Fraud Alert
By: Tana Christianson, Director – Insurance
Lawyers Indemnity Fund at the Law Society of BC sent out an alert about several BC law firms that had recently fallen victim to cybercrimes. I thought I would share it with you because any of these scenarios could happen to lawyers in Manitoba.
Three Successful Frauds:
1. Malicious emails sent to clients from law firm’s email account
At one firm, the criminal spoofed a lawyer’s email address and sent a fraudulent invoice to the lawyer’s assistant for payment. The assistant asked the lawyer for a file number to process the invoice, which revealed that the invoice and the email were fraudulent. No payment was made, and the firm thought it was in the clear. However, on the same day the hacker tried again, and this time gained access to the assistant’s email account. From that account the hacker caused 1,850 emails to be sent to about 850 people, asking each recipient to click on a link. Several recipients emailed the assistant to check whether the message was legitimate. Because the hacker controlled the mailbox, those replies went to the hacker, who answered them saying the message was legitimate and that they should click on the link.
In a similar scam in Manitoba, a lawyer’s email account was hacked and the hacker convinced some recipients to purchase Amazon gift cards and send them to an email address the hacker specified.
2. Compromised email sends fraudulent instructions to law firm’s bank
At another firm, an in-house bookkeeper’s email account was compromised. The hacker used it to email the firm’s bank and request that funds be sent to a different bank account. Fortunately, the bank contacted the firm directly to confirm the transfer to the new account, and the firm was able to stop it.
3. Lawyer logs into fraudulent email storage account
At a third firm, a lawyer received an email he thought was from the firm’s storage provider, stating that the firm’s disk space was full and including a log-in link. The email, the link and the login page were convincing but fraudulent. The lawyer clicked the link and entered his password, and the hacker gained access to the firm’s system.
What do Hackers Want?
Hackers want your money and your clients’ money. They also want access to your contacts so they can find new victims, using your name and reputation as bait. They want the information stored in your computer systems so they can sell it or use it for their own evil purposes. And some of them just enjoy making your life miserable.
How can You Frustrate Hackers?
BC’s insurer makes the following recommendations:
Hover: If you sense anything unusual, hover over (or click on) the sender’s name to reveal the actual email address behind it, and check that it is correct. For example, an email from someone within your office should come from the same domain your firm uses. Read the address character by character: criminals register lookalike domains that differ by a single letter, and a display name can be set to anything, including a colleague’s name or even a colleague’s email address. Do the same with any link before you click it, since the text of a link and the address it actually points to can differ. Remember too that, as in the first case above, a sender address can be spoofed outright, so a correct-looking address is not proof that the message is genuine.
Verify and confirm: If you unexpectedly receive a link or attachment – even if it is from someone you know – or sense anything unusual, call the sender using the telephone number you have on file (not the number listed in the message) to confirm the message is legitimate. Do not verify an email with an email.
Be private: Do not access private or confidential information in public spaces.
Routine backups: Regularly back up your systems and information to a location that is not connected in any way to your network.
Email security: Email is the single most-targeted point of entry into an organization for a criminal hacker. Have a competent IT professional on retainer and talk to your IT professional about measures to protect you from phishing attacks. Most importantly, TRAIN YOUR LAWYERS AND STAFF to spot phishing and fraud.
Wire transfer verification: Do not accept emailed instructions to transfer funds unless your client has confirmed the instructions by phone or in person – and make sure you are using a phone number you already have on file, not one taken from the email.
Password management: Create strong, unique passwords for each account. Change them regularly, and immediately if you suspect one has been exposed, and never share passwords with anyone. Don’t use the same password for different websites and programs. Encourage employees to use a password manager, which makes unique passwords practical.
Avoid public Wi-Fi: Avoid using public, unsecured Wi-Fi. The person getting their hair cut next to you may be stealing your passwords.
Multi-factor authentication: Require two different pieces of information to access email or your computer network: something you know (your password) plus something you have (a code from an authenticator app or text message, or a hardware security key). If a criminal acquires only your password, your email and network may still be safe. Turn it on for email first, since all three frauds above began with an email.
Think before you click: If you have opened a link or attachment you should have avoided, or a box appears asking for your password or other information, stop and close it. Then, immediately: call your IT consultant, inform the people you work with (by phone or in person, not by email) and prepare to notify your cyber insurer.
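The “Hover” check above can also be done programmatically on the raw From: header of a suspicious message. The following Python script is an added example written for this page, not code from the BC insurer or the Law Society; the firm domain (examplelaw.ca) and the sample headers are constructed assumptions. It pulls the real address out of the header, compares its domain with the firm’s own domain, flags lookalike domains (one letter off, or rn in place of m, 1 for l, 0 for o), and flags a display name that shows a different address from the one the mail actually came from.

```python
# Added example (not the insurer's or the Law Society's code): a programmatic
# version of the "Hover" check on a raw From: header.
# FIRM_DOMAIN and SAMPLE_HEADERS below are constructed assumptions.
import re
from email.utils import parseaddr

FIRM_DOMAIN = "examplelaw.ca"  # assumption: the firm's own mail domain

# Characters criminals swap for one another in lookalike domains.
GLYPH_TABLE = str.maketrans({"1": "l", "0": "o", "5": "s"})


def normalise(domain: str) -> str:
    """Fold common glyph confusions (rn for m, vv for w, 1 for l, 0 for o)."""
    return domain.lower().translate(GLYPH_TABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(s: str, t: str) -> int:
    """Levenshtein distance: number of single-character edits turning s into t."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def looks_alike(domain: str, reference: str) -> bool:
    """True when domain is a near miss of reference rather than plainly different."""
    if domain == reference:
        return False
    return normalise(domain) == normalise(reference) or edit_distance(domain, reference) == 1


def sender_address(from_header: str) -> tuple[str, str]:
    """Split a raw From: header into (display name, lower-cased address)."""
    name, addr = parseaddr(from_header)
    return name.strip(), addr.strip().lower()


def check_sender(from_header: str) -> list[str]:
    """Return the warnings a reader should act on for this From: header.

    An empty list means the address sits on the firm's own domain and the
    display name does not contradict it.  It does NOT prove the mail is
    genuine: a sender address can be spoofed outright, and a compromised
    colleague's account passes every check here, so verify by phone.
    """
    name, addr = sender_address(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    warnings = []
    domain = addr.rsplit("@", 1)[1]
    if domain != FIRM_DOMAIN:
        if looks_alike(domain, FIRM_DOMAIN):
            warnings.append(f"lookalike domain {domain!r} (expected {FIRM_DOMAIN!r})")
        else:
            warnings.append(f"external domain {domain!r}")
    # Classic trick: put a trusted address in the display name so the mail
    # client shows it, while the real address is somewhere else entirely.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr:
        warnings.append(f"display name shows {embedded.group(0)!r} but address is {addr!r}")
    return warnings


# Constructed sample headers, not taken from real messages.
SAMPLE_HEADERS = [
    "Jane Partner <jane@examplelaw.ca>",                      # genuine internal
    "Jane Partner <jane@exarnplelaw.ca>",                     # rn in place of m
    "Jane Partner <jane@examplelaw.co>",                      # one letter off
    '"jane@examplelaw.ca" <jane.partner@free-mail.example>',  # address in display name
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header) or ["ok"])
```

Run as a script, it prints one line per sample header with the warnings raised for it; the first header passes, the other three are flagged. A clean result only rules out the crude tricks: the header that passed here is exactly what a message from a compromised colleague’s account looks like, which is why the phone call in the next tip remains the real check.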
Cyber Insurance
Buy cyber insurance for you and your firm, as an add-on either to your professional liability excess insurance or to your general office policy. The Law Society of Manitoba has purchased a small first response policy for Manitoba lawyers which offers limited coverage for Security and Privacy Liability, Data Recovery, Event Management Expenses, Data Extortion and Bricking. Details of the Law Society policy coverage are available on the Member’s Portal.
Most cyber insurers require, at the very least:
- Weekly backups of data, stored offsite, and tested at least annually.
- Installation of critical patches, anti-virus software, and anti-spyware no later than two weeks after release.
- Installation, maintenance and active monitoring of firewalls and endpoint protection.
Be careful. Be aware. Think about the security of your email and computer systems. You wouldn’t leave the door to your office unlocked and unattended so strangers could wander through at will. Take the same care to protect your computer systems and email.
For more information visit the Cyber Security Resource Library: