Cyber Security – Horrifying Stats and Tips for Dropbox Users

For the last two weeks, I have been featuring a potpourri of posts gleaned from tweets posted during the ABA TECHSHOW. Today we explore cyber security with extra bonus tips for good measure.

Cyber Security – Numbers, Trends, Protecting Your Firm

Tips for Dropbox Users

  • Dropbox security: use third party apps – like Viivo – to encrypt. You own the key. @VIIVOkey happens to be in attendance.… @MrsMacLawyer RT @rocketmatter
  • Dropbox security: use 2 step authentication but put recovery code in safe place. It’s not retrievable. @larryport RT @rocketmatter
  • Also see my post, The 7 Rules of Using Dropbox and search this blog for related Dropbox posts.

Thanks 2014 ABA TECHSHOW tweeters for the tips! And check out these resources for lawyers posted by the author on Scribd.

All Rights Reserved – Beverly Michaelis [2014]

13 Resources for Protecting Data – Courtesy of the FTC

With data breaches in the news on an almost daily basis, how do you protect your law firm’s assets? What advice should you give to your clients?

The FTC offers a list of 13 data security resources to help you get started. From mobile apps to digital copiers and shutting down spam, there is a ton of good advice to be culled from these posts and PDFs.

What Lawyers Can Learn from the Yahoo Email Hack

Yahoo, the second largest email service worldwide, reported a security breach last week which exposed personal information from sent email folders.

The Associated Press reports:

Yahoo Inc. said in a blog post on its breach that “The information sought in the attack seems to be the names and email addresses from the affected accounts’ most recent sent emails.”

That could mean hackers were looking for additional email addresses to send spam or scam messages. By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.

If you correspond with friends, family, clients, or colleagues who use Yahoo’s mail service, scrutinize incoming e-mail carefully to avoid phishing scams.

This breach has another takeaway for lawyers – you are only as secure as your third-party vendors. The Yahoo and Target breaches were both the result of third-party vendor hacks. In the case of Yahoo, the information was collected from a third-party database. In the Target hack, credentials were stolen from a third-party vendor.

Lawyers should take this to heart when evaluating their own cyber liability and security – specifically with regard to HIPAA compliance. If your servers are hosted in the cloud, or you use cloud-based practice management, accounting, or backup solutions, inquire into the security procedures of your vendors. Remember that encryption is your friend. All data stored in the cloud should be encrypted – minimally by your vendor. Better yet: go the extra mile. Seek out cloud providers who permit you to add your own third-party encryption, like Viivo or TrueCrypt, so that you (and only you) hold the final encryption key.

All Rights Reserved – Beverly Michaelis [2014]

You and Your Clients Remain Vulnerable to Scams

In the July issue of the OSB Bulletin, Leonard DuBoff and Christy King offer new advice regarding the latest scams plaguing lawyers:

For example, one of the newer scams involves someone posing as a real estate buyer and contacting a mortgage broker or real estate agent instead of a lawyer. The broker or agent then refers the buyer to a lawyer, not realizing that the purported buyer is really a scammer. The attorney often knows the mortgage broker or real estate agent and so doesn’t question the legitimacy of the transaction. A variation on the scam occurs where the scammer asks a lawyer in one area of the country to provide a referral to a lawyer in a different region. Some scammers assume the identity of actual attorneys in order to perpetrate the fraud. They claim to be referring a client — often themselves — for claimed legal assistance.

Learning about the latest scams is one way to keep on your toes. Here are some others:

All Rights Reserved Beverly Michaelis (2013)

Telephone Scam Hits Washington Lawyers

The Oregon State Bar is warning lawyers of a telephone scam underway now in Washington:

Scam Alert
OSB members: The Washington State Bar Association is warning its members about a telephone scam in which callers claiming to represent the bar are asking its members for personal information. These calls are not from the WSBA. Although we have no reports of similar calls in Oregon at this time, it has happened in the past and could recur. If you receive such a call do not reveal any personal information.

Posted on the OSB home page August 12, 2013.

Mobile Security Tips from the ABA

Great tips at Law Technology Today on mobile security. Don’t take confidential client data outside the office without taking these precautionary steps:

Encrypt devices
Password protect all technology (phones, tablets, laptops)
Enable remote wiping capability
Limit what you carry when outside the office
Mark your property and don’t leave it unattended
Consider computer locks for laptops
Use less conspicuous carrying cases

Read the full post.

Washington State Administrative Office of Courts Hacked

The Associated Press is reporting that 160,000 social security numbers were exposed when the Washington State Administrative Office of Courts was hacked in late 2012 or early 2013.

“The breach happened due to vulnerability in an Adobe Systems Inc. software program, ColdFusion, that has since been patched, court officials said. The hack happened sometime after September but wasn’t caught until February…

Mike Keeling, the courts’ information technology operations and maintenance manager, said officials were alerted to the breach by a business on the East Coast that had a similar intrusion.”

Following the breach, new security measures were implemented, including encryption.

Court officials have confirmed that 94 social security numbers were obtained – those affected will be contacted directly. Names and driver’s license numbers may also have been accessed. People who were booked in a city or county jail during specified periods or those who had a DUII, traffic, or a superior court criminal case in Washington may also be affected.

