While we are preoccupied with COVID-19, cyber criminals are increasing their cyber-attacks. In Canada, phishing attempts doubled between 2018 and 2019,[1] and one report out of the US indicates that phishing is up over 600% from 2018 to the end of February 2020.[2] A remote work environment, combined with law firms having their attention diverted to COVID-related matters, potentially leaves data security less attended and creates potential system vulnerabilities. In Manitoba, two law firms had their entire computer systems infected with ransomware, which blocked access to their computers, client lists, emails, accounting and financial information and other digital files. The firms were asked to pay an enormous ransom to regain access to their computers, which were likely attacked when a partner or employee clicked on a link in an attachment or email.
Common types of fraudulent emails
Fraudsters use common and urgent or compelling messages to get you to click and compromise your inbox, such as: Covid-19 Updates; COVID-19 outbreak maps; Covid Survey; Urgent Action Required; Storage Space Exceeded; Security Alert; Password Expiring; UPS Delivery Notice; Job Satisfaction survey; Working from Home Protocols; Canada Post: Failed Delivery Notice; ERROR Delivery Request; and Unable to deliver message.
The emails ask recipients to click links or open attachments that are infected with malware. Once you click, the fraudster is in your system, waiting for the perfect conditions and the right opportunity to pounce. Fraudsters often take action when key personnel go on vacation.
With many lawyers now working remotely, the increase in virtual access to work servers requires extra vigilance. Ensure you provide cyber security awareness training for your staff. To protect yourself and your law firm, be on alert and remind all staff to take the following precautions:
- Always think before you click;
- Never open a link or attachment in an email or text message from someone you do not know;
- If you receive a link or attachment that you are not expecting — even if it is from someone you know — call the sender using the telephone number you have on file (not the number listed in the message) to confirm that the message is legitimate; and
- If you open a link or attachment that you should have avoided, and a box opens that asks for your password or other information — Stop. Close out. Immediately call your IT department to run a scan on your device(s).
Success of Hackers
Ransomware is the most common cause of cyber claims and it is on the rise. A report by the anti-malware software company Emsisoft estimated that ransom demands in Canada exceeded $360 million when factoring in both direct costs and business income loss for 2019.[3]
For a more detailed explanation of what ransomware is, see Dealing with Cryptowall Ransomware (Benchers’ Bulletin 2015: No 1 – Spring) – an in-depth review of the virus and how to avoid getting caught.
Can ransomware fraudsters be caught? No. Any fraudster with even a moderate degree of sophistication will not be caught. You will likely have no way to recover your losses apart from insurance. Hackers’ success is largely due to strong encryption, ease of implementation, and anonymous payment in cryptocurrency. And the encryption holding your system hostage is unbreakable. You either pay the ransom or you rebuild your system. Even if you have backups protected from a ransomware attack, it will generally take 7-14 days to rebuild a system at considerable expense.
Ten simple steps you can take to protect your system against a data breach
Talk to your IT professional about our ten simple steps and other measures you can take to protect your systems and your data:
- Create secure passwords for each account. Change them regularly and never share passwords with anyone. Use two-factor authentication. A reputable password management system that includes a random password generator may assist.
- Properly configure a firewall between the firm’s system and the internet. Talk to your IT professional about conducting security audits.
- Use up-to-date antivirus and malware endpoint protection on computers, laptops and handheld devices.
- Back up your data – talk to your IT professional about frequency (including staggering).
- Use encryption to protect hard drives, laptops, removable media, and backup media. Enable remote wipe capabilities for mobile devices and laptops.
- Make sure all critical patches and security updates are applied as soon as possible.
- Actively monitor systems for suspicious activity and log and archive system events as an audit trail.
- Use a VPN or other encrypted connection to access public wireless networks. Avoid public Wi-Fi, and do not use unsecured Wi-Fi to connect to your work server, to do any banking, or to send any confidential or personal information.
- Keep servers and equipment physically secure. Avoid working in public spaces where third parties may view screens or printed documents.
- Cancel network access when employees are terminated. Retain control of domain names that are no longer in use after law firm mergers or acquisitions.
Do you need additional cyber insurance?
Even with Coalition’s cyber policy and even if you have taken all the steps you can to protect your system, we strongly recommend that you consider purchasing additional or excess cyber insurance. Talk to your insurance broker about buying more coverage for this risk. We provide information on commercial products here.
Footnotes:
1. 3 current scams to keep on your watch list—and avoid
2. Q1 2020 KnowBe4 Finds Coronavirus-Related Phishing Email Attacks Up 600%
3. Emsisoft Report: The cost of ransomware in 2020. A country-by-country analysis
Law Society resources
Dealing with Cryptowall ransomware – an in-depth review of the virus and how to avoid getting caught
Practice Tips (p. 17), Benchers’ Bulletin, 2015: No. 1 Spring
Cryptolocker ransomware alert – 10 steps to avoid getting caught by ransomware
Practice Resource, December 2013
Making your e-communications secure – tips to make your email communications more secure
Practice Tips (p. 10), Benchers' Bulletin, 2014 No. 3 Fall
Security practice tips – tips to improve the security of law firm IT systems
Practice Tips, Benchers’ Bulletin, 2014: No. 2 Summer
Tech security for lawyers – deals with a variety of security issues relating to technology, including malware
Practice Tips (p. 9), Benchers’ Bulletin, 2012: No. 1 Spring
Cloud computing due diligence guidelines – due diligence and risk management information about the use of technology and third party data storage and processing
Practice Resources – includes resources relating to technology and safety and security
Other resources
Ransomware: How to Prevent and Recover (ITSAP.00.099) (cyber.gc.ca)
Cybercrime and Law Firms: The risks and dangers are real
LawPro Magazine, December 2013
The Government of Canada’s Canadian Anti-Fraud Centre’s (CAFC) website - includes resources such as the Get Cyber Safe Guide for Small and Medium Businesses.
And remember section 3.3 of the Code of Professional Conduct regarding a lawyer’s obligations to keep a client’s information confidential and Law Society rules 10-4 to 10-5 regarding records and security of records. If you have questions about your professional obligations, please contact Practice Advice.
Last updated: June 2020