As the Internet continues to grow in popularity it has spawned a corresponding industry of crime, inspiring thieves to pan for Internet gold in the form of various schemes and scams. Some scammers have specifically targeted lawyers, leaving them on the hook for hundreds of thousands of dollars, potentially ruining their practices and livelihoods, and in one case prompting a bank to sue the lawyer. Here are three noteworthy types of online threats to look out for and corresponding solutions.
Threat: phishing and spoofing via e-mail
Imagine receiving an e-mail message appearing to originate from a court and filled out with your personal name, firm name and phone number. Imagine that the message directs you to appear in court and claims that a relevant subpoena can be downloaded by clicking on a link in the message. Would you momentarily forget about proper subpoena service procedure, perhaps out of fear or curiosity, and click on the link?
According to the New York Times, in April 2008 as many as 1,800 company executives clicked on such links in e-mail messages which appeared to originate from the United States District Court in San Diego and which directed them to appear before a grand jury in a lawsuit. Each message contained the executive’s name, company name and phone number, and contained a link which would allegedly allow the executive to download the relevant subpoena online. When clicked, the link led to a spoofed Web site designed to download a malware-infested plug-in to allow identity thieves to control the CEOs’ computers remotely, opening the doors to identity theft and theft of valuable corporate information.
Many people have heard of phishing attacks by now: online scams in which identity thieves try to trick you into revealing sensitive data such as usernames, passwords and credit card numbers, which they then use to drain your bank and credit card accounts and open new accounts in your name. Phishing attempts are often combined with spoofing attacks, in which thieves send e-mails that appear to come from trusted sources, such as your bank or a legitimate company such as eBay or PayPal, and that link to spoofed Web sites. Many times these e-mails contain “urgent” messages such as, “Problems have been detected with your account,” in the hopes that you will click on the link to the spoofed Web site and enter your account information for the identity thieves to steal.
While many computer users today know to be wary of such scams, scammers are getting more sophisticated, performing targeted attacks called “spear phishing” and “whaling,” such as the attack on company CEOs mentioned above. Spear phishing refers to the practice of targeting specific individuals, researching publicly available information about the target, and tailoring the attack with the information to make the messages seem more credible. Valuable information for spear phishing is often found on social networking sites like Facebook, business networking sites like LinkedIn, and corporate websites which reveal corporate structure and personnel information. Whaling is spear phishing that targets the “big fish,” such as an organization’s executives, in hopes of accessing trade secrets and information that can result in a high payoff to the identity thieves.
Never provide your personal information, passwords or other confidential information in response to a request that you did not initiate, whether over the phone or over the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself. Do not transact business online by following links from e-mails; navigate to trusted Web sites yourself. Additionally, research the matter and ask for references. Also, directly contact people such as friends or people in your organization who may have been mentioned in any correspondence, and contact courts and companies over the phone to verify if the information conveyed to you is legitimate.
Threat: Web browser vulnerabilities
Surfing the Internet these days can be dangerous. Imagine trying to browse to your bank’s Web site, and secretly being redirected to a spoofed site. Would you be able to tell the difference? Pharming attacks like this can occur when identity thieves intercept users’ browsers en route to legitimate Web sites, and redirect their browsers to fake, spoofed Web sites. Pharming attacks are more sophisticated than phishing attacks and harder to detect. One cybercrime group, in a pharming attack using a Trojan horse virus, was able to redirect victims’ browsers to spoofed banking sites and was able to steal the login information for more than half-a-million bank and credit card accounts.
Has your computer been running slow lately? Perhaps it has been taken over and is being used as a “zombie” in a “botnet” to send out spam and perform illegal activities. Robot network (botnet) attacks result when hackers infect and then take over widely dispersed networks of vulnerable PCs in order to steal financial account data, send out spam and perform other illicit activities.
Threat: Lawyer e-mail scams
Have you ever received an e-mail message, purportedly from someone in a foreign country, asking for your assistance in transferring a large amount of money out of the country in return for a cut? Many of us have, and for most of us, these e-mail messages scream “Scam!!!” Detecting such "Nigerian bank scams" may be old hat to you, but beware, a new twist has recently emerged specifically targeting lawyers. Reports have emerged of lawyers in California and Georgia being taken in by similar e-mail scams with repercussions including losses to individual lawyers to the tune of hundreds of thousands of dollars, law firm accounts frozen by banks and a lawsuit by a bank against a lawyer for repayment of the funds in question.
Here’s how the scam typically works: a lawyer receives an e-mail message supposedly from an overseas company seeking legal help in collecting a debt from a U.S. company. The lawyer might research the overseas company by name, and find out that such a company exists and is a reputable company. However, the scammers are likely using a reputable company’s name but have provided their own contact information not connected to the legitimate company. The scammers will ask to arrange an attorney-client agreement/retainer/engagement letter, which may pique the lawyer’s interest further. If this is arranged, the scammers may inform the attorney that the debtor company has agreed to pay its debt and is sending a check to the lawyer. The lawyer will receive a check and is asked to deposit it in the lawyer’s account and wire the amount, minus legal fees for the lawyer, to the scammers. The scammers may say that they urgently need the money and ask for the lawyer to wire it as soon as possible. The lawyer may wire the money, and the bank may then discover that the check was counterfeit, and will demand that the lawyer repay the wired money if it is too late to prevent the wire from going through. If the wire went through, the bank may freeze the lawyer’s accounts, and may even sue the lawyer for repayment—of course the scammers may have received the money and are nowhere to be found.
Always be wary of solicitations that sound too good to be true. Research any such individuals and companies, ask for references, consult your peers, and don’t forget the “smell test.” Find official contact information for the company from a trusted reference source and contact the official number by phone for verification—often scammers use the name of a real, trusted company, but give fake contact information that is a direct line to the scammers themselves. Whenever wiring funds from a deposited check to another party, make sure that the check has actually cleared and been verified as non-counterfeit. Apparently banks may make funds available prior to verification of the check having cleared based on the banking relationship with the lawyer. Deliberate misinformation in the check routing numbers can cause the item to be misrouted thus delaying its verification, so it is very important for lawyers to be patient in waiting for the bank to verify that the check is not counterfeit and that it has cleared. If the lawyer wires the money prior to verification and the check later bounces, the lawyer may be responsible for repaying the funds to the bank, and the bank may freeze the lawyer’s accounts until the funds are repaid, and may even take the step of suing the lawyer for repayment of the extended funds. Ideally, following some of the steps above will prevent you from ever getting to the stage of depositing a fraudulent check in the first place—remember to stay vigilant in all stages of client selection.
This article first appeared in YourABA e-newsletter, a monthly publication distributed via email to all ABA members.