Spear phishing and other forms of cybercrime are targeting law firms and businesses, and these firms need to be prepared, and need to prepare clients and customers to avoid being victims of cybercriminals who just want to steal their money. For lawyers, who are required to have technological competence, that means far more than just using antivirus software.
In this edition of The Legal Tech Podcast, Attorney & Techno-Ethics Expert Daniel J. Siegel explains some of the latest criminal activity targeting clients, and suggests that, at a minimum, any law firm or business whose clients may need to wire or transfer funds, or make any other online transactions, must implement safeguards to prevent fraud. The easiest safeguards are client education and implementation of multifactor authentication. In other words, there must at least two ways to verify transactions and information.
Join Dan Siegel as he provides a concise summary of the problem and offers more of his practical, easily-implementable solutions that are the hallmark of the ethics and techno-ethical services and guidance provided by the Law Offices of Daniel J. Siegel, LLC and Integrated Technology Services, LLC.
Welcome to the latest edition of the Legal Tech Podcast. I'm attorney Dan Siegel and I'll be speaking to you today about why lawyers and anyone else dealing with financial information need to employ multifactor authentication. Your podcast is sponsored by the law offices of Daniel J. Siegel, LLC and Integrated Technology Services, LLC, both based in suburban Philadelphia. Our law firm and our consulting firm provide guidance, including techno-ethical guidance to law firms and businesses throughout the country, and legal advice to firms in Pennsylvania and New Jersey. But today I want to talk about something that many of us don't want to think about. It's the fragility of our lives and how we work with technology and numbers and finance. Let me explain. Lawyers have a duty to be competent, and the Model Rules of Professional Conduct were amended to require that competence means understanding the basic levels of technology relevant to practice. Well, that's changed a lot since when the rules were originally written, technology didn't even really exist, certainly not anything like the technology we have now. And I always lecture and say, would you want to go to a doctor who said, I'm not going to schedule or prescribe one of those newfangled MRIs because they weren't around when I was in medical school? Your answer would be, no, of course not. You want a doctor who's using the latest technology. But the problem is cyber attackers are out there and they are smart and they are prepared and they are willing to do anything to get their hands on lots of different information. Nothing more valuable, however, than bank accounts and financial data. So this podcast is really focused on issues that impact lawyers and anyone else who works with clients or customers where you're trading in financial information. So let me explain what I mean. There is a concept called spearphishing, and that's not looking for fish out on the ocean. That is very sophisticated. Cyber attackers and criminals who are trying to access and obtain information, but not in the way of the old emails that say, I've got a million dollars from some prince in some country. Now, these are people who are much smarter and more sophisticated. They gain access to email accounts. They are able to spoof email accounts and other items and send emails that look exactly like they came from you or your office. It happens all the time. So let me give you two scenarios and then I'll talk about what I recommend as a minimum level of practice and of competence. The first is a law firm that represents individuals and estates. After people have died, one of the obligations the estates have is to pay inheritance tax. So in one instance, a law firm's email was hacked and spoofed, copied so that the hackers were able to send emails that looked identical to those from the law firm. And they sent them to a client and advised the client to wire money to pay inheritance taxes to a particular bank, giving all of the relevant information. The client not knowing better and having not been informed from the first meeting with the law firm that we will never write to you for any of this type of information, just like your banks tell you. The client wired the money about $50,000. Then an hour or two later, the client got a second email saying there's an additional amount due, please wire more money. At that point, the client called the law firm. The law firm didn't know anything about the emails, of course, but the client did. And the client didn't send that second wire, but the money in the first was gone. What should the law firm have done? The law firm should have, at first, when they met with the client, explained, just like you hear in the recorded messages when you call, your bank will never ask for your password. Law firms should be telling clients, and anyone else dealing with financial information should be informing clients that we will never call or email you, or we will never do X, Y or Z in order to ask for your financial information or to wire money, whatever the circumstances. But now let's look at a more sophisticated cyber attack that actually cost the company millions. And this is what happened. They gained access to a law firm's email. After they gained access to that email, they wrote to the law firm's client and to other counsel, explaining where a wire transfer should go, except for