If you believe your information may have been exposed, call 1-800-448-5584 or visit this site.

Read more here.

Scam Alert – Professional Liability Renewal Spoof

If you receive the following e-mail it is a scam:

Subject line: Professional Liability Renewal April – May 2013:

I would like to review and Possibly lower your Professional Liability Insurance Premiums. I developed a relationship with a firm ( A rated companies and better ) that have saved 20-30% and thousands of dollars for some friends. To review yours, all we need is your last years application and declaration page. (fax 214.853.5846) If interested, email my assistant Ms Mindy Harris at mharris@universalfg.com or call me at 972-386-6639.

Mark S. Pincus
JP Morgan International Plaza III
14241 Dallas Parkway, Suite 650
Dallas, Texas 75254
mark@universalfg.com
www.universalfg.com

This e-mail is a phishing scam

  • An independent Google search of “Universalfg” returns no pertinent results.
  • Following the link listed in the signature line takes the user to www.universalfg.com, a poorly written site with grammar and punctuation errors.
  • While the phone numbers on the site match those listed in the spoof e-mail, there is no physical address included on the site. No legitimate insurer would fail to include a physical address on its Web site.
  • The About Us page lists Mindy Harris as a partner – not an assistant – contradicting the e-mail.
  • The About Us page contains an outdated photograph caption from 2011.
  • The About Us page lists two employees – a managing partner (the purported sender of this e-mail) and Mindy Harris, identified as a “partner.” There are no other employees, which seems odd for the scope of services provided by this “business.”
  • The last blog post on the site is dated July 2011.
  • The Address Bar icon that appears in the URL of the blog is a black and white glamour shot of a woman. This is inappropriate imagery for a professional insurer.

The Professional Liability Fund is the sole provider of primary malpractice coverage for Oregon lawyers

  • There are no private insurers from whom you can purchase the statutorily required coverage in Oregon.
  • Coverage rates are proposed by the Professional Liability Fund Board of Directors and approved by the Oregon State Bar Board of Governors.
  • Oregon lawyers do not complete an “application form” for primary plan coverage. [Granted, there is a form for Excess Coverage.]
  • “Renewals” of Professional Liability Fund coverage occur annually at year-end, not in “April-May.” Some lawyers elect to pay their assessment on a quarterly basis. E-mail notices are usually sent to bar members in November for the coming year. Additional e-notices follow. Payment is made through the secure member login on the Oregon State Bar Web site.

If you have questions regarding your Professional Liability Fund payment, please contact the PLF Accounting Department at 1-800-452-1639.

If you have been a victim of an Internet scam or have received an e-mail that you believe was an attempted scam, please file a complaint with one of the following:

Consider attending our CLE: Protecting Your Firm and Your Clients from Scams, Fraud, and Financial Loss – May 16, 2013.

Law Firm Falls Victim to Scam, Sued by Bank

If this headline doesn’t catch your attention, I’m not sure what will. Here is Sharon Nelson’s latest post on Ride the Lightning:

“It continues to amaze me how law firms fall for phishing scams, sometimes believing that they might have a potential client and sometimes, as here, clicking where they shouldn’t click. The latest law firm is Wallace & Pittman PLLC in North Carolina who reportedly got scammed to the tune of over $300,000.00. And it only went downhill from there.

The scam started with a batch of e-mails in May supposedly from an industry group saying that a transaction hadn’t cleared properly. These e-mails directed readers to click on a link to resolve the problem. Apparently, someone at the law firm did, which allowed hackers to install a keylogger on at least one law firm computer.

After figuring out the law firm’s online banking passwords, the hackers directed their bank, Park Sterling, to send a $336,600.01 transfer through JPMorgan Chase & Co. to a “Konstantin Pomogalove” in Moscow, according to a legal document filed by the law firm. As soon as the law firm received a confirmation of the transaction, it called the bank to cancel it, but it was too late. The bank initially refunded the stolen funds to the law firm’s account.

Later, the bank demanded the funds be returned. State and federal law does not compel banks to restore funds lost through fraudulent activity for commercial customers so long as the bank has reasonable security in effect.

But before the bank could debit the fund, the law firm obtained a restraining order against the bank, removed its funds and closed the account, igniting a lawsuit by the bank.

Park Sterling argues in court papers that Wallace & Pittman did not use an extra layer of security that would require two people to authorize wire transactions and that the request looked legitimate. It also said its customer agreement with the firm places the burden of loss on the customer.

Though the firm uses wire transfers regularly for real estate transactions, this was the first to go outside the country which the firm argues should have raised suspicion enough to put a hold on the transactions. Unsurprisingly, the firm questions the security practices of the bank.

Trial is scheduled for the fall.

There are conflicting cases on whether banks can be held liable, though most have found that they can be, putting a higher burden on information security for banks. My initial take, without having all the facts, is that a bank which suddenly received a high-figure transfer out of the country from a firm which has never done that before should sure as heck have flagged the transaction as potential fraud. And Wallace & Pittman needs to institute two-person authorizations and do some serious employee training!”

Learn how to avoid falling victim to such scams by attending “Protecting Your Firm and Your Clients from Fraud, Scams, and Financial Loss” on May 16 at the OSB Center. Registration open now – visit the PLF Web site > Upcoming Seminars.