As published in the Daily Report.  Written by Jeb Butler and Sameer Joshi.

Practical Cybersecurity for Busy Law Firms

Cybersecurity protection is like health insurance: you don’t miss it until you need it.  By then, it’s too late.

Internet thieves are attacking Georgia’s legal community.  On January 17, the Daily Report described how an impostor tricked an insurance company into depositing over $3 million into the wrong lawyer’s bank account by spoofing the policyholder’s email address.  Over the past six months, the personal injury firm where I practice, Butler Tobin, has been the subject of a half-dozen attacks targeted specifically at our six-person firm—and two of them nearly succeeded.

What to do?  If you have the budget, you can hire my friend and co-author, Sameer Joshi, who consults on cybersecurity with Systems Evolution, Inc.  If you don’t, there are a few simple steps that you can take to dramatically lower your risk of ending up on the wrong side of a cybersecurity article in the Daily Report.

Passwords

Have you been using the same password at different websites for years?  If so, stop now.

Even if you haven’t done anything to leak your password, some website where you once used the password probably has.  For instance, LinkedIn was hacked in 2012, and over 100 million users’ email addresses and passwords were compromised.  Four years later, those email addresses and passwords were discovered for sale on the dark web.  There have been many such security breaches at many different websites—some known and some unknown.  Chances are high that your password has been among them at least once.

And if you used that same password for your bank, your file storage account, or Amazon.com?  You’ve got trouble.

Want to know if your password has been part of a known breach?  Go to pwned passwords and type in your old password.  The password that I used in college has been compromised 207 times.  That’s why you should have unique passwords and change them regularly.

There is no practical way to remember unique passwords for every account you have.  The solution is to use a “password manager” that will save all of your passwords securely and will enter them in login fields for you after you give your “master password.”  Using a password manager allows you to use passwords that are both unique and hard to guess (e.g., “hsdjsps3dYP*hbc”) because you won’t ever have to remember them yourself—the password manager does that for you.

Butler Tobin’s cybersecurity policy requires every employee to have and use a password manager, which Sameer advises.  “Lastpass” and “1Password” are two of several reputable options.


Have you been using the same password at different websites for years?  If so, stop now.

Employee Education

Some of history’s most prolific hackers, like Kevin Mitnick, relied less on technological wizardry and more on what cybersecurity professionals call “social engineering.”  Basically, they tricked people—usually lower-level employees—into giving them what they wanted.

The solution is education.  Your firm has to have a cybersecurity policy, and people have to follow it.  It need not be fancy—Butler Tobin’s cybersecurity policy is a 4.5-page Word document.  Among other things, it says that when someone spots a hacking attempt, he or she should sound the alarm for others.

The $3 million scam mentioned at the outset of this article used a simple, common tactic that cybersecurity professionals call “business email compromise.”  Thieves have recently tried this tactic on our firm, so what follows is a real-life example.  Below is an email that a would-be thief sent to each of the paralegals at our firm a few weeks ago:

This email looks like it came from me, but it didn’t.  The hacker made his or her name appear as “Jeb Butler,” but the actual email address isn’t mine—my email address is “jeb@butlertobin.com,” not “lawfirmlc00@gmail.com.”  The hacker created this fraudulent email account, then sent this email while I was away at a hearing in a wrongful death case in Ohio and not around to sort things out.

One of our paralegals didn’t recognize this email as fraudulent, and she engaged the hacker in extended correspondence.  Following the directions of the hacker—who was still posing as me—she bought $500 in iTunes gift cards on our firm’s credit card.  But before she could send the gift cards or share their codes with the hacker, another paralegal at our firm who had received the same fraudulent email forwarded the email around the firm with a warning.  The first paralegal was embarrassed, but no harm was done.  Except that we still have the gift cards.

You can lessen this risk.  The best way is teaching employees to look at actual email addresses, not just names.  (If the insurance company mentioned at the outset of this article had done that, they would have saved $3 million.)  You can also use Office 365 to block the spoofing of internal email accounts, which Butler Tobin now does at Sameer’s suggestion.

Anyway if you get an iTunes gift card from my firm as a gift, you’ll know where it came from.

Multi-Factor Authentication

Multi-factor authentication (also known as “MFA,” “two-factor authentication,” or “2FA”) can keep your account safe even if a hacker acquires your password.  MFA works by requiring something other than a password to log in—either a code that has been generated by your phone or texted to you, or something biometric like a fingerprint.

This can be hugely important.  A few weeks ago, a would-be thief ran up some credit card debt, then tried to auto-debit Butler Tobin’s bank account to ‘pay’ those charges.  Incredibly, all anyone needs to auto-debit any bank account is the bank account number, the name on the account, and the bank’s routing number—all of which is printed on every check you have ever written.  What that means—again, incredibly—is that anyone who has ever seen a paper check from your bank account can auto-debit that account to pay credit card debt.

That’s what happened to Butler Tobin.  Here is a screenshot showing the fraudulent charges that a would-be thief posted to our law firm’s bank account:

Fortunately, this scam went nowhere because my law partner noticed the charges and called our bank.  But suppose the would-be thief had online access to our bank account?  He or she could have presumably verified the charges before we noticed anything.

Thanks to MFA, it would be very difficult for a hacker to gain access to Butler Tobin’s bank account.  Our firm uses MFA on financial, file storage, purchasing, and certain other accounts.  In order to break in, a hacker would not only have to know the password—which is unique, long, and locked inside a password manager—but would also have to have physical possession of the device that generates MFA codes.

Related Posts