Practicing digital hygiene — preserving and protecting your digital footprint

James Oliver
There are a multitude of cyber threats facing attorneys, ranging from phishing attacks to malware-ridden attachments to unpatched software vulnerabilities—the list is endless. If that’s not enough, physical threats such as malicious hardware, disgruntled employees, and computer theft are ever present. Most attorneys are familiar with the obligations an attorney must undertake to protect personally identifiable information (“PII”) from being disclosed to the public. An attorney’s obligation to protect PII isn’t limited to court filings—it includes protection from access by third parties, too. This article provides practical advice on methods attorneys can employ to reduce the exposure of themselves and their clients to third-party bad actors.
Audit yourself
Is my information already on the internet? Are my login credentials compromised? How do I check? Security websites such as www.haveibeenpwned.com are a great source for determining whether your credentials may have been disclosed in a published data breach. The website is easy to use—you only need to enter your email address to search known lists of information disclosed during data breaches and see whether any matches exist. The website also shows the scope of what was disclosed in the data breach, such as telephone numbers, usernames, passwords, and addresses. The website is updated as new disclosures become public. Not all breaches are contained in the database, so a clean result is not proof that your credentials are secure, but it is nevertheless a valuable resource.
If your credentials have been reported as hacked, it’s a good idea to change your password across all accounts that share the same credentials. Bad actors typically use compromised credentials to attempt access to common accounts, such as bank accounts, email accounts, vendor profiles, or other platforms with sensitive information.
Do not use work email for personal use
This year, data breach incidents have been reported involving major organizations, including Capital One, North Face, Cartier, and The Washington Post. Bad actors will comb through the information obtained in such breaches looking for emails and passwords. Then they try that information in other locations, hoping to obtain even more sensitive information like banking credentials.
An email associated with a business will stand out considerably more than one from Gmail or Yahoo. It will be seen as an additional target to explore. Consequently, you expose yourself, your firm, and your clients to attacks by signing up for personal services using your professional email.
Be vigilant about correspondence
When you get an email from a colleague who typically calls instead of writing, or a message from a vendor or service that typically proceeds without interaction, it should be a signal that something may be amiss. Fake emails have historically been easy to spot due to grammatical mistakes and the generally sloppy appearance of logos, fonts, etc. In recent years, artificial intelligence has made spoofed emails appear significantly more real and, in some cases, virtually indistinguishable from real accounts. The first place I look after suspicion sets in is the email of the sender. It may be difficult at first to spot the differences between these two email addresses, especially if one is not suspicious of an attack.
[email protected] admin@micяosoft.com
Some languages have letters that appear similar but are encoded distinctly by computers, allowing for addresses that look similar but are controlled by criminals instead of the organization they seem to originate from. Cyrillic letters are commonly mixed with traditional English letters as a means of masking an assailant’s identity. Looking closely at the shape of letters can help you spot signs of a malicious email. When in doubt as to the authenticity of an email from a person or vendor, pick up the phone and call using the contact information you have or can verify online, not the information contained in the suspicious email.
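The check described above can also be done by machine. The following is an added example, not part of the original article: a short Python script that names every non-English letter in a sender's domain and flags domains that mix alphabets. The function names are hypothetical, and the all-Latin comparison address is a constructed sample.

```python
import unicodedata

def script_of(ch):
    """Approximate a letter's script from its Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None  # digits, hyphens and dots belong to no script
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def inspect_sender(address):
    """Report non-ASCII and mixed-script labels in the domain of an email address."""
    domain = address.strip("<> ").rsplit("@", 1)[-1].lower()
    findings = []
    for label in domain.split("."):
        non_ascii = [(c, unicodedata.name(c, "UNKNOWN")) for c in label if ord(c) > 127]
        if not non_ascii:
            continue  # plain ASCII label, nothing to disguise
        scripts = sorted({s for s in map(script_of, label) if s})
        findings.append({
            "label": label,
            "scripts": scripts,
            "mixed": len(scripts) > 1,  # e.g. Latin and Cyrillic in one label
            "non_ascii": non_ascii,
            # The ASCII form that DNS and mail servers actually use for this label.
            "wire_form": label.encode("idna").decode("ascii"),
        })
    return {
        "domain": domain,
        "suspicious": any(f["mixed"] for f in findings),
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed sample input: an all-Latin address and the lookalike from the article.
    for addr in ("admin@microsoft.com", "admin@micяosoft.com"):
        report = inspect_sender(addr)
        print(addr, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for f in report["findings"]:
            print("   label:", f["label"], "scripts:", f["scripts"], "wire form:", f["wire_form"])
            for ch, name in f["non_ascii"]:
                print("      ", repr(ch), "is", name)
```

A domain written entirely in one non-Latin alphabet is listed in the findings but not marked suspicious, so a lookalike built wholly from another alphabet still calls for the phone call described above.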
James Oliver practices with Carr Allison in Jacksonville and is a member of The Florida Bar Cybersecurity & Privacy Law Committee. The information provided is for general informational purposes only and does not constitute legal advice. Attorneys should conduct their own analysis and consider all relevant facts and circumstances for their clients’ specific situations.













