
Law Practice Magazine

The Management Issue

Hot Buttons: Sometimes, a Phone Call Is the Answer: It’s Old-Fashioned Two-Factor Authentication

Daniel J Siegel

Summary

  • It is time that lawyers and law firms recognize that, despite the convenience of technology, including email, at times there is no substitute for a phone call, the type of personal authentication that is almost certainly not going to be hacked.

“Reach out and touch someone” was an advertising slogan AT&T used for many years. The message was simple: There is no substitute for hearing another person’s voice. The slogan highlighted the need for people to interact with each other. 

Attributed to Canadian educator and philosopher Marshall McLuhan, who also coined the phrases “The medium is the message” and “global village,” the slogan is perhaps truer now than ever before. Between the pandemic and the ubiquity of email and text communications, we seem to speak less than ever to others. 

An article from Forbes, “The Power of Connection Through Voice,” highlights the importance of hearing each other. The article explains that “Hearing the voices of others helps us solve problems and demands attention from both listener and speaker in a way that texting does not.”

Hearing another person’s voice makes a difference, which can be even more important for lawyers and firms. And hearing someone’s voice can also avoid problems for lawyers and firms; it is what I call the requirement for two-factor or multifactor authentication in legal transactions. Unfortunately, lawyers who do not employ this type of two-factor authentication, and the firms that do not mandate it, may not be meeting their ethical obligation to protect client information.

Allow me to explain with two examples, both true. Each situation could have been averted had the “victims” merely picked up a phone and verified that the persons they were communicating with, and to whom they were providing financial information, were who they thought they were.

In the first example, a lawyer represented a company selling its assets to another company. The attorney communicated with one person at the selling company, as well as counsel for the buyer. The sale price exceeded $1 million. As closing approached, the lawyer engaged in email exchanges with his client’s representative and the buyer’s representative, the latter with approval of the buyer’s counsel.

The lawyer received one email that appeared to be from his client’s representative, asking him whether he should send his “bank details where they will wire the money.” The lawyer gave his approval for the client to send the information so the buyer could provide it to their lender. He later received an email from the same email address used in the prior emails containing wire instructions, including the routing number, account owner (the seller), account number and bank address, which was out of state. The lawyer forwarded the instructions to buyer’s counsel.

After closing, the buyer’s counsel sent an email confirming the wire transfer. Several days later, the buyer’s counsel notified the lawyer by email that the seller did not receive the wired funds. At that point, the lawyer called his client, who believed that the issue was resolved. The next day, on a joint call with his client and the buyer’s lender, the lawyer realized that his email had been hacked and that the email instructions provided by his client, which were conveyed to buyer’s counsel, were fraudulent.

The buyer’s lender attempted to recall the wire transfer. But it was too late.

Meanwhile, the lawyer investigated and discovered that his client had been communicating with the cybercriminals, who were impersonating him and leading his client to believe that the delays were normal and that all was copacetic. Ultimately, the lawyer discovered that the hackers had created a separate email address that ended in lavv.com rather than law.com. Thus, the wire instructions were sent to the hackers rather than the lawyer.

In the second example, the City of Chester, Pennsylvania, was victimized by a phishing scam. According to The Philadelphia Inquirer, the theft occurred when the City of Chester’s director of accounts and finance received an email that he believed came from the city’s workers’ compensation insurance broker, asking for the city’s monthly payment. The individual then paid the bill, only to discover later that the request for payment was from a thief who had created a false email address that closely resembled the insurance firm’s email. The City of Chester lost $400,000 because of the error, and subsequently filed for bankruptcy.

Both situations arose because there was no verbal communication. They arose because the lawyer and the Chester official simply relied upon email and never took any steps before setting into motion the communications and payments that together ultimately cost more than $1.5 million. Worse, the lawyer is now embroiled in a controversy with his client, and likely will be subject to malpractice and negligence claims, and potentially a disciplinary proceeding.

These situations arose because no one picked up a phone, no one sent a text message and no one took any action except to respond to emails.

In each case, those victimized were lazy or ignorant, or both. They failed to heed the most basic of advice: Look closely at the links in emails, and look closely at the email address of the sender to confirm it really is the person or entity you think it is.

Which brings us back to two-factor authentication as a method of email security. According to the Cybersecurity and Infrastructure Security Agency’s fact sheet, CISA Insights: Enhance Email & Web Security, “Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data via unencrypted HTTP protocol, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and the modification of the data itself.”

The fact sheet also addresses “spoofing” emails like the one involving the lawyer, noting that “Other organizations or members of the public might receive spoofed emails, perceive them to be from an authoritative source, and act on them. Internal employees may assume spoofed emails are legitimate and act upon them. If an attacker is successfully spoofing a domain in order to send malicious emails from it, this can significantly harm the affected organization’s reputation.”

This guidance summarizes what happened in the examples cited above. For the lawyer, his client was the subject of emails that spoofed the law firm’s domain. Conversely, the city official failed to review the email closely and followed a phishing link that led to the hackers’ account.

In both cases, email was not secure. That is not news and should not be news to attorneys. Many years ago, a website that has since been retired described email as “quick, convenient, cheap [and as] unprivate as it could be while being so quick, convenient, and cheap. Email is as public as a postcard! Every message you send through the Internet can easily be snatched and scanned for interesting details by anyone having the necessary knowledge. Privacy is virtually nonexistent online.” Despite the ubiquity of the warnings, many attorneys still do not understand how email can be so easily hacked. To them, it is like the old game of connecting two tin cans together and speaking from one can to another. To them, the string is the safe connection. In fact, the string is the Achilles heel of email, because anyone savvy enough can view email messages, along with the attachments.

How Does Email Work?

SecureDocs explains that “an email does not simply go from the sender to the recipient instantaneously. [M]ost emails have to travel across multiple networks and servers before arriving in their intended audience’s inbox. These pause points expose emails to attack, usually due to unsecured networks, vulnerable servers, and the people savvy enough to hack them. Moreover, because email messages generally aren’t encrypted, hackers who manage to break into a network or server can easily read those emails, as well as any accompanying attachments. Some servers store emails that are decades old, and some that were actually deleted at some point. Even if hackers don’t directly target or obtain email messages, they can go after the password needed to enter an email account since many providers don’t require two-factor authentication.”

Against that backdrop, let’s consider the relationship between these two situations and reaching out and touching someone, as well as the lessons for all of us.

If the lawyer and the city official had each reached out and made a telephone call and spoken with the persons they needed to, they would have discovered that their communications were hacked and/or spoofed, because phone calls are, at their core, nothing more than old-fashioned two-factor authentication.

Therein lies the lesson. Law firms must be vigilant and must take proactive steps to avoid becoming the subject of a story, or worse. Implementing the following process is one method of dealing with the problem:

  1. Train every member of your staff about the risks of email.
  2. Implement best practices for email security.
  3. Conduct random testing to determine if staff are following the protocols and best practices.
  4. Require that all staff who deal with financial transactions confirm all transactions verbally—that is, by phone calls with confirmation of the identity of all parties to the call—before providing any financial information.
  5. Limit situations where financial information is provided electronically.

Let’s look at the components of this process. First, staff must understand how email works and how hackers are able to infiltrate email and then perform their criminal activity.

Second, they must learn about the various types of email threats:

  • ransomware
  • phishing
  • CEO fraud
  • malware
  • malicious links
  • keyloggers

Finally, training will address how to spot the signs of these methods of attack and what to do when you see one. That awareness was missing in the examples cited.

Consider the planning that went into the attack the lawyer experienced. First, the hackers had to gain access to the law firm’s email. Second, after they gained access to the email, they likely accessed other areas of the firm’s technological infrastructure to determine how they could most effectively benefit from their access.

At some point, the hackers were able to view the firm’s incoming and outgoing email. They were also able to create a fake domain (web address) that ended in lavv.com instead of law.com, which they would later use when the situation arose. Because of the similarity in domain names, and the fact that most people do not pay attention to the “To” and “From” fields in email, they could ultimately implement their scheme when they viewed email that likely would lead to a large payday.
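The lookalike-domain trick described above (lavv.com in place of law.com) and the phone-confirmation rule in step 4 of the process can both be turned into a mechanical pre-check a firm runs on incoming mail. The following is an added example, not code from the column or from any product it mentions; the trusted-domain list, the confusable-character table and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains of the firm and its known counterparties.
TRUSTED_DOMAINS = {"law.com", "example-insurer.com"}

# Character pairs that look alike in many fonts (vv ~ w, rn ~ m, 1 ~ l, 0 ~ o, cl ~ d).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o"), ("cl", "d")]

# Phrases that signal payment instructions and therefore require a phone call.
WIRE_TERMS = re.compile(r"\b(wire|routing number|account number|bank details)\b", re.I)

def normalize(domain):
    """Collapse confusable sequences so lavv.com and law.com compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Plain Levenshtein distance, to catch one-character typosquats (law.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(d) == normalize(trusted) or edit_distance(d, trusted) <= 1:
            return trusted
    return None

def triage(raw_email):
    """Flag sender/reply-to lookalikes and any payment instructions in a raw message."""
    msg = message_from_string(raw_email)
    _, from_addr = parseaddr(msg["From"])
    _, reply_to = parseaddr(msg.get("Reply-To", msg["From"]))
    findings = []
    for label, addr in (("From", from_addr), ("Reply-To", reply_to)):
        domain = addr.rpartition("@")[2]
        target = lookalike_of(domain)
        if target:
            findings.append(f"{label} domain {domain} looks like {target}")
    if WIRE_TERMS.search(msg.get_payload()):
        findings.append("payment instructions: confirm by phone at a known number before acting")
    return findings

# Constructed sample modelled on the column's first example.
SAMPLE = """From: Client Rep <rep@lavv.com>
To: lawyer@law.com
Subject: Re: Closing
Reply-To: rep@lavv.com

Please find our bank details where they will wire the money. Routing number below.
"""
```

A hit on either check is a reason to stop and call the counterparty at a number already on file, never one taken from the message itself.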

Eventually, the thieves spotted the email exchange about the sale of the business and recognized their opportunity. They almost certainly reviewed any documents that were attached to the emails, which were probably not encrypted/password protected, and discovered that this was a seven-figure transaction.

From there, they waited for the moment to strike and ultimately did. The rest is history.

For the City of Chester, email awareness training would have included the most basic information about phishing, that is, to examine every link. While it is likely that the hackers also had gained access to the city’s technological infrastructure to be able to know who the insurance provider was, had the city official examined the hyperlink and recognized that it did not take him to the insurer’s website, he would not have paid the bogus invoice.

Which brings us back to the core of this column, the need for phone calls and personal communication. All too often, we default to email when, at times, it is more effective and safer to make a phone call. HubSpot has outlined six situations when a phone call is preferable to an email:

  1. When you want to apologize;
  2. When you anticipate a lot of questions;
  3. When you have to explain something complicated;
  4. When you’ve taken way too long to respond;
  5. When you need to discuss something personal;
  6. When it’s really important.

The last item applies to financial transactions such as those here. Any transaction involving money, which generally involves disclosing account numbers, should be handled, or at a minimum confirmed, by phone. That type of two-factor or multifactor authentication (MFA) is not only practical, it is a best practice. After all, when I learned about each incident, my first thought was, “What were they thinking? A phone call would have prevented everything.” You readers hopefully had the same thought.

Therein lies the answer. As CISA explains, “Users who enable MFA are significantly less likely to get hacked, according to Microsoft. Why? Because even if a malicious cyber actor compromises one factor (like your password), they will be unable to meet the second authentication requirement, which ultimately stops them from gaining access to your accounts.”

It is time that lawyers and law firms recognize that, despite the convenience of technology, including email, at times there is no substitute for a phone call—the type of personal authentication that is almost certainly not going to be hacked.
