Defend Your Inbox: Recognizing and Preventing Phishing Scams This Cybersecurity Awareness Month

As October unfolds, it’s time to focus on a crucial aspect of our digital lives: cybersecurity. October is Cybersecurity Awareness Month, a perfect reminder to fortify our defenses against cyber threats. Whether you’re working in the office or remotely, the security of your personal and your firm’s data is paramount.

Just as you would build a solid legal case, constructing strong cybersecurity defenses is essential. Throughout this month, we’ll delve into strategies to keep you ahead of cybercriminals. Our focus areas include recognizing phishing attempts, using robust passwords, keeping software updated, and enabling multi-factor authentication (MFA).

Phishing emails are a prevalent method used by cybercriminals to infiltrate your inbox. Alarmingly, almost half of social engineering attacks are phishing-related, and a staggering 98% occur through email. However, these emails often carry signs that make them detectable.

Here’s how to spot a phishing email:

  1. Too Good to Be True Offers: If an email offers something unbelievable, like winning a contest you never entered, be skeptical.
  2. Urgent or Threatening Language: Emails that use alarmist language might be phishing attempts.
  3. Suspicious Email Addresses: Verify if the sender’s email matches the company it claims to be from.
  4. Requests for Personal Information: Never send personal information or click on unfamiliar links.

When in doubt, report suspicious emails to your IT team immediately. Your swift action could prevent a severe data breach, much like stopping an argument before it escalates.

Stay vigilant, and remember, your proactive defense is crucial to your firm’s security. Let’s work together to make this Cybersecurity Awareness Month a success!

The Essential Guide To Password Managers

Passwords – it’s a topic that gets discussed a lot, but surprisingly, many people still don’t use effective methods to manage their passwords.

A Common Mistake: The Post-It Note Dilemma

Let me tell you about an experience I had recently. I was at a client’s office, helping him complete an application that required access to his bank account. He turned around, grabbed a yellow Post-It note from his credenza, and handed it to me. I was taken aback. He had his banking password scribbled on that little piece of paper!

I didn’t say anything at first; we completed the application without a hitch. But before I left, I couldn’t help but bring it up. “You know,” I said, “there’s a much better way to keep track of your passwords.” He shrugged it off, saying it was no big deal and that he only wrote down the passwords he used the most.

The Risks of Traditional Password Storage

Storing passwords on Post-It notes or in a notebook in your desk might seem harmless, but it’s fraught with risks:

  • Easy Access for Intruders: Anyone who gains access to your office can easily find your passwords.
  • Loss or Damage: A Post-It note can fall off, get thrown away, or simply be misplaced, leaving you locked out of your accounts.
  • Lack of Security: Physical notes don’t offer any encryption or security features, making it easy for anyone to steal your information.

The Solution: Password Managers

That’s where password managers come in. A password manager is a digital tool that securely stores and organizes your passwords. Here’s why you should consider using one:

Benefits of Password Managers

  1. Security: Password managers use strong encryption to keep your passwords safe.
  2. Convenience: You only need to remember one master password to access all your accounts.
  3. Password Generation: Many password managers can generate strong, unique passwords for each of your accounts.
  4. Accessibility: Access your passwords from any device, anywhere.

How It Works

You enter all your accounts and passwords into the password manager, and it keeps them securely stored. The best part? It can create complex passwords for you, significantly enhancing your security. All you need to remember is one master password, and the password manager does the rest.

My Personal Experience

I use a password manager myself, and it has been a game-changer. No more scribbling passwords on sticky notes or worrying about losing access to my accounts. It’s a great tool, and I genuinely believe everyone should look into it.

So, if you’re still using Post-It notes or notebooks to store your passwords, it’s time to make a change. A password manager is a small investment for a huge payoff in security and peace of mind.

Stay safe online, and remember, I’m Don Ivol, your insurance guy.

Be prepared against cyber attacks

In the past 4 weeks, we have covered multiple cyber security exposures that are common to law firms, including:

We have also covered how to minimize the risk associated with them.

However, they all have one thing in common…a human element, which is almost impossible to safeguard 100%.  About half of all data breaches happen due to some type of human error.

This is why we recommend purchasing cyber liability insurance.

Cyber liability insurance provides a combination of coverage options and services to help protect businesses against data breaches and other cyber events as well as help to recover quickly if an attack does take place.

This insurance can help cover the costs associated with an attack or breach, such as:

  • Lost income due to cyber event
  • Customer notification 
  • Data recovery
  • Damaged computer repair
  • And more!

