Pandemic amplifies hacking risk at law firms

Many firms do not have the level of cybersecurity needed

By Barbara L. Jones
BridgeTower Media Newswires

MINNEAPOLIS, MN - You may be sheltered in place while you're reading this. Be aware that hackers and cybercriminals are also tucked up in front of their computers and that could be devastating to you and your clients.

The world of cybercrime hasn't really changed so much as it has amplified thanks to COVID-19, said Minneapolis attorney Adam Smith. With people working from home, opportunities to invade computers have expanded, and subtle changes to email addresses or web locations may go unnoticed among all the other rapid changes in virtual society, Smith said.

Smith, before joining Faegre Drinker, served as the operational planning lead for the Department of Homeland Security's (DHS) Headquarters Office of Infrastructure Protection (IP), Smith coordinated the drafting and exercising of three federal plans for cyberattacks, biological incidents and natural disasters. He also worked with law enforcement and business to prepare responses to cyberattacks.

-----

Cybercrime is zooming

Some cybercrime is evolving to play on people's present vulnerabilities, Smith said. Fake charities may request money, scammers may request bank account information to "expedite" receipt of federal assistance checks, and persons making fraudulent job offers may ask for personal information or money, he said. "Hackers just like business adapt to changing times. They create frauds in response to needs."

Many law firms don't have the cybersecurity they need, given their access to clients' money and information, Smith said. While it's often hard to convince people to invest in preventive measures, he noted, law firms, and even solo practitioners, should have a plan for response to cyberattacks, Smith said. That includes putting the right technology in place ahead of time.

Especially now that more employees are working from home, it's important to make sure that the firm or company's remote access is fully patched and accessed from a secure encrypted router, he said. Also, make sure than the virtual private network is secure as well as the access point in the home or workspace, Smith continued.

Furthermore, the software must be up to date and properly configured. Anti-virus protection and firewalls also must be properly configured and updated.

It would be best if people accessing the networks have multi-factor authentication, Smith continued. Change passwords often and don't use the same one for different platforms.

Other, less technical fixes, can address other confidentiality concerns. Think about devices in the home, not only Alexa but also baby monitors, Smith said. Be careful with conference calls-know who you are dialing. If you share dial-in information, it could wind up in the hands of a hacker.

Zoom is the new conference call technique, and an attack is known as a Zoom bombing. Reportedly, Zoom conferences have been interrupted by individuals shouting racial slurs or other offensive language, or by pornographic images. Part of the problem is that information about Zoom meetings has been shared on social media. The best practice is that only the host should share the Zoom screens, which allows more than one image to be posted at a time, Smith said.

Perhaps the best advice is to slow down your response time on the web and think about what you are doing and with whom you are communicating, Smith said. "Be patient with yourself and other people," he advised. Check the email addresses and confirm them if necessary, but don't confirm them by calling a phone number that's in the email. Check the part of the email address that comes after the "at" sign-that identifies the network. Check the sender's address for extra letters or dots that subtly change it and direct you to a false site. "Be careful because these thieves are spending time thinking about getting your emails," Smith said.

-----

Who you going to call?

If an attack happens, the impulse may be to go public immediately, in the interests of transparency and good business practices.

Don't do that, Smith advised. The reason is that you are unlikely to know the extent of the problem or the reason for it until law enforcement has a look. "Communicating the wrong thing is the worst thing," he said. If it involves malware or ransomware it may be very complex.

If the worst happens, the first call should be to the FBI, the FCC or the state Attorney General's Office, Smith advised.

The FBI Internet Crime Complaint Center, known as IC3, is at https://www.ic3.gov/default.aspx. That web site also provides information including crime prevention tips and a list of 18 crime schemes.

IC3 states, "As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams. In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices. Based on recent trends, the FBI assesses these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes."

The FCC is at https://consumer complaints.fcc.gov/hc/en-us. It warns that phone scammers are preying on consumer fears with a variety of calls and texts offering free home testing kits, promoting bogus cures, and selling health insurance. It also provides information on home network tips during the pandemic.

But this should not be your first call to law enforcement, Smith said. One of the things you should have included in your plan was an introductory phone call to the authorities to introduce yourself, he said. Then, "watch their publications, keep their phone numbers updated, follow their ongoing best practices," Smith said. The state level is often the best place to start, he said. "The state attorney general is where you want to have connections," he said.

Smith said that other sources of information include the federal Cybersecurity and Infrastructure Security Agency, which has developed an "Essential Critical Infrastructure Workforce" advisory list. This list is intended to help state, local, tribal and territorial officials as they work to protect their communities, while ensuring continuity of functions critical to public health and safety, as well as economic and national security, the CISA website explains at https:// www.cisa.gov/publication/guid ance-essential-critical-infrastructure-workforce.

Published: Tue, Apr 14, 2020