Do junk and spam emails overflow your inbox? What about those emails that appear to be from a friend or colleague, but you’re not quite sure? Or an unsolicited business opportunity that seems too good to be true?
Cybercriminals bombard us with new tricks and ploys asking victims to grant access to otherwise protected accounts and data, often through phishing emails. A variation of this scam – spear phishing – takes a more targeted approach to a specific person or organization. Roughly $500 million a year is being scammed from phishing attacks alone, according to the FBI. And those are just the cases law enforcement knows about.
A February 2019 study on company data security by Ponemon Institute LLC (and sponsored by Experian), reported that only 47 percent of organizations train employees to recognize and minimize phishing scams. Privacy and data protection awareness programs for employees and others who have access to sensitive information have reduced the likelihood of a data breach. Seventy-nine percent of respondents from organizations that haven’t experienced a data breach say they provide such training, according to the same study.
Lawyers’ ethical responsibility
The ethical responsibility to protect and preserve client information is universal. However, for so many attorneys across the U.S., IT consulting work is outsourced. Consequently, there are few opportunities for proper training on themes of cybersecurity and data protection. This is especially true of solo and small firm attorneys.
This important topics was addressed in a 2019 ABA TechShow session called, “Avoid Swimming with the Phishes.” Speakers covered how to avoid malware, ransomware and phishing email attacks by learning how to spot the tell-tale signs of phishing scams.
Sherri Davidoff, CEO of BrightWise and founder of LMG Security, joined Ian Hu, counsel for lawPRO, to provide tips for becoming aware of threats to your online well-being. They also discussed the biggest threat to your clients’ data – YOU! Or, as they put it, “PEBCAK” (Problem Exists Between Chair and Keyboard).
Davidoff and Hu explained how hackers can use phishing scams to obtain credentials and move through a digital environment as if they were the authorized user. Often through phishing emails and fake websites, unsuspecting users are persuaded to reveal login information or install malware. From there, attackers can access and control data, sometimes doing so for months without detection. If attackers have the proper credentials, virus protection and some security controls offer little help.
Tips for protecting data from phishing scams
Here are helpful tips for protecting your organization and your clients from an attack:
- Use two-factor or multi-factor authentication: Just like protecting yourself and your home, no level of defense can offer complete protection. However, the more layers of defense applied, the more difficult it is for a break-in to happen. Extra layers of defense may also deter would-be burglars or hackers. Learn more about How to Use Two-Factor Authentication in your business and personal dealings.
- Use VPNs for security: Virtual private networks (VPNs) help secure privacy and data, especially when you’re operating over a public access point. For example, if you’re checking your emails or surfing online (often for free) in a coffee shop, your information is “open.” This means someone with the right software and hardware can track and access your data flow. Activating a VPN on your computer or device will help encrypt your flow of communication. Many affordable VPN services are available.
- Use secured communication for important information: Phishing emails may direct you to a fake webpage that’s constructed to look like the authentic page. This may trick you into inputting your login, password and more.It’s important to be sure that the website you’re accessing is legit. Start by looking for a secure website that starts with “https” and often has a locked lock symbol in the address bar. When in doubt, navigate to the login or desired input page from the company’s website rather than clicking a link in the (phishing) email. If you call to confirm the website’s validity, look up the phone number instead of relying on a number provided.
- Keep your computer updated: Cyberattacks use ever-changing techniques to hack into your data. They also use ever-changing code. Your operating system developer (Microsoft or Apple) has dedicated software engineers creating updates to better protect you from malicious attacks. Check for updates often and install/reboot whenever you find new ones. Microsoft releases regular software updates via Windows Update that can be done automatically behind the scenes.
- Use antivirus software: Software tools can prevent, detect and remove spyware, adware, ransomware and malware threats. A good anti-virus program that incorporates anti-spyware, anti-adware and anti-ransomware protections will help keep you safe. Just like your system software, keep your anti-virus program updated by downloading and installing updates as they become available.
- Be suspicious of pop-ups: Pop-up windows often impersonate components of a website. They can be another phishing tool to redirect you to an unscrupulous website or start an unauthorized download. Popular browsers allow you to control pop-ups far better these days, including on a case-by-case basis from legitimate pages. When you suspect a pop-up, pay extra attention to clicking the correct “X” button to close it. Do not click “Cancel,” “OK” or otherwise. Look for the small “X” in the upper corner of the pop-up or, when in doubt, close and restart the browser program.
- Use caution with all emails.
- Unfamiliar “From” address: Make sure the sender’s name coincides with the email address and isn’t from an unfamiliar domain. Hover over the email address (or links in the email) to see a more detailed description or the destination of a link. When in doubt, delete the email without opening it.
- Vague greeting: A classic phishing scam giveaway is a vague greeting like “Hi there” or “Dearest Sir.” These are likely mass emails. Nevertheless, targeted spear phishing scams may use an accurate salutation with your name. The greeting should be just one factor to consider when opening an email.
- Poor spelling and grammar: Spelling and grammar mistakes should raise an eyebrow. Hackers often aren’t the most eloquent. Sometimes they purposefully try to bypass email spam filters.
- Offers of money or prizes: Do you really think you’re going to receive a $1 million lotto announcement via email? Would your bank want you to “update your records” or “login for an important message”? Confirm via another communication channel if you’re suspicious.
- Valid email, but odd message: The most dangerous type of phishing scam is when a legitimate account has been hacked. Emails with attachments and links deserve extra scrutiny, even from a known friend or colleague. Pick up the phone and call to confirm. Don’t reply to the email to ask (i.e., talk to the hacker). Don’t open attachments or click links without confirming.
Keep these tips in mind as you navigate online and email communication. While technology providers are constantly updating their software protections, we must also practice prevention to avoid a data breach. For lawyers, technology competency is demanded.