Law firms use multiple types of technology that face cyber risk.  As this tech becomes more complex, so does the risk that comes with it.  This is why every business should be prepared with a cyber security plan/training as well as cyber liability insurance to help mitigate the risk.

Let INF help place you with the best cyber liability carrier for your firm’s needs.  To get started, give us a call at 412.563.2106 today.

Do you have multi factor authentication to verify your identity…because 44% of businesses don’t

Because October is Cyber Security Awareness Month, we thought that we would take the next few weeks to highlight cyber security exposures that are common to law firms.

Did you know that 44% of businesses don’t use multifactor authentication?

Your question back to me might be – What is multifactor authentication and why would I need it?

Multi Factor authentication or MFA is a security method that needs a user to use two or more authentication factors to prove who they are before they can use an organization’s network, check their email from a remote location, or use privileged or administrative accounts.  It helps make sure that you are who you say you are.

The most common use of MFA is when banks or credit cards require you to input a password as well as a code that they email/text/call you with.

MFA should be used by law firms with email accounts as well as accessing any network remotely.

In fact, according to Microsoft, 99.9% of account compromise attacks can be blocked by MFA!

Most email products as well as system access software have MFA built in, so be sure to enable and protect your data!

Questions about risk mitigation for this exposure?  Call us at 412.563.2106.

Next week, we will talk about how to protect your firm against multiple exposures!

Check to see if your email/password combination has been exposed in a recent data breach

Because October is Cyber Security Awareness Month, we thought that we would take the next few weeks to highlight cyber security exposures that are common to law firms.

This week’s topic – Passwords!

Did you know that there is a website that you can go to check to see if your email/password combination has been a part of a data breach?  It’s called “Have I Been Pwned?” and you can access it here: https://haveibeenpwned.com/

It contains over 12 BILLION username/password combos that have been exposed in recent hacks.

Go to the site and enter your email address to see if you have been exposed.  If so – change your password immediately for the account that was hacked.

Want to create a good password?

Try using these 7 criteria:

  • 12 characters or more in length
  • Contains an uppercase letter
  • Contains a lowercase letter
  • Contains a number
  • Contains a symbol
  • Does not contain real words that could easily guessed by a dictionary attack
  • Hasn’t been used before as a password by your email address

Need help remembering each unique password?  Invest in a password manager, like 1Password or KeePass.

Questions about risk mitigation for this exposure? Call us at 412.563.2106

Next week, we will discuss multi factor authentication!

Do you know about the email wire fraud scam affecting lawyers and law firms?

Because October is Cyber Security Awareness Month, we thought that we would take the next few weeks to highlight cyber security exposures that are common to law firms.

This week we wanted to talk about wire fraud.  Despite the fact that wire fraud scams target a wide range of professionals, attorneys who handle real estate transactions and/or wire money are particularly at risk.

Lawyers should be aware of any fraud schemes that could cost them and/or their clients hundreds of thousands of dollars if they transfer money to or on behalf of clients. The Federal Bureau of Investigation (FBI) estimates that scammers have stolen up to $1.33 billion just in the United States.

Here’s how the scheme normally works:

  • The scammer will gain control of an email account from at least one of the parties in a transaction.  Typically that transaction will be in real estate.  They will use this access to gain details.
  • The scammer will send a set of emails that appear to be legitimate discussing the details of the deal to build trust
  • Then, the scammer will send wire instructions OR make changes to a previously supplied set of instructions
  • The scammer will say this matter is “urgent” and that everything “needs to be done today”.  This is so the normal set of checks and balances will be bypassed, thus eliminating the normal scrutiny requests like these should get
  • Then, the attorney would unknowingly wire the money to the scammer’s account and the scammer will typically move that money immediately to an overseas account so it cannot be stopped

There are a few ways that attorneys can prevent wire fraud – 

#1 – Be hyper-vigilant

First, attorneys should be on the lookout for wire fraud scams and be skeptical whenever money is being wired to finish any kind of transaction. Wire fraud scams that use emails can involve anyone in a transaction, from someone the attorney has worked with for 40 years to someone they have only met briefly for one transaction. Because of how email works, it is much easier to hide a person’s true name through email than over the phone or in person.

#2 – Use a second authentication factor

Use a phone call as the second authentication factor to easily check on all wire transfer requests.

Before any money is moved out of the law firm for a transaction, an attorney can find out about most possible fraud scams by calling the person who is supposedly sending the email. Attorneys should always use the contact information they already have for the person instead of the information in the email, which could be fake. Lawyers can also call someone else at the company. The main point is to do something outside of the email chain that could be hacked.

