[This post is the second in a series. The original post can be found here.]
Email has become a primary communications tool for the legal profession. It allows virtually instant sharing of information and documents between lawyers and their clients. Email is also one of the most dangerous tools in a modern law office. Infected attachments, spam and phishing attacks delivered by email make it easy for cyber criminals to deliver malware and breach law firm security protections. It is essential that you educate your lawyers and staff about these dangers and the steps they should take to use email safely.
Be wary of attachments
While email attachments are frequently used to share documents between lawyers, law firm staff, and clients, they are also one of the most common delivery mechanisms for malware. While most messages that have infected attachments will be stopped if your anti-malware software and/or spam filter are working properly and updated, some will make it through.
For this reason, everyone at a law firm should follow these two simple rules:
1. No matter how interesting or enticing they appear to be (e.g., jokes, celebrity gossip or pictures), never open attachments from strangers.
2. No matter how interesting or enticing they appear to be, never open attachments unexpectedly sent to you by people you know.
The reason for Rule #1 should be obvious – enticing attachments from strangers usually have a malware payload. The reason for Rule #2 might be less obvious: to trick you into feeling comfortable about opening an attachment, some types of malware will send an email with an infected attachment to all the address book contacts it finds on a computer that it has just successfully infected. This is done intentionally in the hope that people getting such a message will be comfortable opening the attachment because it came from someone they know – and bingo – the person opening the attachment becomes infected and all their contacts get a similar message.
Use spam filters to avoid annoying and dangerous spam
On a daily basis you undoubtedly receive unsolicited commercial junk email, advertising or other offensive messages commonly known as spam. Spam is not only annoying – it is also very dangerous as it is commonly used to deliver malware (if you click on a link in the message) and phishing scams (see the next heading).
To combat spam, many firms use spam filters that are intended to detect unsolicited and unwanted email and prevent those messages from getting into a user’s inbox. Spam filters use various criteria to identify spam messages, including watching for particular words or suspicious word patterns, messages that come from websites that are known to send spam, etc. Anti-spam products also use “blacklists” that intercept messages from recognized spammers, and “whitelists” that let messages through only if they come from your personal list of recognized email addresses or domains (the domain is the main part of an email address or website, for example, lawpro.ca or gmail.com).
If your email program includes a spam or junk mail feature, you should turn it on. For additional protection, consider installing a third-party spam filter. They are often included in anti-malware suites. See Lawyers Mutual’s article “Malware – It Can Happen To You” for more information.
While spam filters can significantly reduce the amount of spam you receive, they are not perfect. They will sometimes let spam messages through. Advise firm staff not to open or respond to spam messages, and to flag them as spam so that the spam filter can learn to recognize and prevent a similar message from getting through in the future.
Links in spam messages will often cause malware to be downloaded to your computer. For this reason, everyone at a law firm should be told to never click on links in spam messages, no matter how interesting or enticing they appear to be.
Don’t be fooled by phishing
Did you know that emails appearing to come from companies you trust may actually be from criminals trying to steal your money or identity? Because they are so successful at duping people, “phishing” emails have quickly become one of the most common and devastating scams on the Internet.
Phishing scams use spoofed (meaning faked or hoax) emails and websites to trick you into revealing your personal and financial information. By using the trusted brands and logos of online retailers, banks, or credit card companies, phishing scammers trick surprisingly large numbers of people. The phishing email directs users to visit a website where they are asked to confirm or update personal information such as passwords and credit card, social insurance and bank account numbers. In doing so, people are tricked into giving this information directly to cyber criminals, who, in turn, use it for identity theft, financial theft or other cybercrimes.
Legitimate companies will never ask you to update your personal information via an email message. Don’t get tricked by phishing scams.
Dan Pinnington is the Vice President of Claims Prevention at practicePRO. This article first appeared in the December 2013 issue of LawPro magazine. Reprinted with permission. For more cyber safety tips, visit www.lawpro.ca.