Law firms are tempting targets for cybercriminals. Learn how to keep your data safe.
In May of 2020, New York-based entertainment firm Grubman Shire Meiselas & Sacks made the type of headline that causes lawyers everywhere to knock on wood and – for the particularly savvy – invest in upgrades to security technology. The hacking group REvil announced that they had obtained 765 gigabytes of the firm’s data and demanded $21 million not to expose the private information of a client list including Madonna, Bruce Springsteen, and Mary J. Blige.
This breach is an example of a phishing scam. Phishing scams are attacks that imitate legitimate business communication in an attempt to trick unsuspecting users into downloading malware or giving out confidential information.
Because they handle so much sensitive data, law firms are a particularly enticing target for scammers. For lawyers, these scams can range from being duped into wiring money to the wrong bank to having your firm’s data stolen and held for ransom – as was the case with Grubman Shire Meiselas & Sacks.
Losing all of your data, or having it leaked, is a true nightmare scenario for a law firm. Luckily, following best practices in cybersecurity and investing in the right software can help keep your data safe.
Here are a few suggestions:
Use a Virtual Private Network
Have you ever checked a work email from a coffee shop? If so, you definitely need a Virtual Private Network (VPN). VPNs offer encrypted communication, which helps keep your data secure. They also increase privacy by preventing anybody from surveilling your online activity, meaning that VPNs are a smart choice for law firms even if you never access information on public networks.
Use Multi-factor Authentication
This step can stop somebody with your passwords from gaining access to your account.
Multi-factor authentication links your information with at least two separate devices. When you attempt to log in on a new device or from a new location, the system will verify your identity by sending a login code to one of your other devices. In order to log in to your email, a hacker would need to have access to not only your email password, but also the passcode for your phone, and likely even your physical cell phone.
Don’t Slack on Updates
Software makers continuously improve their products to keep abreast of new developments in antivirus technology. Use good antivirus software—and keep it updated—to protect your clients and yourself.
Go in Fear of Emails
Email scams are one of the ways that hackers try to get you to willingly turn over your information. If you think you would never fall for this, consider the fact that a well-crafted phishing scam can look like a link sent from a colleague or an exact replica of your bank’s login page. All you have to do is click the link or attempt to log in to your bank as usual, and you will have inadvertently done the hackers’ work for them.
Here are some red flags to look out for.
A strange “from” address. The email address should reflect the sender’s name and shouldn’t be a strange variant of what you’d expect. For example, if your firm’s email domain is @smithgreggers and you get an email from @smithgroggers, it isn’t a mistake—it’s an attempt to trick you into opening a link that may install malware on your computer.
Suspicious vagueness. Did a potential client open an email with “Hi” instead of “Dear Ms. Larson”? This may be a sign that the email was sent to hundreds of people in an attempt to solicit engagement. This is especially true if the vagueness continues—e.g., if it references living “in your area” or needing to connect about “a matter you recently discussed” instead of including concrete details that can only apply to your situation.
The news is too good. We all know the classic outlines of a con: if somebody offers you a lot of money for very little work, chances are there’s no money (and a world of hurt) awaiting those who engage.
It doesn’t sound right. Let’s say you get an email from someone in your firm that says, “Hi! I thought you’d want to open this link. ;)” If this doesn’t sound like an email your partner would write, then it probably isn’t. This likely means that hackers already have control of the email address of somebody at your firm, and they are using that email address to try to gain access to your data. It’s best to call IT immediately.
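The strange “from” address red flag above can also be checked automatically, for instance in a mail-triage script. The following Python code is an added example, not part of the original article; the ".example" domain suffix, the sample headers, and the two-edit threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the firm's real mail domain; ".example" is a placeholder suffix.
TRUSTED_DOMAINS = {"smithgreggers.example"}
MAX_EDITS = 2  # hypothetical threshold: 1-2 changed characters = lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', or 'external' for a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for good in trusted:
        # Exact match or a subdomain of the firm's own domain.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Close to, but not the same as, a trusted domain: quarantine or warn.
        if edit_distance(domain, good) <= MAX_EDITS:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Jane Larson <jlarson@smithgreggers.example>",
        "Jane Larson <jlarson@smithgroggers.example>",
        "Newsletter <news@unrelated.example>",
    ]
    for header in samples:
        print(f"{classify_sender(header):9}  {header}")
```

Messages classified as "lookalike" are the ones worth holding for review, since the display name alone would give no hint that the domain differs.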
A strong cybersecurity program requires both employee education and investment in the right technology. Following these practices will help you avoid having your data compromised.