Phishing Scam Hits OJD Users

Here are the details.

Imposter Fraud

Imposter fraud is perhaps the most common type of scam encountered by lawyers. As the FTC warns, it comes in many forms. Scammers pretend to be computer technicians, IRS officials, your banker, a client, or a law firm vendor. They may even pretend to be you!

No matter the method, the goal is always the same: to use social engineering to manipulate you into sending money. Here are nine tips from Webroot on how to avoid falling prey to phishing, vishing, and SMShing scams:

  1. Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review.
  2. Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number.
  3. Don’t let a link be in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
  4. Email hijacking is rampant. Hackers, spammers, and social engineers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control an email account, they prey on the trust of the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading.
  5. Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake.
  6. Foreign offers are fake. If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam.
  7. Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam.
  8. Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizations on your own to avoid falling for a scam.
  9. Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so.  Use an anti-phishing tool offered by your web browser or third party to alert you to risks.

All Rights Reserved 2019 Beverly Michaelis

 

 

What Lawyers Can Learn from the Yahoo Email Hack

Yahoo, the second largest email service worldwide, reported a security breach last untitledweek which exposed personal information from sent email folders.

The Associated Press reports:

Yahoo Inc. said in a blog post on its breach that “The information sought in the attack seems to be the names and email addresses from the affected accounts’ most recent sent emails.”

That could mean hackers were looking for additional email addresses to send spam or scam messages.  By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.

If you correspond with friends, family, clients, or colleagues who use Yahoo’s mail service, scrutinize incoming e-mail carefully to avoid phishing scams. 

This breach has another takeaway for lawyers – you are only as secure as your third party vendors.  The Yahoo and Target breaches were both the result of third-party vendor hacks.  In the case of Yahoo, the information was collected from a third-party database.  In the Target hack, credentials were stolen from a third party vendor.

Lawyers should take this to heart when evaluating their own cyber liability and security – specifically with regard to HIPAA compliance.  If your servers are hosted in the cloud, or you use cloud-based practice management, accounting, or backup solutions, inquire into the security procedures of your vendors.  Remember that encryption is your friend.  All data stored in the cloud should be encrypted – minimally by your vendor.  Better yet: go the extra mile.  Seek out cloud providers who permit you to add your own third party encryption, like Viivo or TrueCrypt, so that you (and only you) hold the final encryption key.

All Rights Reserved [2014]

Beverly Michaelis

LinkedIn Phishing Scam

If you receive a message entitled “LinkedIn Security Notice” informing you that your LinkedIn account has been closed for lack of activity, it is a known phishing attempt. 

I suspected as much and contacted LinkedIn

If you receive a potentially fraudulent email appearing to originate from LinkedIn, DO NOT CLICK ON ANY LINKS WITHIN THE EMAIL MESSAGE.  Promptly notify Customer Support.  Login to your LinkedIn account, scroll to the bottom of the page, and click on Help Center.  In the “Get Started Here” Search box, enter “fraudulent email.”  Click on the first Search result: “Possible Fraudulent Email.”  At the bottom of the page you will find a link to the Privacy Department.  Click on the link to complete an online contact form.  If possible, save a copy of the scam e-mail and attach it to the online contact form.

Phishing scams are nothing new.  It’s hard to know whether reporting them does any good, but it only takes a moment of your time. 

Copyright 2011 Beverly Michaelis