs when scammers impersonate the management or leadership of an organization. Instead of currying favor with a supervisor, the employee then unknowingly does the bidding of a scammer. 

If you believe that an email is a phishing attempt, delete it and do not interact with the message in any way. Once the recipient of a phishing email has taken the bait and clicked on a malicious link or infected attachment, there is no going back. The recipient of the message may be tricked into revealing confidential information or the email account may be hijacked and used for further phishing attacks. The affected computer may be stricken with “ransomware,” a type of malware that will encrypt your files and make them inaccessible unless you pay a fee to the scammers. A new risk, dubbed “cryptojacking,” allows scammers to syphon processing power from your computer for their own projects – such as mining for cryptocurrencies like BitCoin.3 The best way to avoid these outcomes is to practice a balanced approach of detection and preparation.  

Know Your Contacts 

To defend against all forms of phishing it is helpful for everyone in a firm who is using a computer to be well-versed in recognizing the hallmarks of a phishing email, including: typos, an unfamiliar domain name in the sender’s email address, and demands for an immediate response. The increasingly sophisticated nature of spear-phishing and whaling attempts has made it imperative that suspicious emails be given additional scrutiny. If a dubious email appears to be from an acquaintance or co-worker, it is much better to call that person for verification than take the chance of being hoodwinked. 

A recently reported example of a whaling scheme was directed at academia; scammers posing as deans or department heads attempted to trick faculty at multiple institutions into purchasing gift card codes for them as a favor (promising reimbursement, of course).4 Those who responded to the phishing messages often found the requests odd, unprofessional, or otherwise unlike the individual the scammers were attempting to emulate. However, for newer faculty members – or those unfamiliar with the writing style of a new administrator – these messages can be harder to detect. 

This scenario could easily play out in a law firm setting. Let’s suppose a newly hired employee receives such an email that appears to be from a supervisor, or even a partner. The email could ask the employee to perform any number of tasks: authorize a purchase, provide log-in credentials, or review an attached document that is infected with malware. Newer hires are especially at risk since they may not yet be familiar with the conversation style or writing habits of others in the firm. 
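The hallmarks listed above (an unfamiliar sender domain, a trusted name on an unknown address, a demand for an immediate response) can be checked mechanically before a person reads the message. The following is an added Python example, not part of the original article; the firm domain, contact directory, phrase list and sample messages are all constructed.

```python
from email.utils import parseaddr

# Constructed directory for a hypothetical firm; replace with real contacts.
KNOWN_DOMAINS = {"examplelaw.example", "clientco.example"}
KNOWN_PEOPLE = {"pat partner": "pat@examplelaw.example"}
PRESSURE_PHRASES = ("urgent", "immediately", "right away", "asap", "gift card")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def assess(from_header, subject, body):
    """Return the list of warning signs found in one message."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []

    if domain not in KNOWN_DOMAINS:
        flags.append("unfamiliar-domain")
        # One or two characters away from a trusted domain is a lookalike.
        if any(edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS):
            flags.append("lookalike-domain")

    # Whaling: a colleague's name shown over an address that is not theirs.
    expected = KNOWN_PEOPLE.get(display.strip().lower())
    if expected and expected != addr:
        flags.append("display-name-mismatch")

    text = f"{subject} {body}".lower()
    if any(phrase in text for phrase in PRESSURE_PHRASES):
        flags.append("pressure-language")
    return flags


# Constructed sample messages: (From header, subject, body).
SAMPLES = [
    ('"Pat Partner" <pat@examp1elaw.example>', "Quick favor",
     "I need you to buy gift cards right away. I will reimburse you."),
    ("Pat Partner <pat@examplelaw.example>", "Draft motion",
     "Attached for Monday."),
    ("Pat Partner <pat.partner.office@freemail.example>", "Hello",
     "Are you at your desk?"),
]


def run_samples():
    return [assess(*message) for message in SAMPLES]


if __name__ == "__main__":
    for message, flags in zip(SAMPLES, run_samples()):
        print(message[0], "->", flags or "no flags")
```

A message with no flags is not proven safe; a compromised real account passes every check here, which is why the advice to call the sender for verification still applies.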

Know Your Plan 

Hope for the best, but prepare for the worst. Here are a few steps that you can take right now to shore up your defenses: 

  • Prepare a plan that details how your firm will respond to a successful cyberattack. Include procedures for isolating infected machines, responding to client inquiries, and for minimizing chaos in the wake of the attack. Consult an IT security professional for addressing additional concerns and consider your insurance options to ensure you have adequate coverage. 
  • Offer cybersecurity training for all employees, and especially new employees. 
  • Ensure that your computers and software are updated and have the latest security patches. 
  • Make routine back-ups of your files and keep at least one copy saved off-site. If your security is compromised, you may be able to restore your operations using one of these recent backups. 

Despite the best efforts at detecting phishing attempts, one may still slip past your defenses. If that happens, your preparation will be vital to preserving not only your data, but your reputation as well; how will your clients respond if your firm suffers a breach and you are caught completely off guard? 

For more information and helpful resources, please visit the University of South Carolina Law Library’s cybersecurity resource guide: 

Additional information on protecting your data also can be found on the South Carolina Bar Technology Committee’s page at 

By: Aaron Glenn, JD, MLIS
Reference Librarian
University of South Carolina Law Library. 


  1. Courtney Kennaday & Emily Worley, Protection from Phishing, SC Lawyer, July 2016, at 10.
  2. Mark Bassingthwaighte, How to Minimize the Risk of Becoming a Victim of Wire Fraud, South Carolina Bar (Jan. 18, 2017),
  3. James M. McCauley et al., Is It Ethical for Lawyers to Accept Bitcoins and Other Cryptocurrencies?, N.C. St. B.J., Fall 2018, at 36.
  4. Lindsay Ellis, Gift-Card Phishing Scheme Targets Professors’ Zeal to Please the Dean, The Chronicle of Higher Education, February 1, 2019, at A21.