Compromised Emails and the Law

Try as we might to avoid it, let’s face it—we’re all going to need a lawyer at some point. When the time comes, there are a few basic principles that need to be respected. Attorney/client confidentiality is definitely one of them. But in this day and age, it’s not atypical for businesses and individuals to opt for digital correspondence rather than set up yet another (costly) consultation. But is that as secure?

Despite the obvious practicality of email, most people are unaware of how serious a compromised email account can be. In the tech world, it’s no secret that ransomware and Business Email Compromise (BEC) threats are on the rise.

Law firms have begun to hire teams of security engineers in an effort to secure their systems, ensuring that both their clients and the firm are protected against outside cyber threats. Unfortunately, it takes two to tango, and all too often organizations may not be making email security a top priority. A recent survey of 600 IT managers across the globe showed that while the majority of respondents, some 65%, recognize email as a major threat, about the same number admit they don’t feel confident in combating it.

In the absence of strong email infrastructure, clients can expose their legal counsel to security breaches. But it doesn’t stop there. Once they’re in, cyber criminals can gain access to a law firm’s entire employee and client base. Not to mention that targeting legal counsel has potentially huge implications for corporate litigation.

With an increase in access to highly sensitive information comes an increase in nefarious activity.

Picture this: you receive an email from someone within your company—someone important—who requests a transfer of funds. You’re an accountant so monetary requests aren’t totally out of the ordinary. But it’s for a large amount, so you’re a little wary.

Here’s the catch: the email mentions some highly specific (and confidential) information.

So you make the transfer.

Big mistake.

Falling for an email scam may not be a new threat vector, but the added complexity of social engineering tactics increases the scope of the impact of successful attacks. The FBI’s Internet Crime Complaint Center began tracking BEC schemes of this nature in 2013. They estimate total losses exceed $960M in the US and over $3B worldwide.

Law firms that have foreseen the potential threat of cyber criminals—and appropriately shored up their security—have little recourse for requiring their clients to do the same. But it might be wise.