The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1130923
www.canadianlawyermag.com, June/July 2019, page 21

of individuals who can have access to financial accounts.

"They spend an average of 18 to 36 days on the environment, so they can read the emails, they see who you're talking to, so they understand who you're going to pay," he says. Once they identify the right opportunity, they look for the right time, and then the carefully written email is dispatched, as if to continue the conversation thread. "This is a very effective way of stealing money. It's easier than robbing a bank and you don't get shot."

The email may come from a domain name that can be easily mistaken for the legitimate sender — but careful examination will reveal a slight change: the letter "l" in the original email or domain name might become the number "1" in the hacker's spoofed account.

The Dentons situation highlights the vulnerability of emails and points to the importance of both technical and administrative controls in keeping money and information safe. Part of the deception may lie in social engineering, which is psychological manipulation.

Tobok says his company handles about 50 such situations every month. Hackers can now try millions of passwords in a short period of time, meaning they have greater ability to access email accounts. He says two-factor authentication — in which a combination of two different factors is required to get access, such as a bank card or a cellphone text and a password — has become essential as a basic prevention tool.

"Most people think of hackers as the grab-and-smash characters of the hood. They still have a hood, [but] it's no longer about grab and smash," he says. "That's really where the methodology, the strategy on the side of the threat actors, really changed. That's the reason why just firewalls don't work anymore, because firewalls were created for brute-force attacks.

"Social engineering, phishing — that's really where the criminals are playing today because they realize they cannot fool machines, but they can fool people."

The challenge, says David Fraser, a Halifax internet and privacy lawyer with McInnes Cooper, is that employees and lawyers travel with mobile devices and working remotely is further accommodated through the now common commercial use of cloud computing. The process further allows for relatively easy remote access for employees using a web browser.

"You might not be able to log in to somebody's accounting system, you might not be able to log in to their document management system, but there's always an interface that you can probably find for their email system. Those are kind of invisible doors on the internet to get into a company," says Fraser.

Disabling access from out of the country can help on the prevention front, particularly from perpetrators looking for easy opportunities. "The effort that goes into that shows you how lucrative these are," he adds. Sometimes, "social sleuthing" by figuring out who to target requires no breaches at all. He points to one example in which a perpetrator impersonated someone else to communicate with the comptroller of a law firm to move money.

Ian Hu, counsel for claims prevention and practicePRO at Ontario legal insurer LawPro, says the average cost of fraud is double that of any other claim and typically ranges from $200,000 to $400,000. And many of those frauds are perpetrated through a few different approaches, all turning on the penetration of email with ever increasing sophistication. Once access to email conversations is achieved, the hacker patiently watches until they see the opportune moment to pounce.

"They will wait and wait. . . . When the issue resolves and there's money to be put into the account . . . the hacker, posing as the client, will send an email to the lawyer saying thanks for doing a great job, can you send the funds to this account . . . which is not the client's account, it's the hacker's account."

Another scenario LawPro sees is the email that appears to be coming from a colleague, often at around the lunch hour or just before a long weekend, simply asking if you happen to be around. The fictitious colleague will then explain that they're not in the office but they need to transfer money quickly and then request help. A legitimate email from a colleague can also serve as a cloak through which a virus is passed, meaning that links and attachments from otherwise trustworthy accounts must also be scrutinized.

And the old bad cheque scam continues, although with a bit of a digital twist. A potential client arrives via email, instead of in person, hands over trust money through a bad cheque and then suddenly needs to get the money back

Cybercriminals target law firms

Law firms have been targeted for money and information. A 2018 American Bar Association survey reports that 23 per cent of firms have been hacked at one time or another. Here are some of the more dramatic breaches:

• Panama Papers is considered one of the largest-ever leaks of financial records from accounts based in offshore locales, from the global law firm of Mossack Fonseca, which subsequently closed.
• Dark Overlord, claiming to have thousands of documents obtained from law firms involved in 9/11 claims, threatened to make them public if money wasn't paid.
• Oleras, based in the Ukraine, threatened in 2016 to target nearly 50 law firms involving documents revealing information about pending corporate deals.
• DLA Piper was targeted by a ransomware attack that took down phones and computers at the firm's offices in multiple countries.

"Social engineering, phishing, that's really where the criminals are playing today, because they realize they cannot fool machines, but they can fool people."
Daniel Tobok, Cytelligence Inc.
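The article's point about a sender domain in which the letter "l" has become the digit "1" can be turned into a mailbox check. The following is an added example, not code from the article or from any firm named in it: it folds confusable characters so that a spoofed domain collapses onto the genuine one, and flags any From: address that is not an exact allowlisted domain. The domains and addresses are constructed placeholders.

```python
import re
import unicodedata

# Constructed allowlist: domains the firm genuinely corresponds with (hypothetical names).
TRUSTED_DOMAINS = {"example-law.com", "clientcorp.ca"}

# Glyphs an attacker swaps for one another in a spoofed domain. The article's own
# example is the letter "l" becoming the digit "1"; a few other common swaps are added.
SINGLE_FOLDS = {"1": "l", "|": "l", "i": "l", "0": "o", "5": "s"}
MULTI_FOLDS = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Fold a domain to a comparison key on which confusable spellings coincide."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    d = re.sub(r"[-.]", "", d)  # dots and hyphens are not distinctive ("client-corp" vs "clientcorp")
    d = "".join(SINGLE_FOLDS.get(ch, ch) for ch in d)
    for pair, single in MULTI_FOLDS.items():
        d = d.replace(pair, single)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of 'Name <user@host>' or 'user@host' (empty if none)."""
    m = re.search(r"@([^>\s]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str) -> str:
    """'trusted' = exact allowlisted domain, 'lookalike' = folds onto one, else 'unknown'."""
    dom = sender_domain(address)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if dom and any(skeleton(dom) == skeleton(t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def review_mailbox(from_headers):
    """Return only the senders a person should look at twice, with the verdict."""
    return [(h, v) for h in from_headers if (v := classify_sender(h)) != "trusted"]


# Constructed sample From: headers; none are real addresses.
SAMPLE_FROM = [
    "Jane Partner <jane@example-law.com>",
    "Jane Partner <jane@examp1e-law.com>",
    "Accounts <payables@c1ientcorp.ca>",
    "Unknown <someone@other-domain.example>",
]

if __name__ == "__main__":
    for hdr, verdict in review_mailbox(SAMPLE_FROM):
        print(f"{verdict:9s} {hdr}")
```

A "lookalike" verdict is the case the article describes: the address reads correctly at a glance but is not the domain the firm actually deals with, so the payment instruction it carries should be confirmed out of band.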