Why Anti-Virus is Not Enough
In a recent TLIE claim, a lawyer was engaged to close a transaction. On the day before closing, the lawyer received an email from the seller asking for the funds to be wired to a different bank than originally requested. The lawyer complied with the request, but the seller later complained he had not received the money, and that he had not sent the email with new wiring instructions. A jury found the lawyer 100% liable for the loss of the funds.
A case like this makes clear that lawyers simply cannot farm out all technology issues to technology professionals and assume that they will be protected. Lawyers and their staff must be trained to spot unusual occurrences and avoid misuse of technology. The nature of threats which may not be prevented by anti-virus and other security software varies greatly.
Content of Emails
The content of emails can come back to haunt lawyers in malpractice cases. In a recent Texas case which resulted in a $200 million verdict, emails among lawyers which mocked the client appear to have influenced the verdict. Lawyers should remember that emails are often discoverable, even when the lawyers might think they are protected as internal discussions. A body of law is developing nationally permitting lawyers to discuss potential ethical or malpractice concerns with either an internal counsel or an outside lawyer under privilege, but no Texas cases have yet opined on the availability of a privilege for such discussions here in Texas.
Malicious attachments and websites
A Toronto law firm lost six figures in an email related hack. The firm’s accountant was presented with an email which purported to be from the bank, with a link asking the accountant to log in. Clicking on the link, the accountant saw a screen which looked just like her usual bank screen, and she tried to log in. However, she received an error message, with instructions to call a number. The webpage presented to the accountant was not in fact the bank’s website, but rather one designed to steal her password information.
Emails frequently either have links to websites that they are not what they purport to be. The links may either execute an attachment to the email which will infect the computer in some manner, or will lead to a phony website designed to steal user information (phishing). The infections may include
- Trojans: Software designed to create a backdoor to the computer to allow installation of still more malicious software.
- Keystoke loggers: Software that captures passwords and other typed information
- Screen scrapers: Software that takes pictures of your screen, perhaps with confidential information.
Sometimes security software will catch these infections, and sometimes it won’t. Keystroke loggers and screen scrapers are actually included in software designed to monitor child use of computers. Users must be aware that hackers will try to trick them into installing software or visiting fake websites.
We frequently see emails in our office designed to steal passwords to Google Apps and Docusign. Typically, such emails indicate that there are documents for the user on the service’s website, and that the user needs to log in to see the information. In many cases, hovering over a link with a mouse allows the user to see where the link actually goes. A recent Google Apps link lead to a website in India in one recent email, and another led to a website in Chile for Docusign.
Conclusion
In this short article, we can only scratch the surface of methods that can get around anti-virus to hack into law firm systems. Hackers may try subterfuge such as posing at repairmen or pretending to be people they are not on the phone in order to gain access to law firm systems. It is vital that all law firm employees be alerted to potential technology security issues, and to the importance of using technology wisely. Firms should further have a comprehensive technology security plan designed to use effective safeguards, both technical and practical.
