Is Anyone Phishing for Your Firm?

In 2022, cyber criminals sent about 3.3 billion phishing messages and caused over 4,000 data breaches, exposing about 22 billion personal records.

What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive information, such as PII, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

How do we fight phishing? 

Knowledge

Humans are the number one reason phishing schemes succeed, so knowledge is going to be one of your biggest tools. Make your employees knowledgeable about phishing attacks, including the common ones happening now, and answer any questions they might have about these security issues.

Safeguards

Over 50% of the attacks were caused by humans, but that other 40 something percent was caused by issues in the system. So having safeguards in place, such as a really good spam filter, can help fight against phishing.

What’s interesting is that Google actually has better safeguards in place than Microsoft Office. Organizations that use Office 365 are more than three times as likely to experience a business email compromise when compared to Google Gmail for business.

One probable reason is that Microsoft only has access to the small amount of data that is Microsoft specific, whereas Google has access to 90% of the world’s data on the internet. So it would make sense that the Google spam filter and email filters are much stronger, because they have access to so much more data.

Ways to spot phishing schemes

It contains an offer that’s too good to be true

If you’ve ever received an email that said “click here to claim your $500 reward”, they want you to go to a website and put in your name and your bank account so they can deposit that $500 reward. 

Language that’s urgent, alarming or threatening

In one week, we had three different clients send an email with the subject line “Urgent, your site has been hacked.” The email goes on to say: deliver $3,000 in Bitcoin, or we will take your website offline and put something else up in its place. Anytime you receive anything like that, it’s a big key to spotting phishing.

Poorly crafted writing with misspellings and bad grammar

Now, this next one is not as prevalent anymore, with AI tools like ChatGPT becoming a lot more in tune. You and I know that no financial institution and no attorney is going to send out anything that has bad grammar. So that’s definitely a way to spot a phishing email.

Greetings that are ambiguous or very generic

You may receive an email that says hello gentleman, or welcome lady. Ignore these.

Requests to send personal information

This happens a lot with people pretending to be banks, or pretending to be PayPal. They’ll say, oh, there’s an issue with your account, click here to sign in and put in your financial information so we can verify it. Don’t do that. PayPal and banks have come out and said, we will never send you an email that’s like that, so that’s definitely an email to ignore. 

Urgency to click on unfamiliar hyperlinks or an attachment

A real website for a bank, credit card company, or other business won’t look or feel like it’s trying too hard. You won’t find important messages spread all over these sites. If you go to a site and it seems to have a lot of urgent messages that don’t seem to fit, you should check the URL to make sure you’re in the right place. Phishers use this kind of urgency to make it more likely that people will share sensitive information quickly and willingly.

Strange or abrupt business requests

In this type of phishing attack, the victim is sent an email from an address they know, like the CEO, the Human Resources Manager, or the IT support department. The email tells the victim that they need to act quickly and transfer money, update information about their employees, or install a new app on their computer.

Fuzzy or low resolution images

A company will never send you an email where their logo looks bad. If their logo looks bad or fuzzy, whoever sent it didn’t have access to the high resolution version of it. So it’s not from them. 

The sending email address doesn’t match the company where it’s coming from

So if they say, “Hi, this is PayPal,” but the address says PayPal1234@outlook.com, those two don’t mesh. And so you know it’s not from PayPal.

What does a phishing email look like?

As an example, we have this email where you can see this isn’t the actual PayPal logo. It’s a little bit different and it’s missing a few features. It says “response required,” and the sender is service.epaypal@outlook.com. The purpose of this email is to get you to click the login link and put in your username and password, so they have your PayPal username and password.
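For whoever manages the firm’s mail filtering, several of the warning signs above can be checked automatically. The following is an added example, not part of the original article: a small Python check for sender mismatch, urgent language, generic greetings and requests to log in. The brand-to-domain table, the keyword lists and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands to protect, mapped to domains they legitimately send from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Assumption: small keyword lists modelled on the examples in the article.
URGENT = re.compile(r"\b(urgent|response required|act now|hacked)\b", re.I)
GENERIC_GREETING = re.compile(
    r"^\s*(hello|dear|welcome)\s+(gentleman|lady|customer|user)\b", re.I | re.M)
CREDENTIAL_ASK = re.compile(r"\b(log ?in|sign in|verify|password)\b", re.I)


def sender_mismatch(from_header):
    """Return brands named in the sender that do not own the sending domain."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    flagged = []
    for brand, domains in BRAND_DOMAINS.items():
        claimed = brand in display.lower() or brand in local
        # Exact domain or a true subdomain only, so paypal.com.example fails.
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if claimed and not owned:
            flagged.append(brand)
    return flagged


def phishing_indicators(raw_message):
    """List which of the article's warning signs a plain-text email shows."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: keep only the text parts
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    found = []
    if sender_mismatch(msg.get("From", "")):
        found.append("sender_mismatch")
    if URGENT.search(text):
        found.append("urgent_language")
    if GENERIC_GREETING.search(body):
        found.append("generic_greeting")
    if CREDENTIAL_ASK.search(body):
        found.append("credential_request")
    return found


# Constructed sample modelled on the email described in the article.
SUSPICIOUS = """\
From: PayPal <service.epaypal@outlook.com>
To: user@example.com
Subject: Response required

Hello customer,

There is an issue with your account. Click here to log in and verify it.
"""

# Constructed sample of an ordinary message from the brand's own domain.
LEGITIMATE = """\
From: PayPal <service@paypal.com>
To: user@example.com
Subject: Your receipt

Hi Dana,

Your receipt for order 1001 is attached.
"""

if __name__ == "__main__":
    print(phishing_indicators(SUSPICIOUS))
    print(phishing_indicators(LEGITIMATE))
```

Keyword checks like these produce false positives, so they are best used to tag messages for a closer look alongside the spam filter rather than to block mail outright.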

Common phishing schemes

Account deactivation

Compromised credit card

Funds Transfer

Social media requests

Google Docs fake login 

IT support request 

Social engineering

Questions about anything in this article?  Contact Stacey Ivol at 412-563-2106 or email her at sivol@integrityfirstins.biz

What Makes a Good Password?

Did you know that, according to Pew Research, 39% of people use the same password for everything? Why is that bad? For example, Sony got hacked a few years ago, and what was really interesting was that the incidence of fraud didn’t just happen with Sony, but it went up at target.com and it went up at amazon.com. It went up kind of across the board, about 35 to 40%. And why is that? Because when one thing is hacked, the people that steal the data, actually take all of that information and try to use it online at as many places as they possibly can because they know that about a third of people use the same password for everything.

With that said, it’s really important to have a good password. And not only that, it’s important to have a different password for each account.

What constitutes a strong password? 

A strong password is typically at least 12 characters, and it consists of uppercase letters, lowercase letters, numbers and symbols. Now, we know that’s going to be a little bit difficult to remember. So typically, we recommend using songs or other things that are familiar to you to remember your passwords. For instance, say you are a Frank Sinatra fan. One of your passwords might use the phrase “fly me to the moon”, then add a symbol and some numbers.

So, make sure that your passwords that you have to remember are something that’s easy for you to remember. 

Using a password manager

The average American has over 120 passwords. Now, you can’t be expected to remember 120 passwords with 12 characters, uppercase letters, lowercase letters, numbers and symbols. One thing that we do recommend is a password manager. With a password manager, you only have to remember one password to get into the password manager, and then you can actually store all of your passwords within the password manager itself. 

What’s really nice about a password manager is it will help you create passwords that are secure as well. When you create a new password, you actually would just click on new, and then it will fill in the password for you if you want it to.
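The strength rule above, the advice to use a different password for every account, and the way a password manager fills in a new password can all be shown in a few lines. This is an added example, not code from any of the password managers named in this article; the function names and the sample vault are assumptions constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12  # the article's minimum length for a strong password


def weaknesses(password):
    """Return which parts of the article's strength rule a password misses."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbol")
    return problems


def audit(vault):
    """Map each account to its problems, including reuse on other accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    report = {}
    for account, password in vault.items():
        issues = weaknesses(password)
        shared = sorted(a for a in accounts_by_password[password] if a != account)
        if shared:
            issues.append("reused_with:" + ",".join(shared))
        if issues:
            report[account] = issues
    return report


def generate_password(length=16):
    """Generate a random password that satisfies the strength rule."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        # secrets draws from the operating system's secure random source.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


# Constructed sample vault: two accounts share one weak password.
SAMPLE_VAULT = {
    "email": "Summer2022",
    "shopping": "Summer2022",
    "bank": "t7#Qm!vL92xp&Rd4",
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_VAULT).items():
        print(account, issues)
    print("suggested replacement:", generate_password())
```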

Good password manager examples

We’ve only put password manager examples on this list that have not been compromised in the commercial market. There are some other password managers on the market that have been compromised, so they didn’t make this list. Some examples are Dashlane, 1Password, Bitwarden, Keeper and KeePass. INF and Integrity First Technology Solutions both use KeePass.

You can see in the photo above, in a password manager you have your list of passwords, then you’ll have your username and your password. So let’s say you want to login to your bank. You will go to your bank’s website, you double click on your username, and then you click paste. And it would go right into the browser and then you would double click on the password, click paste, and then it would sign you in. 

So you just have to remember that one password to open your password manager, and then you have access to all of your usernames and passwords.

Two Factor Authentication

Another thing that goes along with passwords is two factor authentication, or you might have seen it as 2FA. Two factor authentication is an extra layer of security that actually would have helped all those people that had the same password for everything. So not only do you have to enter your username and password, but then there’s an extra step. This is most likely something that you have seen before. You’ll put in your username and password and then they’ll ask if you want to receive a phone call, a text message or an email with your one time verification code. 

Once you choose your verification method, they will send you your verification code just like it’s shown in the picture above. You would put the verification code in and then you can sign in to your account. 

We definitely recommend turning this on when you’re given the opportunity to do so, because it really is a very strong extra layer of protection, and it protects your accounts from hacks. If a company were to get hacked, they would get your username and password but they wouldn’t get access to your two factor authentication, they wouldn’t get access to your phone, or your email, so this would definitely help protect your account from any hack that happened.

The weakest link in the security chain

“Companies spend millions of dollars on firewalls, encryption and secure access devices and it’s money wasted. None of these measures address the weakest link in the security chain.” – Kevin Mitnick. What do you think is the weakest link in the security chain? If you said humans, you are correct!

Why Is Encryption Important?

There are ranges of encryption, but having encryption present is extremely important.

For instance, there was a person from an insurance company who went to a football game in Detroit, and when he went to the restroom, he set his phone down. He didn’t have it locked, and he didn’t have any encryption on it. When he left the restroom, he forgot his phone, and the company ended up having a large data breach because whoever had the phone was able to access all his emails and any files that he had access to.

So device encryption is so important. Something as innocuous as “Oh, I left my phone in the restroom” could cause something huge. So how do you go about implementing that type of encryption?

Encrypting Apple Devices

If you have a Mac, encryption comes built in. All you have to do, if you don’t already have it turned on, is turn on FileVault. Go to your security and privacy settings, go to FileVault, and click “turn on FileVault”. When you turn on FileVault, you’ll be able to see your computer encrypting your data – it’ll just be a little progress bar.

Every time you then turn on your computer, you’ll have to put in your password twice, once for unlocking the computer and then once for unlocking the encryption. You’ll actually be able to again, see a little progress bar and it’ll say decrypting data. So you’ll see that it sits at rest in an encrypted state. If somebody were to steal your Mac, your data would be encrypted. 

Now with your iPhone, as long as you have iOS version 8.0 and up, and about 95% of devices do have iOS 8.0 and up, the iPhone encrypts as soon as you add a passcode or password. There are two ways to check that your passcode or password is turned on. Number one, whenever you open your phone, you have to put in a password. Number two, if you go to your settings, click on Face ID & Passcode and scroll all the way down to the bottom, you’ll see a sentence that says data protection is enabled. As long as data protection is enabled, your iPhone is sitting encrypted.

Encrypting Microsoft Devices

Now, let’s say you have a Microsoft device. If you have a Microsoft device with Windows Pro on it, BitLocker is the encryption software that they use. If you have a Windows machine that is the Pro version, all you have to do is go to the Control Panel, look up BitLocker, and turn it on. Again, a progress bar will show, and the device will then have its data sitting encrypted.

Now, if you have Windows Home and not Windows Pro, you are able to upgrade. The upgrade costs anywhere between $100 and $120, depending upon the sales that they have going on at the time. Once you go from Home to Pro, BitLocker will become available, and you can turn it on and encrypt your Microsoft device.

Encrypting Android Devices

Finally, if you have an Android device running Android 4.4 or lower, what you’ll need to do under Security is add a PIN and then enable encryption. If you have an Android device running OS 5.0 or greater, most devices are encrypted by default with a password. All you have to do is check your security menu to see that option: go to your security menu, scroll down, and it will say encryption is on. As long as you see “encryption on”, your Android device is protected.

Bonus Tip – Set Phone Notifications So They Don’t Appear On Your Lock Screen

Now, as kind of a bonus tip, one way you can inadvertently show data is if your phone is locked and your phone notifications still show. It’s possible that you could have your phone out on a table or with another client, and a notification could show on your lock screen.

It might say you have an email from someone, it might show you the first line, or, depending on your settings, it can show you all the text from an actual text message. Depending upon your situation, you don’t typically want other people to be able to see your notifications. So we recommend turning those off. That way your notifications won’t be visible unless a password is entered.

Learn how to do this on an Apple device

Learn how to do this on an Android device

Once you set this up, if your phone is off or in lock mode, you will not get any type of notifications that show anything without your password being entered. 

Have any questions about the topic discussed in this article? Contact us today at 412-563-2106.

Top 5 Things To Look At When Purchasing A Legal Malpractice Policy

When it comes time to purchase or renew a legal malpractice policy, most people focus on price, which is not a bad thing. If it’s not the top priority, it is certainly in the top five. There are, however, other items that should be included on that list. Today, I want to give you my top items on my list in no order of importance. 

1. Prior acts coverage. Why is that important? Most claims filed against lawyers stem from professional services they provided five or more years ago. You don’t want a policy that excludes that type of claim.

2. Definition of professional services. Many lawyers wear many hats when providing professional services, acting as an arbitrator, mediator, trustee, Guardian, and title agent, just to name a few. Make sure that these services are not excluded in the policy that you purchase. 

3. Speaking of exclusions, number three is exclusions. I’ve long said that if you’re going to read only one section of the policy, read the exclusion section. At least this gives you some idea of what is not going to be covered under the policy. I have seen policies that have less than 10 exclusions. I’ve seen policies that have more than 25 exclusions. I’m not saying that the policy with 25 exclusions is any worse than the one that has 10 exclusions, but you need to read them and make sure if any of them apply to you. 

4. Extended reporting periods or extended reporting coverages. It’s commonly referred to as tail coverage. In the event that you quit practicing law, or you retire from the private practice of law, this provision will allow you to purchase an endorsement that allows you to report future claims that are filed against you for services that you performed in the past that would have been covered under your last policy. 

5. We’re going to come full circle and back to price. Price is important. Nobody wants to overpay for a policy. But please remember your objective when you first started the process. Your objective should have been to find a policy that provides the coverage you need and protects both you and your client all at a reasonable cost. 

There you have it, my top five list for now.

Use These Tips When Filling Out Your Renewal Application

Every year, most insured lawyers are asked by their carrier to complete a renewal application. Now, I can hear the collective moans coming from the offices before we even send out the renewal application. I’ll be the first to admit that the applications can be long and contain confusing questions. But keep in mind, this is the only time the carrier can get a complete picture of your firm, you need to take advantage of this. 

You need to let the carrier know what your practice is, how your practice is doing, and what you are doing to reduce risk in your office. You do this by answering all of the questions on the application completely. Unanswered questions or incomplete details only cause more questions and increase the back and forth between client and carrier. Take the time to read each question. Don’t assume you know what the carrier is asking for. 

There is one question on the application that I think causes concern, or at least causes me concern, and that is the area of practice grid. That’s the chart on the application where you are asked to put a percentage in the areas where your firm is practicing. Now, some carriers will ask for that percentage to be listed as a percentage of your time spent. Other carriers will ask for that percentage to be listed as a percentage of the revenue of the firm. Answering that question one way or the other will create a substantially different picture of your firm and definitely have an effect on the premium that you pay.

So please, again, make sure that you’re reading each question and answering those questions completely. You’ll be glad that you did.

Early Reporting of Claims and Potential Claims

Many of our risk management video tips center on the need for early reporting of claims and potential claims, a very important risk management tip. In this same vein, I want to talk about the angry client.

Many insureds have had this situation where a client unexpectedly shows up at the office, or calls you on the phone to express their displeasure about something you did or something that has happened. 

Perhaps their case is taking too long. They haven’t heard from you in a few weeks, their phone call wasn’t returned, or they’re just not feeling the love from your office. Don’t just shrug this off as that’s just Joe being Joe, or they just want to blow off steam, or you convince yourself that nothing you did was wrong or incorrect and it’ll blow over. 

Unfortunately, many insureds take this approach and find themselves embroiled in a legal malpractice suit down the road. As with any claim or potential claim, report the issue, let the carrier know about it and let them decide if it meets the definition of a claim or potential claim. And if you don’t report it, at least call the malpractice hotline that may be available to you from your carrier. Most insurance carriers do provide a hotline for this type of situation and you would be well advised to use it. It is part of the benefits program of being an insured.

Don’t be the cautionary tale of an unhappy client.

Legal Malpractice Avoidance Tips – Don’t Go Into Business With Your Client

Conflicts of interest have always been a concern to underwriters of legal malpractice insurance. Conflicts come in different shapes and sizes and can oftentimes be difficult to identify. Most attorneys won’t represent both parties in an auto accident or the husband and wife in a divorce matter, but sometimes are quick to jump into a business venture with a client. I don’t know why, but it seems to me that recently, attorneys are more willing to overlook or downplay the serious nature of getting into business with a client. 

Whether you want to invest in the client’s business or take an active role in operating the clients business, both are fraught with legal malpractice dangers. Usually, in the end, it’s just not worth the risk or the friendship to be in business with a client. Now, I can’t tell you not to go into business with a client, but I can tell you that if you do decide to do it, make sure you are well aware of the dangers of doing so and review and dissect all of the pros and cons. 

Review the insurance policy; how does this affect the insurance coverage? Talk to your insurance broker and other professionals such as your accountant and business consultant and call the legal malpractice hotline of your insurance company. You can discuss the situation with a legal malpractice attorney. This benefit is usually included in the policy for insureds of most insurance companies. Find out all the insurance information good and bad before jumping into business with a client.

Legal Malpractice Avoidance Tips – Be Sure To Advise Your Client Correctly On Social Media

In litigation settings, a lot of issues occur where a client comes into the lawyer’s office and says, “oh, well, I hurt my leg and I think we have a lawsuit against whoever for my injury.” But then you go on their social media and see they have a bunch of different pictures of themselves doing various things that might compromise the claim. Number one, you have to adequately scrutinize that to determine if the client really has a potential manner of telling you the truth. 

A lot of questions come up with “what do I tell my client?” “Can I advise my client to change their privacy settings?” Yes, you can advise your client to change the privacy settings for the use of social media and there you’ll see the PBA ethics opinion 2014-300. Now, it’s a little bit dated at this point, but it does give you a general overview about advising clients on the use of social media.

Meet Scott Eberle

Scott Eberle is on several insurance carriers defense panels. He’s been doing this type of work for many years. In my opinion, he’s one of the best presenters of legal malpractice and how to prevent it. So I think you’re in for a treat in terms of taking back some good information that you can implement in your firms.

Scott Eberle Attorney

“My name is Scott Eberle, I am an attorney at Burns White in Pittsburgh where my practice focuses on representation of professionals, lawsuits and ethics matters. I’m focused on representation of lawyers in legal malpractice lawsuits, as well as ethics issues either in front of the Office of Disciplinary Counsel, or just general ethics consultation. I help attorneys navigate the issues that come up in their practice and I’m able to provide guidance on what you need to do to follow the rules of professional conduct to not get yourself in potential trouble with the disciplinary counsel.”

Legal Malpractice Avoidance Tips – You Must Stay Current With Technology

Staying current with technology is included in Comment 8 to Rule 1.1, the competence rule. Everyone, I think, is familiar with the 1.1 competence rule of professional conduct, which says a lawyer shall provide competent representation to the client. The comment to Rule 1.1 says that, to maintain the relevant knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.

A lot of the issues that come up today that I see are either lawyers’ use of technology as far as utilizing Facebook, Twitter and things like that in their own practice, as well as advising a client as to their use of technology. And there is a pretty good ethics PBA opinion that describes the lawyer’s role with regard to technology and the lawyer’s role in the use of technology on behalf of the lawyer and also representing the client and advising the client on the use of technology.

Legal Malpractice Avoidance Tips – Write Down All Of Your Work

If you don’t have any writing about what work you did, it’s pretty difficult to justify the work that you did perform.

I suggest this to everybody. Even if you’re not billing hourly it’s easier to write down what you did because if you get in that situation later, it’s a lot easier to say this is the work I did and I earned that fee; I know that because I wrote it down.

And you don’t need to, but if you write down and send the work that you are doing to your client periodically, it’s even better.
