Here is a guest post from my colleague Laura A. Calloway, Director of Service Programs for the Alabama State Bar. She has been a practice management advisor for a few weeks longer than I have (and, even after all these years, she never lets me forget it.) These latest spear phishing attacks that purport to be from local bar association leaders will likely be duplicated in other regions in the future. So thanks to Laura for letting us republish her sound advice on this topic.
Protect Yourself from Spear Phishing and Ransomware
by Laura A. Calloway
Some Alabama State Bar members were targeted earlier in the week by a spear phishing email with a ransomware payload, so it’s a good idea to remind lawyers be aware of this type of malicious electronic attack and to take appropriate precautions against it. So what does this mean, in plain English?
Almost everyone is familiar by now with phishing attacks, which involve a scammer sending an email with a spoofed address. The email is made to appear to be from someone you know or do business with, in the hope that you will open an attached document or click on a web link within the email, allowing a program embedded in the email or link to install a virus or other malicious software on your computer. We’ve all received an email from a bank we don’t do business with, saying that we need to log in immediately and change our password or update other information. Those are easy to spot. Spear phishing takes this practice to a higher level by seeking out information about the target in order to make the email message seem more likely to really be from someone he or she know, increasing the chances that the recipient will hurriedly and unthinkingly click the link or open the attachment.
In this case, it appears that the scammers obtained email addresses from several local bar associations, probably from online directories, and then targeteded email to the members, purportedly from the local bar president, stating that there was complaint for violation of the rules of professional conduct pending against the member. Needless to say, some people were tricked into opening the links or attachments. And this is where the ransomware comes into play.
Ransomware is a malicious program which, when downloaded to a computer, encrypts all of the data on the computer’s hard drive. The computer owner is unable to access any of his or her data, and usually receives a demand for payment, either through bitcoin or PayPal, within a certain period to time. Often, the payment demand is structured so that if payment is not made by a certain time the ransom goes up and, after a couple of escalations, the computer owner is told that he or she has permanently lost the opportunity to have the data unlocked.
So what can busy lawyers do to protect themselves from this type of attack? Here are a few quick tips:
- Make sure that your operating system and all software applications are up to date and completely patched. Malicious software often takes advantage of flaws in older or unpatched software in order to download itself and run.
- Purchase one or more good antivirus programs and make sure that both the program and the virus signatures are updated regularly.
- Develop a good backup system, including a backup component that is not constantly connected to your system and the internet. Most ransomware programs are now capable of encrypting not just the computer they are installed on but also data on networked drives, including backup drives.
- Test your backup system regularly, including reinstalling data from the backup to make sure that it will work in the event of an attack.
- Most important, remind yourself and your staff to carefully review every email – especially ones that are not expected – before clicking on web links or opening or downloading attachments. If you have any doubt at all, call the sender before opening the attachment or clicking on the link.
Note from Jim: Following Laura's advice and discussing all of this with your staff can help you avoid huge headaches. Thank you, Laura, for sharing with all of us.