This may not be at the top of your holiday preparation list, but The Florida Bar’s Practice Resource Institute is reminding all Bar members to protect themselves from holiday phishing scams or malware campaigns.
A 2017 Cyber Monday Phishing Survey by DomainTools found that 38 percent of respondents had fallen victim to an online phishing attack. This is despite more than 90 percent of respondents stating that they are familiar with phishing.
“This goes to show how clever these criminals have become with their schemes,” said Bar President Michael Higer. “During the holiday season, lawyers — just like everyone else — need to pay extra attention and be mindful of online scams.”
The U.S. Computer Emergency Readiness Team — a division of the Department of Homeland Security — reminds the public to remain vigilant when browsing or shopping online this holiday season. Emails and ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver attachments infected with malware. Spoofed email messages and phony posts on social networking sites may request support for fraudulent causes.
How Can You Protect Yourself?
• Do business with reputable vendors – Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor. Some attackers may try to trick you by creating malicious websites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.) Attackers may obtain a site certificate for a malicious website to appear more authentic, so review the certificate information, particularly the “issued to” information. Locate and note phone numbers and physical addresses of vendors in case there is a problem with your transaction or your bill.
• Make sure your information is being encrypted – Many sites use secure sockets layer (SSL) to encrypt information. Indications that your information will be encrypted include a URL that begins with “https:” instead of “http:” and a padlock icon. If the padlock is closed, the information is encrypted. The location of the icon varies by browser; for example, it may be to the right of the address bar or at the bottom of the window. Some attackers try to trick users by adding a fake padlock icon, so make sure that the icon is in the appropriate location for your browser.
• Be wary of emails requesting information – Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information. (See Avoiding Social Engineering and Phishing Attacks.) Legitimate businesses will not solicit this type of information through email. Do not provide sensitive information through email. If you receive an unsolicited email from a business, instead of clicking on the provided link, directly log on to the authentic website by typing the address yourself. (See Recognizing and Avoiding Email Scams.)
• Use a credit card – There are laws to limit your liability for fraudulent credit card charges, but you may not have the same level of protection for your debit cards. Additionally, because a debit card draws money directly from your bank account, unauthorized charges could leave you with insufficient funds to pay other bills. You can minimize potential damage by using a single, low-limit credit card to make all of your online purchases. Also use a credit card when using a payment gateway such as PayPal, Google Wallet, or Apple Pay.
• Check your shopping app settings – Look for apps that tell you what they do with your data and how they keep it secure. Keep in mind that there is no legal limit on your liability with money stored in a shopping app (or on a gift card). Unless otherwise stated under the terms of service, you are responsible for all charges made through your shopping app.
• Check your statements – Keep a record of your purchases and copies of confirmation pages, and compare them to your bank statements. If there is a discrepancy, report it immediately. (See Preventing and Responding to Identity Theft.)
If you believe you are a victim of a holiday phishing scam or malware campaign, consider the following actions:
• File a complaint with the FBI’s Internet Crime Complaint Center (IC3).
• Report the attack to the police and file a report with the Federal Trade Commission.
• Contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
• Immediately change any passwords you might have revealed and do not use that password in the future. Avoid reusing passwords on multiple sites. (See Choosing and Protecting Passwords for more information.)
Jonathon Israel, director of The Florida Bar Practice Resource Institute, also said the PRI website’s cybersecurity page maintains a list of tips and resources lawyers can use to help protect themselves.