Held to ransom

A cyber-alert issued earlier this month by the non-profit Center for Internet Security warns of a dangerous wave of malicious e-mails that are specifically targeting lawyers.  The fake e-mails are calculated to get your adrenaline pumping and to get you to open them and click on a link — because they’re personalized, they look urgent, and they’re disguised as coming from your own state’s disciplinary body or bar association.

Don’t fall for these e-mails

The CIS, through its Multistate Information Sharing and Analysis Center, reports that the subject and body of these phishing or spoofing e-mails look like they are from your board of bar examiners, bar association, or disciplinary counsel.  In the subject line and/or body, they claim that a disciplinary complaint has been filed against you, or that your bar membership has lapsed.  You are asked to respond by clicking on a link — which, according to the CIS, “leads to a malicious download, potentially ransomware.”

We tweeted out the warning when it came in from Minnesota, but other states where lawyers have been targeted, according to the CIS, also include AL, CA, FL, GA and NV.


Well-written, well-disguised

The CIS says that unlike the obvious Nigerian-lottery-type e-mails we know to avoid, this latest wave consists of e-mails that are “well-written and appear to originate from the appropriate authority,” and they are personalized, too, which of course boosts their effectiveness.

As a member of my local certified grievance committee, I know the procedure my home state of Ohio uses to notify lawyers of grievances — and it does not include e-mail.  I doubt that your jurisdiction’s process does either.

Your full name, bar membership status, bar number, office address and other professional details are publicly available, usually through your supreme court’s web listing of enrolled lawyers.  So it is easy for the bad guys to find you, and relatively easy to match you up with an e-mail address.  If Avvo can do it, why not criminals?

Ways to be savvy

CIS recommends several steps in response to this latest threat:

  • Know how to identify spear-phishing e-mails.  “This particular series of emails includes what appears to be a link to the state bar association, but when the user hovers over the link it shows that the link is really to a different website.  Copying and pasting the link, instead of clicking on it, would defeat this social engineering attempt.”
  • Back up all your systems regularly “to limit the impact of data loss from ransomware infections.  Backups should be stored offline.”
  • CIS is a § 501(c)(3) non-profit; check out its additional recommendations for protecting against and responding to phishing campaigns, available here and here.
  • Report any suspicious e-mails to the FBI’s Internet Crime Complaint Center (www.ic3.gov) as well as to the legal organization that is spoofed in the e-mail.
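The hover check CIS describes can be automated for a mail gateway or a quick triage script: compare the domain a link displays with the domain its href actually points to. The example below is an added illustration, not code from CIS or the alert; the e-mail body it scans is constructed, and the domain names in it are placeholders.

```python
"""Flag HTML links whose visible text names one domain while the href goes elsewhere,
the mismatch a user would only see by hovering over the link."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (placeholder domains): the first link displays the bar
# association's address but actually points at an unrelated download host.
SAMPLE_EMAIL = """
<p>A disciplinary complaint has been filed against you.</p>
<p>Review it at <a href="http://download.example-bad-host.test/complaint.zip">
https://www.examplebar.org/complaints</a> within 48 hours.</p>
<p>Questions? Visit <a href="https://www.examplebar.org/contact">
www.examplebar.org/contact</a>.</p>
"""

# Matches visible link text that looks like a URL or bare domain; group 1 is the host.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude comparison on the last two labels; production code should use the public suffix list."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def find_mismatched_links(html):
    """Return (visible_text, href) pairs whose displayed domain differs from the real destination."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        match = DOMAIN_RE.match(text)
        if not match:
            continue  # link text is a phrase, not an address, so there is nothing to compare
        if registrable(match.group(1)) != registrable(urlparse(href).hostname or ""):
            suspicious.append((text, href))
    return suspicious
```

Links whose text is a phrase ("click here") are skipped; only text that itself looks like an address is compared to the href, which is exactly the disguise the alert describes.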

And a duty to be savvy

As we’ve noted before, not only is it obviously in your own interest to avoid scams that would lock up your own computer data — it can also be part of your ethical duty of competence to your clients.  Law departments have been identified as particularly susceptible to falling for scam e-mails.

Our complete dependence on our computers makes them a point of vulnerability — take the steps necessary to avoid being exploited.