Category Archives: Ransomware

Seven Simple Suggestions

I know what you are thinking: don’t I have enough on my plate right now without making New Year’s resolutions? I agree. That’s why I have chosen a few very simple suggestions that might actually make your life a little simpler. Some of these resolutions, I mean, suggestions, also help you stay out of ethics trouble (win-win!). They are in no particular order of importance – start with the easiest for you to do. 

Get a password manager. We already know that passwords need to be complicated in order to be strong and that we shouldn’t use the same one more than once (or write them on sticky notes or store them in a Word file). The solution is a password manager. There are lots of good free and cheap password managers. Need to create a new password? Tell the password manager how long you want it and whether you want to use letters, numbers, special characters, or all three. The password manager will create a password and save it for you. Later, when you visit that website and have to log in, the password manager can fill in the information for you. All you need to remember is your login and password for the password manager! Popular password managers include Dashlane, LastPass, 1Password, and Roboform. You can also see if your internet security software offers a password manager – many do.

Start using two-factor (2FA) or multi-factor authentication (MFA). I know that sounds techie, but stay with me. The easiest way to explain 2FA or MFA is to tell you that you’ve probably already used it. Log in to most financial institutions and you have to enter your password and then perform a second step, such as entering a code you receive on your phone by text. Voila! That’s MFA! Start adding this extra security layer now to all your email accounts. If you have a Google account, set up “2-Step Verification.” Not sure how? Google it. For the rest of the year, when you log in to any of your online accounts or websites, look for instructions on how to set up MFA (and don’t forget that your new password manager can store those logins and passwords). Trust me on this one: it may be the best and easiest way to protect yourself from hackers and safeguard client confidentiality.

Check Google My Business. Yes, that’s actually what Google named their free marketing service. Do this: Google your law firm. Alongside the usual results list, you’ll see a block with photos, a map view, your firm address, phone, and other information. This is a free business listing and you need to “claim” it if you haven’t already. Click “Own this business?” or “Claim this business.” Do it, because if you don’t, someone else may, and you may not like what they do next. But that’s not the only reason to claim it. You’ll be able to correct and add information and take other steps to help clients find you more easily.

Try not to email clients anything confidential. Email fraud can occur when a lawyer emails details about a case to clients and other parties. If one of those people has had their email breached, the hacker may be watching the email exchanges, waiting for an opportune moment to intervene. This usually happens once they learn about money changing hands. They’ll spoof one of the parties’ email addresses and send their own settlement offer or bank routing instructions. If you need to discuss a case, use a client portal in a practice management program. If you’re using a cloud practice management program such as Clio, MyCase, Cosmolex, Rocket Matter, etc., talk to the provider about how to set up secure portals for clients. Besides being more secure, clients appreciate being able to see how their case is progressing.

Make sure that you have cyber insurance. According to a 2019 survey by the American Bar Association, one in four law firms has experienced a security breach. General liability and professional liability insurance policies may not cover all the costs of a cyber incident. Talk to your carrier and find out what your policies cover. Most lawyers discover that they need to add a cyber liability policy. Whether you are shopping for cyber insurance or reviewing your current policy, there are numerous articles on the internet outlining the claims that are frequently denied or not covered by cyber insurance, so read policies carefully.

Hire a virtual receptionist. Clients hire law firms that have a live human answering the phone. For many small firms, a virtual receptionist/answering service can be a lifesaver. Banish the idea of the impersonal answering service your doctor uses after hours. Today’s virtual receptionists can help you all day by handling tasks a real receptionist would do. There are many companies to choose from, including Call Experts, Smith.AI, Ruby, and LexReception.  

Call the Bar for free help. The South Carolina Bar has lawyers on staff to answer questions about practice management (including technology), ethics, fee disputes, pro bono opportunities, and more. Bonus resolution: join a Bar section or committee for your practice area and take advantage of the free listserv!  

By Courtney Troutman
Director
Practice Management Assistance Program
South Carolina Bar

Technology Takeaways from the 2020 Bar Convention

In November 2019, the South Carolina Supreme Court adopted amendments to Rule 1.0(r), Rule 1.1 Comment 6, Rule 1.6 Comments 20 and 21, and new Rule 1.6(c) of the Rules of Professional Conduct. The amendments were modified versions of amendments made to the ABA Model Rules of Professional Conduct in 2012, meant to offer guidance to lawyers about technology. The Technology Committee sponsored a CLE at the Bar Convention in January, featuring national experts Sharon Nelson and John Simek, who addressed best practices for lawyers to be ethically compliant and competent in the area of technology. They addressed three big areas: ethical competence in the digital area, disasters and data breaches, and the future of law practice. Here are some takeaways, but you can find this information and much more in the articles listed on their website, https://senseient.com.

Most, if not all, law firms have experienced a technology security event – from malware infections to total breaches. In light of that, firms should conduct security assessments and have incident response plans. Many cybersecurity insurance policies now require these (and the cost of cybersecurity insurance is reportedly rising). Firm training is also critical, since the majority of security incidents stem from human error and gullibility. Firms should have a security policy for employees to follow, covering backups, BYOD (bring your own device), acceptable use, and more. The incident response plan is what keeps a firm from running around like a chicken with … you know the rest. The plan should include contact information, immediate steps to take, and steps to resume operation. Most states have data breach notification laws, including South Carolina. Consult the law for your duties.

Ransomware attacks are evolving (think it’s some guy in Russia? These days it could be a bot or artificial intelligence). Ransoms being demanded are higher than most firms can pay. A new twist in ransomware: firms that ignore the ransom request because they have a good backup may find their data used or leaked to the dark web in retaliation for not paying. Some good news: success rates in thwarting ransomware are increasing if the FBI is notified within the first 24 hours. So, even if you have a backup, notify the authorities as soon as possible. Also good news: more banks are recognizing wire fraud attempts and stopping fraudulent transfers before they conclude.

Basic backup advice that applies to most law firm sizes: have a local (physical) backup and two cloud backups. Make sure your cloud provider allows you to control the encryption key. The speakers named Carbonite and Backblaze as good options. Make sure backups work by doing a test restore. One solo used a cloud backup and lost five years of law firm data because he’d never tried to verify whether the data was restorable and uncorrupted. Don’t take the word of the software that says “Backup successful!” – be certain. If you use a USB backup drive, disconnect it from the server once the backup is completed (more than one physical backup drive is recommended so you can swap them out). If you experience a ransomware attack and your backup is connected to your computer – well, there goes your backup.
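A test restore can be scripted rather than left to a “Backup successful!” message. The following is an added example, not the speakers’ tool or any named product: it archives a constructed sample client-files folder, restores the archive into a scratch directory, compares SHA-256 hashes file by file, and then shows a half-copied archive failing the same check.

```python
"""Prove a backup restores instead of trusting 'Backup successful!'.
Added example: archives a constructed sample folder with tar+gzip, restores it
into a scratch directory and compares every file's SHA-256 hash to the original.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path
from typing import Dict


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive the source folder; return the hashes to verify against later."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return hash_tree(source)


def verify_backup(archive: Path, expected: Dict[str, str]) -> bool:
    """Test restore: extract into a scratch directory and compare every hash.
    Any read error, missing file or changed byte counts as a failed backup."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
            restored = hash_tree(Path(scratch))
    except (tarfile.TarError, EOFError, OSError, zlib.error):
        return False
    return restored == expected


def demo() -> Dict[str, bool]:
    """Back up a constructed sample folder, verify it, then verify a copy that
    was cut off half-way (an interrupted copy or a failing disk)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "client_files"
        (src / "matters").mkdir(parents=True)
        (src / "matters" / "smith_v_jones.txt").write_text("constructed sample pleading\n")
        (src / "retainer.txt").write_text("constructed sample retainer agreement\n")
        archive = Path(work) / "backup.tar.gz"
        expected = make_backup(src, archive)
        intact = verify_backup(archive, expected)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a half-copied archive
        corrupt = verify_backup(archive, expected)
    return {"intact_archive_verified": intact, "corrupt_archive_verified": corrupt}


if __name__ == "__main__":
    print(demo())  # {'intact_archive_verified': True, 'corrupt_archive_verified': False}
```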

Zombie data, also known as “dark data,” is data you don’t realize you have. It can come up in data breaches or in cases during e-discovery. The speakers’ advice about old data: if you don’t need it, and are not legally required to preserve it, get rid of it! Don’t forget old email accounts – nearly everyone has old free email accounts they’ve ceased using. They’re ripe targets.

The speakers next turned to the Future of Law Practice. Consumers, accustomed to smart TV sets, doorbell security cameras, and Alexa, have rising expectations for lawyers. Consumers expect same day delivery of products, automated contract delivery, client portals and video chat. Trends that will grow include non-lawyer ownership of law firms, traditional legal work being done by non-lawyers and alternative legal services providers, and of course, Artificial Intelligence (AI). As an example of the rapid rate of change in AI, the speakers reported that the IBM Watson computer that defeated Ken Jennings at Jeopardy! in 2011 was the size of a master bedroom and weighed thousands of pounds. One year later, it was 18 x 36 inches and weighed just 100 pounds.

Although the term AI is often incorrectly used to hype products and sound cool, in reality, AI is already in widespread use in the world’s largest law firms (but the speakers were quick to say that it is also being used by solos). Lawyers use AI for contract review, due diligence, e-discovery, legal research, predictive analytics, and more. AI represents a direct threat to some legal job sectors, including lawyers performing document review, paralegals, and even first year associates. JPMorgan Chase uses COIN (Contract Intelligence) which in seconds can do the work formerly requiring 360,000 hours a year by lawyers and loan officers. 

Bar members can read many of Nelson and Simek’s articles on technology, security, ethics, and law practice on their website www.senseient.com, watch Sensei YouTube videos, or listen to Digital Detectives or The Digital Edge podcasts.  

The Bar also has many resources to help lawyers with technology questions, from a lending library of ABA technology books to online resources at www.scbar.org/pmap and the Technology Committee’s page, www.scbar.org/tech.

By: Courtney Troutman, Director
South Carolina Bar Practice Management Assistance Program

Mike Polk, Technology Committee Chair, South Carolina Bar
Belser & Belser, PA
Columbia, South Carolina

Phishing Update: A Whale of a Tale

Bar Bytes has previously addressed the dangers posed by “phishing” emails: messages that seek to trick recipients into revealing secrets and clicking on links or attached files that contain malware.[1] The points raised then remain valid today, and this update seeks to offer additional information and strategies for combating phishing attempts. Detecting and avoiding this threat requires constant vigilance; it only takes one mistake to compromise your data.

Know the Threat 

Phishing attempts take many forms, crafted with varying degrees of deception by scammers. While basic phishing attempts can be relatively easy to spot, targeted phishing attempts – known as “spear-phishing” – are much more troublesome. A spear-phishing email will attempt to trick you or others at your firm by masquerading as a message from a trusted sender. The message may appear to be from a co-worker, a client, or a third party such as a financial institution. Indeed, some scammers have used targeted emails to redirect wire transfers.[2] The scammer may include publicly available information, such as details gleaned from an online directory, or even your own website, to make the attempt look more convincing. A related tactic, known as “whaling,” is used to prey on an employee’s eagerness to please an employer and occurs when scammers impersonate the management or leadership of an organization. Instead of currying favor with a supervisor, the employee then unknowingly does the bidding of a scammer.

If you believe that an email is a phishing attempt, delete it and do not interact with the message in any way. Once the recipient of a phishing email has taken the bait and clicked on a malicious link or infected attachment, there is no going back. The recipient of the message may be tricked into revealing confidential information, or the email account may be hijacked and used for further phishing attacks. The affected computer may be stricken with “ransomware,” a type of malware that will encrypt your files and make them inaccessible unless you pay a fee to the scammers. A newer risk, dubbed “cryptojacking,” allows scammers to siphon processing power from your computer for their own projects – such as mining for cryptocurrencies like Bitcoin.[3] The best way to avoid these outcomes is to practice a balanced approach of detection and preparation.

Know Your Contacts 

To defend against all forms of phishing, it is helpful for everyone in the firm who uses a computer to be well-versed in recognizing the hallmarks of a phishing email, including: typos, an unfamiliar domain name in the sender’s email address, and demands for an immediate response. The increasingly sophisticated nature of spear-phishing and whaling attempts has made it imperative that suspicious emails be given additional scrutiny. If a dubious email appears to be from an acquaintance or co-worker, it is much better to call that person for verification than take the chance of being hoodwinked.

A recently reported example of a whaling scheme was directed at academia; scammers posing as deans or department heads attempted to trick faculty at multiple institutions into purchasing gift card codes for them as a favor (promising reimbursement, of course).[4] Those who responded to the phishing messages often found the requests odd, unprofessional, or otherwise unlike the individual the scammers were attempting to emulate. However, for newer faculty members – or those unfamiliar with the writing style of a new administrator – these messages can be harder to detect.

This scenario could easily play out in a law firm setting. Let’s suppose a newly hired employee receives such an email that appears to be from a supervisor, or even a partner. The email could ask the employee to perform any number of tasks: authorize a purchase, provide log-in credentials, or review an attached document that is infected with malware. Newer hires are especially at risk since they may not yet be familiar with the conversation style or writing habits of others in the firm. 

Know Your Plan 

Hope for the best, but prepare for the worst. Here are a few steps that you can take right now to shore up your defenses: 

  • Prepare a plan that details how your firm will respond to a successful cyberattack. Include procedures for isolating infected machines, responding to client inquiries, and for minimizing chaos in the wake of the attack. Consult an IT security professional for addressing additional concerns and consider your insurance options to ensure you have adequate coverage. 
  • Offer cybersecurity training for all employees, and especially new employees. 
  • Ensure that your computers and software are updated and have the latest security patches. 
  • Make routine back-ups of your files and keep at least one copy saved off-site. If your security is compromised, you may be able to restore your operations using one of these recent backups. 

Despite the best efforts at detecting phishing attempts, one may still slip past your defenses. If that happens, your preparation will be vital to preserving not only your data, but your reputation as well; how will your clients respond if your firm suffers a breach and you are caught completely off guard? 

For more information and helpful resources, please visit the University of South Carolina Law Library’s cybersecurity resource guide: https://guides.law.sc.edu/cybersecurity. 

Additional information on protecting your data also can be found on the South Carolina Bar Technology Committee’s page at http://www.scbar.org/tech. 

By: Aaron Glenn, JD, MLIS
Reference Librarian
University of South Carolina Law Library

Endnotes: 

  1. Courtney Kennaday & Emily Worley, Protection from Phishing, SC Lawyer, July 2016, at 10.
  2. Mark Bassingthwaighte, How to Minimize the Risk of Becoming a Victim of Wire Fraud, South Carolina Bar (Jan. 18, 2017), https://www.scbar.org/bar-news/article/how-minimize-risk-becoming-victim-wire-fraud/.
  3. James M. McCauley et al., Is It Ethical for Lawyers to Accept Bitcoins and Other Cryptocurrencies?, N.C. St. B.J., Fall 2018, at 36.
  4. Lindsay Ellis, Gift-Card Phishing Scheme Targets Professors’ Zeal to Please the Dean, The Chronicle of Higher Education, February 1, 2019, at A21.

Simple Data Security Steps

It costs little or nothing to prevent data theft or other digital mischief. Studies have repeatedly identified that you and your co-workers are far and away the most likely source of any digital security breach.  Computers and systems can only go so far in protecting us from our own laziness, bad habits, and outright goofball moves. 

Just a few habit changes and simple precautions will result in reasonable assurance that your digital information is safe from intrusion by all but the most dedicated hackers:

  • Use “strong” passwords and a different password for each device, site, and account.  If you do not know what a strong password is, use a password manager (see below) or other app to create them for you.  And don’t use any of these passwords (https://www.passwordrandom.com/most-popular-passwords).
  • Use a “Password Manager” such as OnePass or LastPass, which means you have to remember only a single (strong) password to unlock all the other passworded functions, and which can create “strong” passwords as needed.  Such programs save you from the big three password sins: (1) writing down passwords (and “hiding” them under your blotter, in your top drawer, or in a Word file); (2) using the same password for multiple purposes (one breach unlocks them all); and (3) not using “strong” passwords.
  • Don’t be “socially engineered.”  Heart rates go up a tick when you see an email pop in with the subject line “Urgent,” “Payroll,” or “Are you available?”  Better read “The 12 most common phishing email subject lines cyber criminals use to fool you”: https://www.zdnet.com/article/these-are-the-12-most-common-phishing-email-subject-lines-cyber-criminals-use-to-fool-you/.  BTW – this same 2019 study found that more than half of employees have replied to unsolicited emails or clicked links in them.
  • Don’t be a “phish.”  An amazing amount of information is just handed over to thieves by people believing that they are communicating with a client, a superior, or a government official.  For a good read on this see https://www.zdnet.com/article/what-is-phishing-how-to-protect-yourself-from-scam-emails-and-more/.
  • That includes government agencies, too.  As the federal government repeatedly broadcasts, the IRS does not call or email you out of the blue for any reason.  And whether IRS or not, don’t give your private information to anyone you do not positively know is on the other end of the line.  And don’t “correct” your personal information if someone says they have it but just want “to confirm” it – and gets it wrong.
  • Examine the email address. I can guarantee Bank of America or Citibank is not having someone from .az (Azerbaijan), .cz (Czech Republic), .ng (Nigeria) or .ru (Russia) working on account security issues.  Also look for closely misspelled email addresses (e.g., cittibank.com or citibanc.com instead of citibank.com). However, there are ways to fake email addresses as well as ways to fake website addresses. “Hovering” over a link in an email is no guarantee that it will reveal the “real” destination. If the email address looks authentic but the email is suspicious, call the purported sender to verify it.
  • Think before you toss or donate anything with a plug or USB port.  Almost all devices you use contain some type of information about you, your business, or your clients, including your cellphone.  But how about the office copier you just gave to the local homeless shelter or the thumb drive you threw in the trash?  In this TechCrunch story, a security researcher collected 366,300 files and images from 85 “discarded” devices he found. For information on safely disposing of old tech, see Old Technology & Equipment.
  • Finally, please don’t give “Nigerian Princes” or other “royalty” or corporate executives your credit card number, no matter what their love or sob story.  That includes “friends” who email you with “travel emergencies” that require immediate funds transfers to “save” them from further troubles.  You may laugh, but the “Nigerian Prince Scam” is still raking in the cash – a couple of years ago a raid in Nigeria netted $43.4 million in cash from a suspected “Prince.”
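The sender-address checks described in the “Examine the email address” item above, and in the “Know Your Contacts” section of the phishing update, can be automated as a first-pass filter. The following is an added example, not code from the Bar or any product: the trusted-domain list and sample From: headers are constructed for illustration, and a real deployment would tune both to the banks and firms you actually correspond with. It flags near-miss spellings (cittibank.com, citibanc.com), look-alike characters (“rn” for “m”), a trusted name buried as a subdomain, and the country-code domains the item singles out; as the article says, a clean result is not proof of authenticity, so the verdict is a prompt to verify by phone, not a guarantee.

```python
"""Flag sender domains that resemble, but are not, a firm's trusted domains.
Added example with constructed data; a flag means 'call the sender to verify'."""
import re
from typing import Dict, List

# Constructed for this example: domains the firm genuinely corresponds with.
TRUSTED_DOMAINS = {"citibank.com", "bankofamerica.com", "scbar.org"}

# Country-code domains the article calls out as implausible for a US bank's
# security team. Tune to the firm's own contacts before relying on it.
UNEXPECTED_TLDS = {"az", "cz", "ng", "ru"}

# Character swaps that make a typo-squatted domain read like the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header. The display name
    ('Citibank Security <...>') is ignored on purpose: it is trivially forged."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def normalize(domain: str) -> str:
    """Undo common look-alike substitutions before comparing spellings."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str) -> Dict[str, object]:
    """Return the sender domain, whether it is suspicious, and why."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "suspicious": False, "reasons": []}
    reasons: List[str] = []
    tld = domain.rsplit(".", 1)[-1]
    if tld in UNEXPECTED_TLDS:
        reasons.append(f"unexpected country-code TLD .{tld}")
    for trusted in TRUSTED_DOMAINS:
        if domain.startswith(trusted + "."):
            reasons.append(f"{trusted} used as a subdomain of {domain}")
        elif levenshtein(normalize(domain), trusted) <= 2:
            reasons.append(f"looks like {trusted} (near-miss spelling)")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ("Citibank Security <alerts@cittibank.com>",
                   "alerts@citibank.com",
                   "Citibank <security@citibank.com.account-check.ru>",
                   "HR <hr@bankofarnerica.com>"):
        print(header, "->", check_sender(header))
```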

Hopefully, you can see that reasonable digital security can be achieved by a few commonsense good practices. 

By: D.J. Rosinski, Esquire | South Carolina Bar Technology Committee