What are cyber criminals and hackers up to during COVID-19?

While we are preoccupied with COVID-19, cyber criminals are increasing their cyber-attacks. In Canada, phishing attempts doubled between 2018 and 2019,[1] and one report out of the US indicates that phishing is up over 600% from 2018 to the end of February 2020.[2] A remote work environment, combined with law firms' attention being diverted to COVID-related matters, can leave data security less attended and create system vulnerabilities. In Manitoba, two law firms had their entire computer systems infected with ransomware, which blocked access to their computers, client lists, emails, accounting and financial information and other digital files. The firms were asked to pay an enormous ransom to regain access to their computers, which were likely attacked when a partner or employee clicked on a link in an attachment or email.

Common types of fraudulent emails

Fraudsters use common and urgent or compelling messages to get you to click and compromise your inbox, such as: Covid-19 Updates; COVID-19 outbreak maps; Covid Survey; Urgent Action Required; Storage Space Exceeded; Security Alert; Password Expiring; UPS Delivery Notice; Job Satisfaction survey; Working from Home Protocols; Canada Post: Failed Delivery Notice; ERROR Delivery Request; and Unable to deliver message.

The emails ask recipients to click links or open attachments that are infected with malware. Once you click the link or open the attachment, the fraudster has a foothold in your system and waits for the perfect conditions and the right opportunity to pounce. Fraudsters often take action when key personnel go on vacation.

With many lawyers now working remotely, the increase in virtual access to work servers requires extra vigilance. To protect yourself and your law firm, be on alert and remind all staff to take the following precautions: 

  • Always think before you click;
  • Never open a link or attachment in an email or text message from someone you do not know;
  • If you receive a link or attachment that you are not expecting — even if it is from someone you know — call the sender using the telephone number you have on file (not the number listed in the message) to confirm that the message is legitimate; and
  • If you open a link or attachment that you should have avoided, and a box opens that asks for your password or other information — Stop. Close out. Immediately call your IT department to run a scan on your device(s).

Success of Hackers

Ransomware is the most common cause of cyber claims and it is on the rise. A report by anti-malware software company Emsisoft estimated that ransom demands in Canada exceeded $360 million for 2019 when factoring in both direct costs and business income loss.[3]

For a more detailed explanation of what ransomware is, see Dealing with Cryptowall Ransomware (Benchers’ Bulletin 2015: No 1 – Spring) – an in-depth review of the virus and how to avoid getting caught.

Can ransomware fraudsters be caught? No. Any fraudster with even a moderate degree of sophistication will not be caught. You will likely have no way to recover your losses apart from insurance. Hackers' success is largely due to strong encryption, ease of implementation, and anonymous payment in cryptocurrency. The encryption holding your system hostage is unbreakable. You either pay the ransom or you rebuild your system. Even if you have backups protected from a ransomware attack, it will generally take 7-14 days to rebuild a system, at considerable expense.

Ten simple steps you can take to protect your system against a data breach

Talk to your IT professional about our ten simple steps and other measures you can take to protect your systems and your data:

  1. Create secure passwords for each account. Change them regularly and never share passwords with anyone. Use two-factor authentication. A reputable password management system that includes a random password generator may assist.
  2. Properly configure a firewall between the firm’s system and the internet. Talk to your IT professional about conducting security audits.
  3. Use up-to-date antivirus and malware endpoint protection on computers, laptops and handheld devices.
  4. Back up your data – talk to your IT professional about frequency (including staggering backups so that an infection does not overwrite every copy at once).
  5. Use encryption to protect hard drives, laptops, removable media, and backup media. Enable remote wipe capabilities for mobile devices and laptops.
  6. Make sure all critical patches and security updates are applied as soon as possible.
  7. Actively monitor systems for suspicious activity and log and archive system events as an audit trail.
  8. Use a VPN or other encrypted connection whenever you must use a public wireless network. Avoid public Wi-Fi, and do not use unsecured Wi-Fi to connect to your work server, to do any banking, or to send any confidential or personal information.
  9. Keep servers and equipment physically secure. Avoid working in public spaces where third parties may view screens or printed documents.
  10. Cancel network access as soon as employees are terminated. Keep ownership of domain names that would otherwise be abandoned after law firm mergers or acquisitions, so that a third party cannot register them and receive mail intended for the firm.

Do you need cyber insurance?

Even if you have taken all the steps you can to protect your system, your clients and third parties can make your system more vulnerable. Technology cannot keep up with evolving threats. New cyber risks are constantly emerging, such as crypto-jacking, biometric information protection, and invoice manipulation fraud (aka "reverse social engineering"). Social engineering fraud losses are expected to rise due to increased electronic invoicing and wire payments during the lockdown and after it ends.

When assessing the need for cyber insurance, the question used to be “Do you have confidential information to protect?” The questions now are “How important is your network to your operations? How long can you work without access to your network?  Do you have any insurance that will protect you against a significant loss?” Talk to your insurance broker about buying comprehensive cyber insurance for this risk (your policy provides limited social engineering coverage but does not respond to ransomware attacks or data breaches). We provide more information on cyber insurance and other commercial products here.

Footnotes:

1. "3 current scams to keep on your watch list—and avoid"

2. "Q1 2020 KnowBe4 Finds Coronavirus-Related Phishing Email Attacks Up 600%"

3. Emsisoft Report: "The cost of ransomware in 2020. A country-by-country analysis"

Law Society resources

Dealing with Cryptowall ransomware – an in-depth review of the virus and how to avoid getting caught
Practice Tips (p. 17), Benchers’ Bulletin, 2015: No. 1 Spring

Cryptolocker ransomware alert – 10 steps to avoid getting caught by ransomware
Practice Resource, December 2013

Making your e-communications secure – tips to make your email communications more secure
Practice Tips (p. 10), Benchers’ Bulletin, 2014: No. 3 Fall

Security practice tips – tips to improve the security of law firm IT systems
Practice Tips, Benchers’ Bulletin, 2014: No. 2 Summer

Tech security for lawyers – deals with a variety of security issues relating to technology, including malware
Practice Tips (p. 9), Benchers’ Bulletin, 2012: No. 1 Spring

Cloud computing due diligence guidelines and cloud computing checklist – due diligence and risk management information about the use of technology and third party data storage and processing

Law Office Administration – includes resources relating to technology and safety and security

Other resources

Cybercrime and Law Firms: The risks and dangers are real
LawPro Magazine, December 2013

The Government of Canada’s Canadian Anti-Fraud Centre’s (CAFC) website - includes resources such as the Get Cyber Safe Guide for Small and Medium Businesses

And remember section 3.3 of the Code of Professional Conduct regarding a lawyer’s obligations to keep a client’s information confidential and Law Society rules 10-4 to 10-5 regarding records and security of records. If you have questions about your professional obligations, please contact Practice Advice.


Last updated: June 2020