Beware the malware

Earlier this month Steve Abrams of Abrams Cyberlaw and Forensics in Mount Pleasant accepted a case from a home buyer who lost hundreds of thousands through a wire scam.

A hacker had been able to access communications between the buyer’s real estate attorney and a real estate broker. When it came time to close on the sale, the attorney sent the broker instructions on how to transfer the buyer’s money into escrow. The hacker then sent a follow-up email from an address similar to the attorney’s, telling the broker to disregard the previous email and to put the money in another account.

The money disappeared.

The case is just one of four that Abrams is investigating right now.

“And I’m just one guy,” he said. “The real estate wire scam is the single most dangerous cyber-threat to attorneys at the moment.”

Around the same time, attorney Marshall Wall of Cranfill, Sumner & Hartzog in Raleigh woke up on a Saturday morning to find emails from his colleagues, inquiring about an email he had ostensibly sent them.

“Hello,” the email said. “I have a request I need you to handle urgently this morning please. Kindly Reply ASAP. Thanks. Marshall Wall.”

The stilted language was suspicious, and Wall’s colleagues didn’t take the bait.
“It was very quickly reported to our IT staff, and they blocked the address and we alerted everyone in all of our offices about the issue,” Wall said.

Cases like these illustrate that, now more than ever, diligence is key when it comes to cybersecurity.

“We didn’t think about this much at all when I first started practicing,” Wall said. “You had to worry about physical security. We still do have some paper documents filed that you don’t want someone to see, but so much of it is balancing security versus accessibility. People in the office want to have access to documents in our system when they are at home or when they are out of town for a deposition or a trial. The challenge is making sure that the right people can get to the right places in your systems and keeping the wrong people from getting in at all.”

Unfortunately, Wall said, many attorneys are behind the curve when it comes to cybersecurity, but there are steps and safeguards that Wall recommends firms take to ensure that their data and files aren’t exposed to the wrong eyes:

• Beware of phishing. The email Wall’s colleagues received contained his name, but it was from a Yahoo account, not his firm’s account. It may seem obvious, but attorneys and their employees should never open an email attachment from an unfamiliar email address, or reply to one.
• Build in two-factor authentication. This makes it more difficult for employees to access systems when they are not in the office, but firms should insist on it anyway. Wall’s firm requires that a user, in addition to entering their usual password, enter a code sent to a mobile phone number in order to log in to the firm’s data system.
  “It takes some getting used to, but it adds another layer of security,” Wall said.
• Use encryption. Laptops, tablets, phones, and removable media such as flash drives should be encrypted. Wall cites an instance where an unencrypted flash drive was lost in the mail. The envelope reached its destination, but the flash drive did not.

“Fortunately, personal information had been redacted from the documents on the flash drive, but it was hard to be reminded of this lesson,” he said.

• Map the data. Whether it’s medical records, employees’ Social Security numbers, or clients’ credit card numbers, know what data you have, where it is, and who has access to it.
• Check routing instructions. As in Abrams’s case, too many law firms have fallen victim to scams involving wire transfer fraud, especially related to real estate transactions. Confirm all wiring instructions, and if something seems amiss, follow up on it.
• Reconsider free Wi-Fi. Think before logging on to free Wi-Fi at the coffee shop, airport, or other public places. These are often insecure and can result in compromised networks. Wall says to consider Virtual Private Networks (VPN). There are free versions, but the ones you pay for are relatively inexpensive and work much better.

No matter how many safeguards and precautions law firms put in place, they only reduce the risk, not eradicate it. And when it comes down to it, it’s not the technology that puts firms in dangers–it’s how people use and abuse it, said Bryan Focht, an attorney in Charlotte whose areas of practice includes cybersecurity.

“Law firms, particularly smaller firms, underestimate how much they put absolute trust in all of their employees,” Focht said. “An internal actor is more likely to be involved in the hack than any other type of actor,” whether unintentionally or not.

People at the top and the bottom of a firm’s hierarchy may be the most vulnerable. Those at the top are often the least informed about cybersecurity risks, and those at the bottom simply might not care, particularly if they aren’t treated well.
“If your employees are mistreated, if they feel neglected, if they feel like what they are doing doesn’t really matter, you are never going to have a secure work environment,” Focht said.

Cybersecurity training for all employees is critical and necessary, but not enough.

“You can train anyone to do anything,” Focht said. “Getting them to actually do it once the training ends requires something else. They have to be motivated to do it based on the understanding that what they are doing it can help. There has to be an actual benefit, as well as a justification for achieving that benefit.”

Abrams recommends that law firms check their network infrastructure components, computers, and mobile communications devices for spyware regularly, and use antivirus and antispyware software.

He said perhaps the most important safeguard firms should have is insurance. Attorneys should purchase a malpractice insurance policy that includes cyber-threat insurance, or buy a separate policy.

“This will ultimately protect both you and your client,” Abrams said.

Follow Bill Cresenzo on Twitter @bcresenzosclw