Many people have had their email accounts hacked; that is, a third party has gained control over the email account. Perhaps the most common sign is receiving emails or calls from many people who are in your email contacts saying they have gotten an email from you with an attachment that doesn’t seem right. With personal email accounts, this is often just seen as annoying. For lawyers, it can be a serious matter.

Phishing email from a law firm address that appears to be for a DocuSign document.

In one case, the email included a phony telephone number for the lawyer. We called, and they insisted we needed to open the document they had attached right away. This is of course annoying to clients, but may be a prelude to even worse actions.

Email response sent by hackers

Phishing

Phishing emails such as the one described above are often the cause of a breach in the security of a lawyer’s email, directly or indirectly. The email may trick a lawyer into clicking on a URL which then asks for a password to an online service. This may be an online email account, such as Gmail or Yahoo, or an online office suite such as G Suite or Microsoft Office 365. DocuSign has often been imitated in phishing emails.

Screenshot of phishing webpage collecting email passwords.

Gaining access to such accounts gives hackers many options to make money from their pursuits. One of those options is to send phishing emails to all of the lawyer’s clients, to try to get their information. If the lawyer has reused that password in many places, the hackers can use it to open up those additional online accounts as well.

Website Security Failures

It is not uncommon for online email accounts to be compromised as a result of a breach at an unrelated ecommerce website. The entire Yahoo database was hacked several years ago, and only revealed in full detail recently. Typically, ecommerce websites require an email and password, and lists of stolen email and password combinations circulate among hackers. If passwords are reused on many different sites, this may give hackers access to all sorts of accounts. If the email and password combination works on a lawyer’s online email account, hackers may have hit the jackpot.

Wire Fraud

In many cases recently, hackers have gone beyond creating phishing attacks against lawyers’ contacts and have begun to seek bigger rewards. Rather than making their hack obvious, the hackers begin monitoring the lawyer’s email. They may create subfolders in the lawyer’s email account and start communicating with clients from that account to trick them into redirecting funds to the hackers. The lawyer’s email program may be set up to move incoming responses to these hidden subfolders, so they never appear in the inbox. The email chain may then be deleted to keep the fraud from being noticed. Transactions that involve exchanges of funds are a prime target. Real estate transactions have been especially hard on lawyers.

In one recent case, a lawyer’s AOL account was hacked. The hackers tricked the client into wiring $1.9 million, the down payment for the client’s $19 million condo purchase in which the lawyer represented the client. The client found out about it when the seller’s lawyer indicated they had not received money. While most of the money was recovered, about $200,000 was not.

Wire frauds have occurred when a client’s email was hacked as well. In a case TLIE was involved in, a person in a foreign country was to sell their real estate note to another party. The seller’s email had been hacked. The hacker sent an email changing wiring instructions to a bank outside of the US. The money was not recovered. At trial, the judge determined no negligence issue should be submitted regarding the seller’s negligence in connection with the hack. The unknown hacker’s responsibility was submitted to the jury. The lawyer was found to be 100% negligent. Hacked client emails can thus present problems for lawyers, too.

Release and Other Use of Confidential Information

Two New York City law firms recently had their email systems breached. The hackers were looking for information about upcoming mergers involving law firm clients in order to make advantageous stock trades. The hackers apparently made about $4 million in illegal stock trades.

The recent Paradise Papers exposure of an offshore law firm’s documents reportedly resulted from an external hack, though whether it was an email hack is not known. In that case, the details of many client actions involved in setting up offshore transactions were exposed. Such details could easily be within an email system. While the damages are hard to quantify, there is little doubt that the information released will result in legal expenses involved in addressing criminal and regulatory investigations that otherwise would not have been necessary.

Handling an Email Breach

Many times, victims of an obvious email data breach simply change passwords by using the “Forgot Password” feature of their email and move on. While this is a necessary step, this may not be sufficient to protect clients and comply with the law in some situations.

A lawyer should determine if sensitive client information was accessed or accessible by email hackers. If a hacker had access to the lawyer’s address book, they most likely had access to all the email in the lawyer’s email account as well. If the lawyer has archived emails in the account, these, too, may have been accessible. Once the potentially affected clients are determined, the lawyer should consider whether to notify the client of the breach. While we have found no ethics opinions requiring client notification, withholding such information from clients can be seen as failing to apprise the client of an important fact about their representation in violation of the communication requirements of Texas Rule 1.03.

In certain cases, state and federal law requires notification of those whose information may have been compromised in a data breach, regardless of whether they are clients or not. Laws requiring such notification vary greatly between states, but most require notification when information that could lead to identity theft is compromised. The federal Health Insurance Portability and Accountability Act, HIPAA, includes regulations that apply to attorneys who represent health care providers, such as doctors, hospitals and insurers. Not only is disclosure of breaches required, but fines can be levied for failure to train or have adequate safeguards. In Texas, the Texas Medical Privacy Act imposes similar duties on any business that stores health information. Financial clients such as banks and insurance companies often are required by regulation to assure that vendors have adequate security and must report breaches of information held by vendors such as attorneys.

Determining exactly what information has been compromised could be a time-consuming and expensive task. With email, attachments must be reviewed as well as the body of the email. In addition, a law firm should be as certain as possible about what may have led to the breach. Forensic analysis and review of the firm’s computing infrastructure may be in order. If information sufficient to result in identity theft has been compromised, it may be appropriate to consider providing credit monitoring to those whose information was compromised. Cyber liability insurance may cover the expenses necessary to properly address email hacking.

Preventing Email Hacks

Here are a number of steps lawyers can take to avoid email hacks and their consequences, such as the ones described in this article.

  • Communicate early with clients about the best way to communicate with them electronically. Warn them about the need for them to assure that their email and computer systems are not compromised, and to let you know if that happens so you can communicate in another way.
  • Avoid communicating with individual clients on work email systems, and consider advising clients to change email addresses and passwords in divorce and separation situations.
  • Use strong passwords on all accounts, and even stronger ones on internet based accounts. Length is the most important characteristic of a strong password. Lack of recognizable words within passwords helps, too.
  • Do not use the same password for multiple sites. It is a hassle to have a different password for each site. Software can help. KeePass, for example, generates unique passwords and keeps them in an encrypted database.
  • Use good anti-malware software. This is not a cure-all, but it can help. Keyloggers are sometimes used to steal passwords and gain control over email accounts, and may not always be found by anti-malware software. Anti-malware software that flags bad websites may not be up to date and may miss phishing websites.
  • Firewalls on your network and your computer may help prevent phishing servers from being accessed if the firewall is configured to filter out known bad websites and countries where hackers operate more freely.
  • If you are considering clicking on a link in an email, hover over it with your mouse to see where the link actually leads. It may lead to a different website than you are expecting. In the example above, the link led to a music recording website for a business in Colorado, not to a DocuSign server. We have noted similar phishing emails that led to sites in India and Chile. These servers have often been compromised without the owners’ knowledge.
  • Just because a URL looks good at first glance doesn’t necessarily mean it is OK. Bit.ly and other shortened URLs may go to bad websites. You can check the target website of a bit.ly or tinyurl link here. However, a bit.ly URL that looked like a legitimate Google link in a Google alert email was used to hack Colin Powell’s email last year.
  • Never enter a password or other information on a website reached by clicking a link in an email. Often, phishing emails are disguised as warnings about your account; ironically, they may even suggest that you change your password. Instead of clicking such a link, go to your browser and type in the correct address.
  • Never enter a password or other information in a browser unless “https://” appears in the URL in your browser. Https signifies that the transmission to and from the website is encrypted. In addition, make sure that the certificate for the website is up to date and appropriate. In most browsers, https will appear in green when certificate information matches. Https alone is not a guarantee of security; a bug in the OpenSSL software used by many websites, known as Heartbleed, allowed decryption of encrypted information.
  • Do not rely solely on email for wiring or other financial disbursement information. Confirm information by telephone as well, making sure that you have the correct telephone number from earlier information provided by clients or parties to the transaction.
  • Periodically check email folders to make sure new ones have not been created.
  • Understand both the lawyer’s and client’s responsibilities under state and federal law for protection of information, and encrypt information where required.
  • Use client portals for transmission of client information.
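As an added example (not part of this TLIE article or any product it mentions), the following Python script automates the “hover over the link” check from the list above: it pulls every link out of a message’s HTML, compares where the link text says it goes with where the href actually goes, and flags shortened URLs and non-https targets. The sample message, the music-studio.example domain and the small brand list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: a link whose text shows DocuSign but goes elsewhere,
# a shortened link, and a link that looks like a genuine DocuSign one.
SAMPLE_HTML = """
<a href="http://music-studio.example/docs/view">https://www.docusign.com/review</a>
<a href="https://bit.ly/3abcdef">Review Document</a>
<a href="https://www.docusign.com/sign/abc">Sign here</a>
"""
SHORTENERS = {"bit.ly", "tinyurl.com"}
BRANDS = {"docusign": "docusign.com"}  # brand word in link text -> expected domain
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def host_of(value):
    """Lower-cased hostname of a URL or URL-looking text; '' if none."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
def under(host, domain):
    return host == domain or host.endswith("." + domain)
def check_link(href, text):
    """Reasons to distrust this link; an empty list means none were found."""
    host, findings = host_of(href), []
    if not href.lower().startswith("https://"):
        findings.append("not https")
    if host in SHORTENERS:
        findings.append(f"shortened URL via {host}")
    shown = host_of(text) if "." in text and " " not in text else ""  # text is itself a URL
    if shown and not under(host, shown):
        findings.append(f"displays {shown} but goes to {host}")
    for word, domain in BRANDS.items():
        if word in text.lower() and not under(host, domain):
            findings.append(f"mentions {word} but goes to {host}")
    return findings

def audit_email_html(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Feed it the HTML body of a suspicious message and review any link with a non-empty findings list before clicking; a link that passes is not proven safe, only free of these particular warning signs.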

Conclusion

The steps described above are only part of an overall computer security program that is appropriate for most law firms. Please see our articles on The Implication of ABA Opinion 477 for Texas Lawyers’ Use of the Internet for Communication and What a Good Data Security Program Looks Like for more information. For TLIE insureds with Cyber Insurance through NAS, go here to gain access to their detailed loss prevention information.