#3 – Be skeptical of last minute changes

Be careful when a party in a deal suddenly changes how they usually do things. This could mean moving money to a different account, using a personal email address instead of a work one, or talking to someone else at the company. All of these things could be signs of a possible scam. 

Questions about risk mitigation for this exposure?  Call us at 412.563.2106

Stay tuned for next week where we will send you a website where you can check to see if your email/password combination has been exposed in any major hack.

50% of all businesses are worried about ransomware – are you?

Because October is Cyber Security Awareness Month, we thought that we would take the next few weeks to highlight cyber security exposures that are common to law firms.

A common question that we hear from our insureds is – What is ransomware and can it affect me?

Ransomware is a type of harmful software (also known as “malware”) that online thieves use to access a victim’s network. Typically, this happens via a download by an employee that was tricked.  Once they are into the system, they’ll encrypt it so you can no longer access anything.

Finally, the thieves will demand a ransom, generally in bitcoin, in exchange for the decryption key.

Attackers using ransomware have recently increased their aggressivity, requesting six-, seven-, and even eight-figure ransom payments from organizations. It is more difficult for organizations to recover from such an attack as a result of these criminals deleting backups and, in some circumstances, issuing threats to reveal critical or confidential material.

Can it affect law firms? YES!  In fact, here is a link to an article discussing a ransomware attack that is common to the legal industry: https://www.logikcull.com/blog/maze-ransomware-law-firms

One way to prevent ransomware affecting you is to make sure that your employees are well-trained on spotting suspicious emails and attachments.  This way, they won’t download malicious files.

Another way to prevent ransomware is to make sure that you have a complete backup of your system that can be restored within 24-48 hours.  This will enable you to put your system back up and lose minimal time without needing to deal with the criminals.

Questions about risk mitigation for this exposure?  Call us at 412.563.2106

Stay tuned for next week where we will discuss wire fraud.

What Makes a Good Password?

Did you know that, according to Pew Research, 39% of people use the same password for everything? Why is that bad? For example, Sony got hacked a few years ago, and what was really interesting was that the incidence of fraud didn’t just happen with Sony, but it went up at target.com and it went up at amazon.com. It went up kind of across the board, about 35 to 40%. And why is that? Because when one thing is hacked, the people that steal the data, actually take all of that information and try to use it online at as many places as they possibly can because they know that about a third of people use the same password for everything.

With that said, it’s really important to have a good password. And not only that, it’s important to have a different password for each account.

What constitutes a strong password? 

A strong password is typically at least 12 characters, and it consists of uppercase letters, lowercase letters, numbers and symbols. Now, we know that’s going to be a little bit difficult to remember. So typically, we recommend using songs or other other things that are familiar with you to remember your passwords. For instance, say you are a Frank Sinatra fan. So, one of your passwords might use the phrase “fly me to the moon”, then adding a symbol and some numbers.

So, make sure that your passwords that you have to remember are something that’s easy for you to remember. 

Using a password manager

The average American has over 120 passwords. Now, you can’t be expected to remember 120 passwords with 12 characters, uppercase letters, lowercase letters, numbers and symbols. One thing that we do recommend is a password manager. With a password manager, you only have to remember one password to get into the password manager, and then you can actually store all of your passwords within the password manager itself. 

What’s really nice about a password manager is it will help you create passwords that are secure as well. When you create a new password, you actually would just click on new, and then it will fill in the password for you if you want it to.

Good password manager examples

We’ve only put Password Manager examples on this list  that have not been compromised in the commercial market. There are some other password managers on the market that have been compromised, so they didn’t make this list. Some examples are Dashlane, 1Password, Bitwarden, Keeper and KeePass. INF and Integrity First Technology Solutions both use KeePass. 

You can see in the photo above, in a password manager you have your list of passwords, then you’ll have your username and your password. So let’s say you want to login to your bank. You will go to your bank’s website, you double click on your username, and then you click paste. And it would go right into the browser and then you would double click on the password, click paste, and then it would sign you in. 

So you just have to remember that one password to open your password manager, and then you have access to all of your usernames and passwords.

Two Factor Authentication

Another thing that goes along with passwords is two factor authentication, or you might have seen it as 2FA. Two factor authentication is an extra layer of security that actually would have helped all those people that had the same password for everything. So not only do you have to enter your username and password, but then there’s an extra step. This is most likely something that you have seen before. You’ll put in your username and password and then they’ll ask if you want to receive a phone call, a text message or an email with your one time verification code. 

