Lawyers should review their data and fraud protection strategies regularly, argues Kevin Cheung
Recent media coverage on Canadians being scammed online, by phone, and behind their backs has been fairly intense. The Canada Revenue Agency (CRA) phone call scam sees fraudsters demanding payment for alleged tax arrears from unsuspecting victims. Imposters have been so bold as to masquerade as local police in an attempt to obtain payment.
While the CRA scam generally targets the elderly and other easily manipulated victims, the SIM swap scam has a much wider target: from the CEO of Twitter to a police officer to everyday Canadians. In this scam, an imposter convinces your phone carrier to switch your number to the imposter's SIM card. This is shockingly easy to do, and should terrify anybody who has used their phone for two-factor authentication. Once the imposter has control over your phone number, he accesses various accounts, selects the ‘forgot password’ option, and direct the new password be sent by text to the phone number now associated with their SIM card.
All this recent publicity surrounding scams should serve as a reminder for lawyers to review their data and fraud protection strategies regularly.
Our computers and phones are the most vulnerable to data theft. Of course your devices should be password protected, either with traditional (but still comprehensive) passwords, fingerprint recognition or retina ID. Switching passwords periodically is important. If you have recently had a staff member leave, passwords must be changed across all devices. Consider using a password manager for your online accounts; this saves the hassle of memorizing multiple passwords, and gives you peace of mind in knowing you have a strong password for any given account.
Minimize risk of SIM scam
Many sole and small-firm lawyers use their personal phone to conduct business. The recent heightened awareness around SIM swapping reveals how risky this can be. It is difficult to protect against SIM swapping since our phones are the hub of so much of our online activity and we often direct secondary security authentication protocols to our phone numbers.
One step that can be taken is to have a PIN or password on your cell phone account. This would require the input of the PIN/password before any changes are made to the account. And if you realize that you no longer have access to your phone number or text messages and calls are not going through, contact your cell phone carrier immediately. Follow this with an audit of all bank accounts for suspicious transactions, and change passwords for all accounts, from banking to email and social media.
Ensure staff are diligent in data protection
Periodically remind staff about the importance of protecting data online. Three key things they should be doing are:
- Being vigilant about phishing emails. Emails from unknown or unexpected sources should be treated with caution. Never click links from unknown sources; and use the cursor to hover over the link to see the URL before clicking.
- Make it a habit to log off from online services such as email, cloud storage, cloud access to networks, list serves and more at the end of each day. Never choose the automatic login or "remember me" feature. While this may seem tedious, if the computer is stolen, at least the thieves will not have access to whichever sites and accounts one regularly logs into.
- Adhere to proper password procedures that you establish.
While some of these suggestions may seem familiar to lawyers, as they have been drilled into our brains in professional development courses, your staff may be less familiar with them. Perhaps you have new staff and they have not been exposed to the same lessons that you have. Unfortunately, it is not enough to rely on staff to read a policy and procedures manual; there is simply too much information in these manuals for a new staff member to adequately absorb it without practice. (Moreover, it should come as no surprise that not all staff read the manuals.)
So, for something critical like data and office security, you cannot afford to wait for new staff to learn key features through practice or by reading about it. You must actively educate them on what is required to protect firm data. Scheduling regular meetings (once a quarter or twice a year should be sufficient) is a good practice, to ensure there are no gaps in staff education and awareness.
When entities such as hospitals and municipalities have fallen for data-stealing scams, smaller businesses must be extra vigilant to guard their data. Small law firms are especially vulnerable, as the information we have is highly valuable and we do not have the same resources as larger firms, such as an IT department, to protect data. As such, we must take at least the most basic of steps to minimize the risk that our data falls into the wrong hands.
Take the time during this early New Year’s lull to review what procedures you have in place, and where improvements can be made.