Cyberthreats 101: The biggest computer crime risks lawyers face
Last March, attorney Jeffrey Wicks was being held at digital gunpoint. Wicks—head of a small firm handling criminal defense and civil and family law cases in Rochester, New York—was being extorted by cybercriminals who were holding his firm’s data for ransom.
Wicks had apparently opened an email attachment that locked down his computer and his firm’s network. The data was encrypted, and the hackers were demanding 20 bitcoins in return for the decryption keys to unlock the firm’s files. At that time, one bitcoin was worth about $1,200, meaning the cybercriminals were demanding about $24,000 for the safe return of Wicks’ data. (At press time, the bitcoin value was more than $11,000.)
After a few rounds of negotiations, Wicks ended up paying $5,000 for the network’s data. (He refused to pay for the locked data on his computer and lost two years’ worth of information.) He also had to spend $10,000 in IT fees and $5,000 for new equipment. Thanks to the foresight of his office manager, who had insisted that the firm have cybersecurity insurance, the $20,000 was covered by the insurance company.
Cyberattacks are on the rise, both in the number of incidents and the costs associated with the attacks. According to the ABA’s 2017 Legal Technology Survey Report, 22 percent of responding firms had been breached—an increase of 8 percentage points from the previous year’s survey.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
According to the ABA report, about 27 percent of firms with two to nine attorneys reported experiencing some sort of security breach, while 35 percent of firms with 10 to 49 lawyers and about one-quarter with 500 or more lawyers had suffered such an incident. In 2016, the FBI estimated that cybercrimes were on pace to be a $1 billion source of income to criminals for that year.
Law firms of all sizes are attractive targets, given the type and the amount of data they collect. “Law firms are the crown jewels,” says John Reed Stark, a former chief of the Securities and Exchange Commission’s Office of Internet Enforcement. “They have valuable confidential information on things like mergers and acquisitions and intellectual property,” he says. In 2016, Cravath, Swaine & Moore and Weil Gotshal & Manges were hacked by foreign nationals who used the stolen data for insider trading schemes that netted them more than $4 million.
Regardless of a firm's size or the type of data it collects, attackers use the same modus operandi to gain access.
The biggest threat is phishing, says Mark Rasch, a lawyer and former computer crimes prosecutor based in the Washington, D.C., metro area. “It’s the No. 1, No. 2 and No. 3 threat for law firms.”
In a phishing attack, emails carrying malicious attachments or links are sent in bulk to large groups of recipients to harvest their passwords or gain a foothold on their computers and networks. In most instances the emails are sent by a botnet (a network of compromised computers taking direction from a bot master) and target recipients indiscriminately rather than a particular firm.
In a spear phishing attack, cybercriminals have identified an individual or a group of individuals to attack. For lawyers such as Wicks, the emails often look like they come from a client or another trusted party.
A whale phishing attack, or whaling, happens when the email is made to look like it comes from a managing partner or another senior executive. In one instance, says Jody Westby, CEO of Global Cyber Risk, hackers posing as a CEO sent a request for 1099 and W-2 files to employees in a human resources department. Unfortunately, the files were sent and personal data was stolen by the hackers. “Before you respond, you have to ask yourself if it’s unusual for you to receive a direct email from a high-level executive,” she says. “If it’s an unusual request, report it to IT.”
Sharon Nelson, president of Sensei Enterprises, a digital forensics and cybersecurity company, says hackers have gotten smarter and more sophisticated in their attempts. “You used to see misspellings and poor grammar,” she says. “But now they hire English speakers and do their research on LinkedIn. They’ll know things like Andrew, the CEO, goes by Andy.”
Nelson also says the cybercriminal may phish both firms involved in a lawsuit. In one instance, one firm knew it was under attack but didn’t tell the other side. The uninformed firm received a fake email that changed the wiring instructions for a settlement, and it unwittingly paid settlement money to cybercriminals.
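The three patterns described above (a senior partner's name on an external or look-alike address, a Reply-To that diverts the conversation, and a request to change wiring instructions or hand over tax records) can be checked mechanically before a message reaches a lawyer. The script below is an added illustration, not code from the ABA Journal article or its sources; the firm domain, executive roster and sample messages are constructed for the example.

```python
"""Mailbox triage for the phishing patterns in the text: display-name
impersonation of an executive (whaling, including a known nickname such as
"Andy" for Andrew), look-alike sender domains, diverted Reply-To headers and
payment or tax-record requests.  Added illustration; domain, roster and
sample messages below are constructed, not taken from the article."""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"                       # assumed internal domain
# assumed roster: real address -> display names an attacker might use
EXECUTIVES = {"ahale@example-law.com": ("andrew hale", "andy hale")}
PAYMENT_TERMS = ("wiring instructions", "wire transfer", "routing number",
                 "w-2", "1099")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted copies of the firm domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return the list of red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)
    findings = []

    # 1. Whaling: display name matches an executive but the address is not theirs.
    for real_addr, aliases in EXECUTIVES.items():
        if name.strip().lower() in aliases and addr.lower() != real_addr:
            findings.append("display name impersonates executive")

    # 2. A domain within two edits of the firm's own (examp1e-law.com, etc.).
    if sender_domain != FIRM_DOMAIN and levenshtein(sender_domain, FIRM_DOMAIN) <= 2:
        findings.append("look-alike sender domain")

    # 3. Reply-To steers the conversation away from the apparent sender.
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append("reply-to mismatch")

    # 4. Language that precedes wire fraud or W-2/1099 theft.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace").lower()
    if any(term in body for term in PAYMENT_TERMS):
        findings.append("payment or tax-record request")

    return findings


# Constructed sample messages (not real correspondence).
SAMPLES = {
    "whaling": (
        "From: Andy Hale <andy.hale@examp1e-law.com>\n"
        "Subject: Staff tax forms\n\n"
        "Please send me the W-2 and 1099 files for all staff today.\n"
    ),
    "wire": (
        "From: Opposing Counsel <counsel@other-firm.example>\n"
        "Reply-To: counsel@other-firm-secure.example\n"
        "Subject: Settlement payment\n\n"
        "Our bank has changed; updated wiring instructions are attached.\n"
    ),
    "benign": (
        "From: Andrew Hale <ahale@example-law.com>\n"
        "Subject: Lunch\n\n"
        "Lunch Friday?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {triage(raw) or 'no findings'}")
```

Any hit from checks 1 to 3 should route the message to IT before anyone acts on it; check 4 on its own is only a prompt to confirm the request by phone on a number already on file, which is what the changed-wiring-instructions case above required.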
This article was published in the March 2018 issue of the ABA Journal with the title “Cyberthreats 101: A primer on how lawyers and firms are getting breached and the biggest risks they face.”