Once you choose your verification method, they will send you your verification code just like it’s shown in the picture above. You would put the verification code in and then you can sign in to your account. 

We definitely recommend turning this on when you’re given the opportunity to do so, because it really is a very strong extra layer of protection, and it protects your accounts from hacks. If a company were to get hacked, they would get your username and password but they wouldn’t get access to your two factor authentication, they wouldn’t get access to your phone, or your email, so this would definitely help protect your account from any hack that happened.

The weakest link in the security chain

“Companies spend millions of dollars on firewalls, encryption and secure access devices and it’s money wasted. None of these measures address the weakest link in the security chain.” – Kevin Mitnick. What do you think is the weakest link in the security chain? If you said humans, you are correct!

Questions about anything in this article?  Contact Stacey Ivol at 412-563-2106 or email her at sivol@integrityfirstins.biz

Why Is Encryption Important?

There’s ranges of encryption, but having encryption present is extremely important.

For instance, there was a person from an insurance company who went to a football game in Detroit and when he went to the restroom, he sat his phone down. He didn’t have it locked, and he didn’t have any encryption on it. Whenever he left the restroom, he forgot his phone and they actually ended up having a large data breach because whoever had the phone was able to access all his emails and any files that he had access to.

So device encryption is so important. Something as innocuous as “Oh, I left my phone in the restroom” could cause something huge. So how do you go about implementing that type of encryption?

Encrypting Apple Devices

If you have a Mac, encryption actually comes built in. So all you have to do, if you don’t already have it turned on, is turn on Filevault. You’ll go to your security and privacy settings, go to Filevault, and then you’ll click turn on Filevault. When you turn on Filevault, you’ll be able to see your computer encrypting your data – it’ll just be a little progress bar. 

Every time you then turn on your computer, you’ll have to put in your password twice, once for unlocking the computer and then once for unlocking the encryption. You’ll actually be able to again, see a little progress bar and it’ll say decrypting data. So you’ll see that it sits at rest in an encrypted state. If somebody were to steal your Mac, your data would be encrypted. 

Now with your iPhone, as long as you have iOS version 8.0 and up, and about 95% of devices do have iOS 8.0 and up, the iPhone actually encrypts as soon as you add a passcode or password. The way to check that you have your passcode or password turned on, number one, is whenever you open your phone, you have to be able to put in a password. And number two, if you go to your settings, and then click on face ID and passcode and you scroll all the way down to the bottom, you’ll see this little sentence that says data protection is enabled. As long as data protection is enabled, that means that your iPhone is sitting encrypted. 

Encrypting Microsoft Devices

Now, let’s say you have a Microsoft device. If you have a Microsoft device with Windows Pro on it, BitLocker is the encryption software that they use. If you have a Windows machine, that is the pro version, all you have to do is go to the Control Panel, look up BitLocker, and then you’ll just turn on BitLocker. And again, a progress bar will show and you’ll see that the device will now have the data sitting encrypted. 

Now, if you have Windows Home and not Windows Pro, you are able to upgrade. The upgrade costs anywhere between $100 to $120, depending upon the sales that they have going on at the time. Once you go from home to pro, then BitLocker will become available, and you can turn BitLocker on and encrypt your Microsoft device. 

Encrypting Android Devices

Finally, if you have Android devices, and you have Android 4.4 or lower under security, what you’ll need to do is add a pin and then enable encryption. If you have an Android device, that is the OS 5.0 or greater, most devices are actually encrypted by default with a password. And all you have to do is again, check your security menu to see that option. Go to your security menu and then scroll down and it will say encryption is on. So as long as you see “encryption on” your Android device is protected. 

Bonus Tip – Set Phone Notifications So They Don’t Appear On Your Lock Screen

Now, as kind of a bonus tip, one thing that can happen that you’ll show data that it’s inadvertent is if your phone is locked and your phone notifications show. So it’s possible that you could have your phone out or on a table or with another client and you could actually have a notification show on your lock screen. 

It might say you have an email from someone, it might show you the first line depending, it can show you all the text from an actual text. Depending upon your situation, you don’t typically want other people to be able to see your notifications. So we recommend turning those off. That way your notifications won’t be visible unless a password is entered. 

Learn how to do this on an Apple device

Learn how to do this on an Android device

Once you set this up, if your phone is off or in lock mode, you will not get any type of notifications that show anything without your password being entered. 

Have any questions about the topic discussed in this article? Contact us today at 412-563-2106.