Cybersecurity protection is like health insurance: You don’t miss it until you need it. By then, it’s too late.
Internet thieves are attacking Georgia’s legal community. On Jan. 17, the Daily Report described how an imposter tricked an insurance company into depositing over $3 million into the wrong lawyer’s bank account by spoofing the policyholder’s email address. Over the past six months, the personal injury firm where I practice, Butler Tobin, has been the subject of a half-dozen attacks targeted specifically at our six-person firm—and two of them nearly succeeded.
What to do? If you have the budget, you can hire my friend and co-author of this piece, Sameer Joshi, who consults on cybersecurity with Systems Evolution Inc. If you don’t, there are a few simple steps that you can take to dramatically lower your risk of ending up on the wrong side of a cybersecurity article in the Daily Report.
Have you been using the same password at different websites for years? If so, stop now.
Even if you haven’t done anything to leak your password, some website where you once used the password probably has. For instance, LinkedIn was hacked in 2012, and over 100 million users’ email addresses and passwords were compromised. Four years later, those email addresses and passwords were discovered for sale on the dark web. There have been many such security breaches at many different websites—some known and some unknown. Chances are high that your password has been among them at least once.
And if you used that same password for your bank, your file storage account, or Amazon.com, you’ve got trouble.
Want to know if your password has been part of a known breach? Go to Pwned Passwords and type in your old password. The password that I used in college has been compromised 207 times. That’s why you should have unique passwords and change them regularly.
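Pwned Passwords can also be queried from a script without ever sending the password itself: only the first five characters of its SHA-1 hash go to the service, which returns every known-breached hash sharing that prefix, and the comparison finishes on your own machine. The following is an added example, not code from the original article and not an official client; the sample range response and its counts are constructed, and the `stub` stands in for the network call so it runs offline.

```python
import hashlib
from typing import Callable, Tuple

# Constructed sample of what the Pwned Passwords "range" endpoint returns for
# hash prefix 5BAA6: one "SUFFIX:COUNT" line per breached hash. The counts are
# made up for this example; the live service returns real ones.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4C9B93F3F0682250B6CF8331B7EE68FD9:3
0000000000000000000000000000000000A:1
"""

def sha1_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_text: str) -> int:
    """Find the suffix in the response for its prefix; 0 means not found."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """fetch_range(prefix) returns the service's response text for that prefix."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))

def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network; not used by the offline checks above."""
    import urllib.request
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    stub = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    print(breach_count("password", stub))  # 12345 (constructed sample count)
```

Swap `stub` for `fetch_range_live` to query the real service; a non-zero count means the password has appeared in a breach and should be retired.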
There is no practical way to remember unique passwords for every account you have. The solution is to use a “password manager” that will save all of your passwords securely and will enter them in login fields for you after you give your “master password.” Using a password manager allows you to use passwords that are both unique and hard to guess (e.g., “hsdjsps3dYP*hbc”) because you won’t ever have to remember them yourself—the password manager does that for you.
Butler Tobin’s cybersecurity policy requires every employee to have and use a password manager, which Sameer advises. “LastPass” and “1Password” are two of several reputable options.
Some of history’s most prolific hackers, like Kevin Mitnick, relied less on technological wizardry and more on what cybersecurity professionals call “social engineering.” Basically, they tricked people—usually lower-level employees—into giving them what they wanted.
The solution is education. Your firm has to have a cybersecurity policy, and people have to follow it. It need not be fancy—Butler Tobin’s cybersecurity policy is a 4.5-page Word document. Among other things, it says that, when someone spots a hacking attempt, he or she should sound the alarm for others.
The $3 million scam mentioned at the outset of this article appeared to use a simple, common tactic that cybersecurity professionals call “business email compromise.” Thieves have recently tried this tactic on our firm, so what follows is a real-life example. A few weeks ago, a would-be thief sent to each of the paralegals at our firm an email that came from “Jeb Butler.” It said: “I’m on a conference call & its not likely to end soon, Wondering if you could help me dash to the store quickly?”
This email looked like it came from me, but it didn’t. The hacker made his or her name appear as “Jeb Butler,” but the actual email address isn’t mine—my email address is “firstname.lastname@example.org,” not “email@example.com.” The hacker created this fraudulent email account, then sent this email while I was away at a hearing in a wrongful death case in Ohio and not around to sort things out.
One of our paralegals didn’t recognize this email as fraudulent, and she engaged the hacker in extended correspondence. Following the directions of the hacker—who was still posing as me—she bought $500 in iTunes gift cards on our firm’s credit card. But before she could send the gift cards or share their codes with the hacker, another paralegal at our firm who had received the same fraudulent email forwarded the email around the firm with a warning. The first paralegal was embarrassed, but no harm was done. Except that we still have the gift cards.
You can lessen this risk. The best way is teaching employees to look at actual email addresses, not just display names. (Had the insurance company mentioned at the outset of this article done that, it appears it would have saved $3 million.) You can also use Office 365 to block the spoofing of internal email accounts, which Butler Tobin now does at Sameer’s suggestion.
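The same "look at the address, not the name" rule can be automated as a mail-filter check: if a From: header carries the display name of a known employee but an address that is not that employee's, flag it before it reaches an inbox. This is an added example, not the firm's own filter or anything from Office 365; the staff directory, the `example-firm.test` domain and the sample headers are all constructed.

```python
from email.utils import parseaddr

# Constructed staff directory: each display name may only appear with this
# exact internal address. The domain is a placeholder, not the firm's real one.
INTERNAL_DOMAIN = "example-firm.test"
STAFF = {
    "jeb butler": "jeb.butler@example-firm.test",
    "accounts payable": "ap@example-firm.test",
}

def normalize_name(name: str) -> str:
    # Collapse whitespace, drop quotes, ignore case so "JEB  Butler" still matches.
    return " ".join(name.replace('"', "").split()).lower()

def check_sender(from_header: str):
    """Return None if the From: header is consistent with the directory,
    otherwise a short reason describing why it looks like impersonation."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    key = normalize_name(name)
    if key in STAFF:
        if addr != STAFF[key]:
            return ("display name '%s' belongs to %s but the message is "
                    "actually from %s" % (name, STAFF[key], addr))
        return None
    # Unknown display name claiming our own domain with an address that is
    # not in the directory is suspicious too (spoofed internal sender).
    if domain == INTERNAL_DOMAIN and addr not in STAFF.values():
        return "address %s uses the internal domain but is not in the directory" % addr
    return None

def triage(headers):
    """Run check_sender over several From: headers; return only the flagged ones."""
    flagged = {}
    for h in headers:
        reason = check_sender(h)
        if reason:
            flagged[h] = reason
    return flagged

if __name__ == "__main__":
    # Constructed samples modelled on the gift-card email described above.
    samples = [
        'Jeb Butler <jeb.butler@example-firm.test>',
        '"Jeb Butler" <jebbutler.office@free-mail.example>',
        'IT Helpdesk <helpdesk@example-firm.test>',
        'Opposing Counsel <counsel@other-firm.example>',
    ]
    for h, reason in triage(samples).items():
        print("FLAG:", h, "->", reason)
```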
Anyway, if you get an iTunes gift card from my firm as a gift, you’ll know where it came from.
Multifactor authentication (also known as “MFA,” “two-factor authentication,” or “2FA”) can keep your account safe, even if a hacker acquires your password. MFA works by requiring something other than a password to log in—either a code that has been generated by your phone or texted to you, or something biometric like a fingerprint.
This can be hugely important. A few weeks ago, a would-be thief ran up some credit card debt, then tried to auto-debit Butler Tobin’s bank account to ‘pay’ those charges. Incredibly, all anyone needs to auto-debit any bank account is the bank account number, the name on the account and the bank’s routing number—all of which is printed on every check you have ever written. What that means—again, incredibly—is that anyone who has ever seen a paper check from your bank account can auto-debit that account to pay credit card debt.
That’s what happened to Butler Tobin. More than $2,300 in fraudulent charges by a would-be thief posted to our law firm’s bank account. Fortunately, this scam went nowhere, because my law partner noticed the charges and called our bank. But suppose the would-be thief had online access to our bank account? He or she could have presumably verified the charges before we noticed anything.
Thanks to MFA, it would be very difficult for a hacker to gain access to Butler Tobin’s bank account. Our firm uses MFA on financial, file storage, purchasing, and certain other accounts. In order to break in, a hacker would not only have to know the password—which is unique, long, and locked inside a password manager—but would also have to have physical possession of the device that generates MFA codes.
Jeb Butler handles personal injury cases involving wrongful death, sexual abuse, and serious injuries. He is a founding partner of Butler Tobin.
Sameer Joshi provides consulting services to local Atlanta clients with professional experience ranging from program management to cybersecurity. He is a principal consultant for Systems Evolution Inc. in Atlanta.