Thursday, July 31, 2025

Lot of sneaky buggers out in cyberland

Once upon a time, I was a legal researching God working in a law library.  The library in which I worked was, essentially, divided in half with state materials on one side of the wall and federal and general materials on the other.  

Another key feature of the library in which I worked was that it was not sound-proof.  What this means is that if you spoke over a whisper, you could be heard on the other side of the building.

Can you see where this is going?

One day, as I was going about my business I noticed an attorney conversing with his client.  They were in the middle of a deposition and attorney was relaying attorney/client privilege stuff to his client.  

NOTE:  That's privilege as in they wouldn't want anyone to know what they were saying.

The problem was that attorney was speaking louder than a whisper and opposing counsel (who was situated on the other side of the building) could hear what was being said and was taking copious notes.  I mentioned this to attorney annnnnnnnnnd attorney became upset, stomped over to opposing counsel, and started arguing.

Of course, all this could have been avoided had attorney implemented safeguards to protect his client's interests such as lowering his voice to a whisper.

Back in the day, simply keeping your voice down was enough to safeguard secret client information.  These days, however, low volume is not enough.

Picture it: Paralegal, “Sarah,” receives an email from “Attorney Michael” at your firm on a busy Thursday afternoon.  The email reads:

Subject: URGENT: Client Wire Instructions Needed
From: michael.attorney@gnnail.com (looks similar to your firm’s domain)

Hi Sarah,

We need to send out the wire for the Johnson closing today.  Please open the attached PDF for the updated instructions and confirm you can process this ASAP so we don’t delay the client’s funding.

Thank you,
Michael

An attachment named “Johnson_Wire_Update.pdf” is included.

As it happens, Sarah knows Michael is working on the Johnson file.  While the message feels rushed, that’s normal on closing days so she clicks the attachment without verifying that Michael actually sent the email. 

As soon as she clicks the attachment, malware that captures Sarah’s keystrokes installs on her computer and sends her Office 365 credentials to the attacker.  The attacker then logs into Sarah’s email, monitors communications, and sends modified wire instructions to the title company directing that $150,000 of the client’s funds be wired to a fraudulent account.

Sound far-fetched?  I mean, things like this don't actually happen, right?

Turns out it happens all the time.  There are a number of ways hackers (i.e. bad actors who steal people's information from their computers) can access data illegally.  Following are some of the more popular methods:

Phishing

  • Fraudulent emails, texts, or messages tricking victims into clicking malicious links, opening infected attachments, or giving personal information.

  • Variants: Spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice calls).

Pretexting

  • Attacker creates a fabricated scenario (pretext) to obtain information, e.g., pretending to be IT support or a bank representative to get login credentials.

Baiting

  • Attacker leaves malware-infected devices (USBs, CDs) in public places hoping someone will use them out of curiosity.  When the USB drive is inserted into an unsuspecting user's computer, the malware installs itself and facilitates the stealing of information.

Quid Pro Quo

  • Attacker offers a benefit (e.g., free software or IT help) in exchange for sensitive information.

So, in the example above involving unsuspecting Sarah, the method used was a phishing attack.  There were a few things Sarah could have done to protect herself.

Red Flag #1 was the slight misspelling in the sender’s email domain (gnnail.com).  It looks close to "gmail" but is not quite right.  Spider senses should be tingling.

Red Flag #2 would be that it contained urgent, pressure-filled language.  Even if it was urgent that action be taken, there's always time to step back and look at the big picture.  

Finally, Red Flag #3: think about whether the sender would normally send wire instructions.  If this is not a normal occurrence, then maybe wait to verify before acting.

So, what could Sarah have done to protect herself?  Sarah could have hovered her mouse over the sender’s email address to check the actual address before trusting it.  She could have confirmed with Attorney Michael in person or by phone before opening the attachment, especially for financial transactions.
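The three red flags above, written as a check a mail filter could run over a message (added example, not from the original post). The trusted domain, keyword list and sample message are constructed assumptions; gmail.com stands in for the domain that gnnail.com imitates.

```python
"""Red-flag check for an incoming email, mirroring the three flags above.
Added example, not from the original post; the trusted domain, keyword list
and the sample message are constructed for illustration."""
import re

# Assumption: the domain the phish imitates (the post compares gnnail to gmail).
TRUSTED_DOMAINS = {"gmail.com"}
URGENT_WORDS = ("urgent", "asap", "immediately", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits separating a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(sender: str, subject: str, body: str, attachments: list) -> list:
    """Return the red flags found; an empty list means none of the three fired."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        # Flag #1: a domain within two edits of a trusted one is a lookalike.
        for good in TRUSTED_DOMAINS:
            if edit_distance(domain, good) <= 2:
                flags.append(f"lookalike domain: {domain} vs {good}")
    text = f"{subject} {body}".lower()
    # Flag #2: urgent, pressure-filled language.
    hits = [w for w in URGENT_WORDS if re.search(rf"\b{w}\b", text)]
    if hits:
        flags.append("urgent language: " + ", ".join(hits))
    # Flag #3: wire instructions arriving as an attachment; verify by phone.
    if "wire" in text and attachments:
        flags.append("wire instructions in an attachment: verify by phone first")
    return flags


# Constructed sample reproducing the message Sarah received.
SAMPLE = dict(
    sender="michael.attorney@gnnail.com",
    subject="URGENT: Client Wire Instructions Needed",
    body="We need to send out the wire for the Johnson closing today. Please open "
         "the attached PDF for the updated instructions and confirm you can "
         "process this ASAP so we don't delay the client's funding.",
    attachments=["Johnson_Wire_Update.pdf"],
)
```

Running `red_flags(**SAMPLE)` raises all three flags on Sarah's message; a routine note from the real domain with no urgency words and no attachment raises none.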

History is replete with examples of organizations that have been attacked.

Example 1: In 2020, Grubman, Shire, Meiselas & Sacks (one of the premier entertainment and media law firms in the country) was attacked when an employee reportedly clicked on a phishing email, allowing REvil ransomware attackers to access the firm’s network.  Consequently, the law firm experienced a theft of 756 GB of celebrity client data and a $42 million ransom demand.

A ransomware attack typically involves malware that locks users out of their computer files, systems, or networks, demanding a ransom payment for their restoration.  Ransomware attacks involve a “one-two punch”: (1) cybercriminals lock your system; and (2) cybercriminals steal your most sensitive information. 

This was what happened in the attack on GSMS.  The REvil group demanded a ransom payment to release encrypted files as well as an additional payment to permanently remove stolen information from their own system.  Increasingly, even when a ransom is actually paid, these attackers still release small pieces of stolen data to their website and make it available for purchase by the public to encourage payment.

Example 2: In 2019 at a mid-sized real estate law firm in Texas, an employee clicked a phishing email that led to credential harvesting.  Hackers accessed the attorney’s email and modified wire transfer instructions for a real estate closing, diverting client funds (about $150,000) and resulting in a malpractice claim that was resolved with a cyber insurance payout.

Example 3: In 2020, Goldman, Campbell, Brain and Spine was hit by a ransomware attack after employees fell for a phishing email, allowing ransomware to encrypt the medical law firm’s systems.  The type of information stolen included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and gender.

Example 4: In late 2024, cloud security firm Wiz faced a deepfake attack.  Criminals used AI technology to clone CEO Assaf Rappaport's voice and then sent voicemails to dozens of employees asking them for their credentials.

Example 5: Lee Enterprises (February 2025):  Attackers using Qilin ransomware targeted the media company, disrupting production and claiming they stole 350 GB of data.  The company was warned of imminent leaks if the ransom payment wasn’t made.

Example 6: Medusa Ransomware on Critical Infrastructure (March 2025):  Over 300 organizations across sectors (healthcare, education, manufacturing, government) were attacked by Medusa, using spear phishing and unpatched software vulnerabilities to steal and encrypt data, then threaten leaks (double extortion).

Example 7: Ingram Micro (July 2025):  Ransomware detected on internal systems of the global IT supplier Ingram Micro, causing multi-day outages that disrupted customer orders and operations.  Investigations and law enforcement notification are underway.

Knowing that there are hackers and thieves out in cyberland, what can you/we do to protect yourself?

Whether you are a CEO, law firm, or regular, everyday person, you can protect yourself using simple, time tested methods such as:

  1. Do not (as in never) click unfamiliar or suspicious links or attachments.  If you do not recognize the sender of the email, don't click on any attachments.  In fact, send straight to spam.
  2. Always verify wire instructions via phone using known numbers.
  3. Use strong, unique passwords for each system.  A strong password is one that is designed to be hard for a person or program to guess.  It's long and uses a mix of uppercase and lowercase letters, numbers, and symbols, and avoids common words or personal information. A strong password should also be unique to each account.  

A good rule of thumb is to create strong passwords that are longer than 12 characters (some corporate passwords are 50+ characters that are changed every 3 months).  The problem is, how can you remember a unique 12+ character password with upper/lower case letters, numbers, etc?

Actually, there are a few techniques you can use to help remember a long password.

You could use a passphrase.  Maybe a sentence you can easily remember.  Maybe something like:

My dog Spot loves to chase squirrels, especially in the park!123@

ThisIsMyP@$$word!

You could also try using a mnemonic device like an acronym.  If you have trouble coming up with something, you can try using ChatGPT.  Suggested examples might include:

  • SysAdm!n2025_Pro (This example combines a common abbreviation for "System Administrator" with a special character, a year, and an abbreviation for "Project.")

  • Cyb3r$ec.Net-Guard (a play on "Cybersecurity")

  • Innov8@ion.Hub+XYZ (This blends "Innovation" with a number, a special character, and a generic identifier.)

  • Glob@l.Biz_SoluTns (This example blends "Global Business Solutions".)  

You could use a password manager to store all your user names/passwords, such as the one built into most browsers.  The problem with that is that if your system is ever hacked, the hacker now has access to all your passwords.  

Finally, and I can't count the number of CISOs who'll flip out on this, but you can just write your passwords down on paper.  Just be sure to put the list somewhere not publicly accessible (i.e. not just sitting out for everyone to see).

One Caveat:  NEVER use "password" or "12345678" (or any related derivatives) as your password as they are the most used passwords and are the first thing cyber criminals try when trying to break into a network.
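A check that applies the password rules of thumb above, including the caveat (added example, not from the original post). The banned list and the leetspeak map used to catch "related derivatives" are my assumptions.

```python
"""Password check implementing the post's rules of thumb (added example, not
from the original post): longer than 12 characters, a mix of upper- and
lowercase letters, digits and symbols, and nothing built on the two banned
passwords or a leetspeak spelling of them."""
import string

# The post names these as the most used passwords; derivatives are banned too.
BANNED_BASES = ("password", "12345678")

# Common leetspeak substitutions, so that "P@$$w0rd" is read as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s"})


def normalise(pw: str) -> str:
    """Lowercase and undo leetspeak so derivative spellings can be matched."""
    return pw.lower().translate(LEET)


def check_password(pw: str) -> list:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(pw) <= 12:
        problems.append("too short: must be longer than 12 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in classes.items() if not ok]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Check both the raw lowercase form and the de-leeted form for banned bases.
    for base in BANNED_BASES:
        if base in pw.lower() or base in normalise(pw):
            problems.append(f"contains a derivative of '{base}'")
    return problems


if __name__ == "__main__":
    for candidate in ("ThisIsMyP@$$word!", "SysAdm!n2025_Pro", "12345678"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```

Because it undoes leetspeak, the "ThisIsMyP@$$word!" sample above trips the caveat (and has no digit), while the dog-and-squirrels passphrase and SysAdm!n2025_Pro pass.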

Yep, there are a whole lot of sneaky buggers out in cyberland.  Best to keep a weather eye out for bad actors so that you don't become an easy mark and lose all your data.

I'm just sayin. 
