A Scam in Time for Christmas

Law firms routinely collect and issue W9 and 1099 forms. But if you receive an email requesting a tax form and weren’t expecting it, think twice. Ask yourself:

  • How did the email arrive? Via a website contact form, via your blog, or addressed to a specific person in your firm who would deal with such matters?
  • Do you recognize the sender?
  • Does the sender’s domain exist?
  • Does contact information given in the email match what you find on the web?
  • Do your records reflect that you did business with the sender this year?
  • Does any part of the email message seem “off”?

Remember, scams can seem innocuous, even apologetic:

We are updating our new financial software and see that we don’t have a current W-9 or your tax id number in our system. If we could get this at your earliest convenience that would be wonderful. We realize and understand that you are tax exempt, but we would love to have the information fully entered into your new system. Thank you for your help and understanding. If you would like you can fax it to XXX-XXX-XXXX.
Have a great day!

When a request seems fishy (we understand you are tax exempt?) or oddly worded (we would love to have the information fully entered into your new system?!), take the time to independently verify legitimacy. Check your records, run a web search on the purported sender, and pick up the phone. Don’t use the contact information given in the suspicious email. Avoid replying, submitting a fax, or clicking on any links the message may include. Most importantly, educate staff at all levels and keep your antennae up for new variations of scams.

All Rights Reserved 2019 Beverly Michaelis

Cybercrime: An Ongoing Threat to Law Firms

In the most recent issue of Law Practice Today, Sheri Davidoff describes how hackers exploit weak security measures to steal from you and your clients. The most common targets: your email, logins, and files.

Email hacks

Once a hacker gains access to your email, he or she may download your entire mailbox, set up a rule to forward your messages to their account, or use email content to begin victimizing clients.

Preventive steps

Use proper passwords

Pass phrases (sentences) are the best. Otherwise, choose passwords at least 14 characters in length which contain symbols and numbers. It is critical to create unique pass phrases or words for each login to limit the scope of a security breach. Do not share them. Do not write them on sticky notes posted to your monitor. A password manager can make the job easier.

Turn on two-factor authentication

This sounds fancy, and if you’re not familiar with it, intimidating. It is neither. Log in as usual, have your smartphone or cell phone handy, and enter the code texted to you to complete your login. It’s that easy.

Biometrics

You can use your face or your fingerprint to log in if your device or software supports it. A quick Google search generates pages of “pros and cons” posts, which I will avoid repeating here.

Limit substantive content in email

Consider limiting what you say by email when the information is sensitive. Pick up the phone or send the client a message prompting them to log in to your secure client portal instead. As Davidoff points out in her post, “Hackers commonly search your correspondence for ongoing conversations of interest—such as a real estate purchase or other upcoming financial transaction. Then, they actively monitor these conversations to maximize their ability to intercept a payment.”

Malware and ransomware abound

The most likely way to get infected with malware or ransomware is to click on a suspicious attachment or link. Use common sense before you click, and if in doubt, don’t, even if the message appears to come from a trusted source. Pick up the phone or compose a new message and ask the sender if he/she sent the email. (Don’t ask by forwarding the suspicious message – you are only spreading the threat.)

The US Department of Homeland Security has valuable tips on combating malware and ransomware. Also, take a few minutes and peruse the resources available at the ABA Law Practice Division (search: “malware”) or check out the Professional Liability Fund CLE, Data Security/Data Breach: What Every Lawyer Needs to Know to Protect Client Information.


Phishing Scam Hits OJD Users

Here are the details.