one little thing. They had advised the client where the money should go, but the email address they used, even though the email looked identical, instead of being Xyzlaw.com, was Xyzlavv.com. The lawyer whose client was involved was contacted by the client, saying, can I provide the information regarding the wire? And the lawyer agreed. And then the lawyer took the next step of sending the information to the other side, not knowing that he was actually sending it to someone who had taken over his client's email and had been writing the client with one email address and writing to the lawyer with a different little confusing. Simply put, all that happened was the hackers took over one email account and spoofed the other, and were able to get the wire information from the buyer that was to the hacker's account, not to the sellers. This is a real problem. How do you avoid it if you're in the business, whatever it is, you could be doing real estate transactions, you could be handling any type of transaction where people are sending money electronically, which is how it's done all the time. Now, you could handle any of those, but what should happen there should be a multifactor level of authentication, just like that text message you get every time you log into your bank account. And you could say to your clients, before we ever give wire instructions, before we do x, Y or Z, we are going to call you and verify the accounts that are going to be used. That way you could compare that information with what was in an email and if it matches, you have a higher level of confidence. If it doesn't match, then you know there's a problem. This also highlights why you have to explain to clients to be vigilant, they need to be careful when they look at emails, even though they may look real. The difference between L A W and L A V A is minor visually, especially on a computer screen, but it makes a huge difference on the internet when you are sending email because it's going to go to Lavv.com, not law.com. So my solutions are simple.They are:
lawyers, real estate, title companies and anyone else involved in finance needs to use and advise clients and customers who are using their services that we always verify any type of financial information in two methods, even if it's sent by email. We will always call you and verify information over the phone and if need be, if people are concerned, and you can do this with your banks too, I've set it up. You can give clients a code word or they can specify one for you, so that when you call, if they're concerned that they don't know you well, don't recognize your voice, don't know your paralegal's voice, or someone from your office's voice, that they have to give you a word. Now, this may seem cumbersome, but we are not living in the days when email was just a group of AOL disks. We are living in a world of sophistication, and nothing is easier for smart hackers to attack than email. So you need to take these precautions unless you want to disconnect from the web, and no one's going to do that. In this day and age, you can't survive as a law firm, you can't survive as a business. So you need to set up multiple ways of verifying any type of financial information or transactions just to be sure. You also need to educate your clients and your customers up front, so that in our office, if we're dealing with an estate, we always write a check or have the client write a check. We don't use wire funds at all in those circumstances. And we explain to clients if there may be issues with money needing to be transferred. We will always call you. We will never just send you a blind email or one sort of out of the blue. That's what you need to do. You need to be thinking about how do we protect the clients, the customers and yourself. Is it possible that your liability insurance may not cover this? It is distinctly possible. Will your cyber insurance policy cover it? Probably. But you need to look at the terms. And if you're sitting there listening and saying, what's my cyber insurance policy? I don't have that. Well, it's time for you to go and explore purchasing that coverage, it has become essential. It is not generally the best coverage if you just add it onto your liability coverage. There are many companies who provide separate cyber insurance policies at a greater cost than as a rider to your policy, but often they cover far more. So it's time that the days of competence, meaning you understood that maybe I need antivirus software, those days are gone. We're now looking at sophisticated individuals who are trying to steal not only data, but money. And the way to stop that is to do what? According to major companies like Microsoft say, the best way to prevent fraud is multi factor authentication. And yes, we think about it with our bank accounts, but you should also be thinking about it with every other type of electronic financial communication. I'm Dan Siegel. I'm an attorney and principal of the law offices of Daniel J. Siegel, LLC and the president of Integrated Technology Services, LLC. You can contact me by email at firstname.lastname@example.org. That's danieljsiegel.com. Or you can contact us at our website for our technology firm, which is tech. T-E-C-H lawyergy. Lawyergy.com. However you want to contact us, we're here. We provide ethical and techno-ethical guidance to law firms and small businesses to help you avoid the horror stories that are the basis for today's Legal Tech podcast. Thank you again for listening for today's edition of the Legal Tech podcast. Thank you.