Vol. 41, No. 3

A problem both old and new: Cyber scammers innovate but rely on human nature

by Dan Kittay

As breaches of cybersecurity occur with increasing frequency throughout society, from Yahoo to the Democratic National Committee, bar associations find themselves with two missions: to protect their own data, which contains confidential information about their members, and to advise those same members on how they should protect their own data—especially that which contains confidential client information.

The focus on security has hit home particularly for those bar associations that in recent months learned that their members were receiving fake emails purporting to be from the bar, and informing the lawyer that a disciplinary complaint had been filed. The emails, part of a phishing scheme, contained instructions to click on a link to learn about the specific charges. The links led to phony websites that then attempted to install malware.
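An added example, not from the article or from any of the bars quoted: a small Python heuristic of the kind a mail administrator might run over incoming messages to flag the scam described above, where the display name claims to be the bar, the link points somewhere else, and the text presses the reader to act on a "complaint". The bar name and domain (examplebar.org) and both sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed identity of the legitimate bar association (placeholder values).
BAR_NAME = "example bar association"
BAR_DOMAIN = "examplebar.org"
# Phrases the fake "disciplinary complaint" emails lean on to create urgency.
URGENCY_TERMS = ("disciplinary complaint", "complaint has been filed", "review the charges")

# Constructed sample messages, not real mail.
PHISH = """From: Example Bar Association <complaints@examplebar-notice.com>
Subject: Disciplinary complaint filed against you

A disciplinary complaint has been filed against you. Review the charges at
http://examplebar-notice.com/complaint/view before the deadline.
"""
LEGIT = """From: Example Bar Association <cle@examplebar.org>
Subject: CLE program next month

Register at https://www.examplebar.org/cle
"""

def is_official(host):
    """True if host is the bar's domain or one of its subdomains."""
    return host == BAR_DOMAIN or host.endswith("." + BAR_DOMAIN)

def is_lookalike(host, legit):
    """True if host borrows the bar's name (e.g. examplebar-notice.com) but is not official."""
    return not is_official(host) and legit.split(".")[0] in host

def link_hosts(body):
    """Hostnames of every http(s) URL in the message body."""
    return {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}

def assess(raw):
    """Return the reasons a message looks like a bar-impersonation phish ([] if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload().lower()
    claims_bar = BAR_NAME in name.lower() or is_lookalike(sender_domain, BAR_DOMAIN)
    reasons = []
    if claims_bar and not is_official(sender_domain):
        reasons.append(f"claims to be the bar but was sent from {sender_domain}")
    for host in link_hosts(body):
        if claims_bar and not is_official(host):
            reasons.append(f"link points off the bar's domain: {host}")
    if any(term in body for term in URGENCY_TERMS):
        reasons.append("urgency language about a complaint")
    return reasons
```

A message with two or more reasons is a strong candidate for quarantine or for the kind of member-wide alert the OBA sent; a single reason (an off-domain link alone, say) is a prompt to confirm with the bar by phone before clicking.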

The Oklahoma Bar Association was one of the bars whose members received such emails, and “the phones lit up” with calls from concerned lawyers, says Jim Calloway, director of the bar’s Management Assistance Program. OBA officials realized quickly what had happened, and within a short time sent an email to all members alerting them to the scam, and warning them not to click on any links, Calloway says.

Incidents such as the fake emails don’t necessarily mean that a bar’s defenses were breached, Calloway notes, adding that the OBA was not aware of any successful hacks. “There are all kinds of places on the ‘dark web’ where you can buy email lists, including those of certain professions,” he notes. “It all depends on how much you want to pay.”

Ransomware: a fast-growing threat

Regardless of whether there were actual breaches, the incidents bring to light the need to make sure that digital information is secured as tightly as possible. Some of the malware in recent attacks on law firms and other businesses contains ransomware, software that can encrypt the data on a computer and force the computer owner to pay a “ransom” to have the data decrypted, says Catherine Sanders Reach, director of Law Practice Management & Technology at the Chicago Bar Association.

If members think that a bar’s database has been used by spammers to contact an attorney who may click on a link and then have their computer locked by ransomware, “while it may not have a direct effect on you, it’s a reputation thing that you do not want to suffer through,” Reach says.

Ransomware attacks against law firms and other businesses are “the fastest growing threat that we see across industries,” says Trey Forgety, director of government affairs and regulatory counsel to NENA: The 9-1-1 Association. “In the past we’ve worried a lot about data theft, and the embarrassment of client information or firm information being shown to parties that aren’t entitled to it. Now, the biggest concern is the threat to the attorney’s business.”  

The typical ransomware attack starts when someone looks for a system that is especially easy to breach, says Forgety, who recently wrote an article for the Tennessee Bar Journal on keeping client information safe.

“For some law firms, the client data that you have represents an enormous investment of time and money that you don’t want to lose,” he adds. “It would be damaging to your business to lose it, so in a lot of cases people pay up.”

But even paying the ransom to have the data decrypted doesn’t ensure that a lawyer’s problem will end, he continues: “Those same folks who are encrypting the data could later say, ‘I made a copy of it, and unless you take such-and-such an action, I’ll release it.’ Those are equally serious harms.”

Just as the belief by members that a spoof email came from a bar association can harm that bar’s reputation, the loss of client information can do permanent damage to a firm’s reputation, notes the OBA’s Calloway. Whether the loss occurs by a breach of the system, or something simpler such as a laptop with unencrypted information being stolen, the impact can be severe.

“The last thing a law firm wants to do,” he says, “is have to tell hundreds of clients, ‘We may have lost your data … we don’t think so’ because some associate has a laptop stolen.”

The weakest link? People

One common thread underlying many cybersecurity issues is that they require the computer user to take some action, generally to click on a link or an attachment, in order for the malware to inflict its harm. While there are all kinds of hardware and software defenses that experts recommend, the careless or unsuspecting click can easily defeat them.

“The sophistication of all this malware hasn’t improved all that much,” notes the CBA’s Reach. “Mostly it’s relying on being smarter at tricking someone using social engineering to get them to click on something because it looks interesting, or scary. It's relying on the weakness of people.”

Training: not a one-time event

Because of the human error factor, many bars are directing their education efforts—both internally for staff, and externally in CLE programming—on getting computer users to understand how their actions make a big difference in the success or failure of malware campaigns.

One such CLE program, at the CBA, covered how to stay safe both in the office and at home. The material covered such topics as email, passwords, and social media hazards, such as messages on Facebook that indicate that a user has to click something in order to prevent Facebook from taking some action, Reach says.

During the program, she showed examples of the kinds of tricks spammers use to get people to do something that leads to malware being installed. “If it looks scary or too good to be true, then it’s probably something that is trying to get you to take an action that you shouldn’t take,” she says. “You need to be really, really diligent about not clicking on things until you’ve confirmed that they’re legit.”

Even if an email comes from someone you know, it could actually be from someone who is using the address of the person you know in order to get you to trust that the attachment or link is valid. You don’t want to click on anything until you’ve confirmed that the email is genuine. “I hate that you have to be suspicious of everybody,” Reach says, “but you have to be suspicious of everybody.”

Calloway offers similar advice to OBA staffers. “Any business that uses email has to do regular training of its staff, to let them know about email threats, and to let them know that there is no urgency about clicking on an attachment,” he believes. “Doing [the training] once and forgetting about it doesn’t work. You have to do it at least two or three times a year, do it until they’re bored, and keep doing these programs until everybody’s rolling their eyes. Then they’ll remember when it happens to them.”

In a recent report, the Virginia State Bar’s Study Committee on the Future of Law Practice discussed the growing importance of cybersecurity, and offered advice for members on best practices. “There is no such thing as ‘set it and forget it’ when it comes to security,” the report states. “The threats and the defenses to those threats change constantly and firms must strive to keep up with the changes.” (Note: This bar-produced “future report” differs from some others in its unusually detailed focus on cybersecurity.)

Does your network have a hole in it?

One bar that learned its lessons early on is the State Bar of Wisconsin. Back in the days before Google existed, a bar IT person had opened a “back door” in the bar’s network in order to allow some other function to take place, says George Brown, the bar’s executive director. It wasn’t considered as much of an issue at the time, since there was no easy way for people to find the bar’s network online.

Once Google came into existence, it began searching the web for all available content. One day, about eight years ago, a bar staffer googled himself—and one of the results was a message he’d put on a confidential bar Listserv the day before. Ultimately, it turned out that Google had been using the “back door” to index about two years’ worth of WSB Listserv traffic. The bar closed the hole and was eventually able to get Google to remove the content.

The heightened sense of security led to actions such as co-hosting the bar’s website offsite and requiring employees to change their passwords every three months.

Brown says he sees a greater awareness of security issues when he talks to NABE colleagues than he did in the past. “It’s a different world than it was even five years ago,” he says, “and the opportunities are greater for people to cause mischief of one form or another. It’s not too much to be hyper vigilant.”