It’s Who You Know: Verifying Identity at Law Firms
Trusting identity is foundational to a law firm’s work. In a law office, the documents going back and forth contain sensitive information, and contracts, negotiations, or transactions can’t be shared with the wrong parties. The industry needs to be cautious about validating identities.
Legal service providers need to achieve compliance and protect clients and their assets. Techniques are changing as lawyers move from in-person conferences to digital document exchange. This article examines four digital-age areas in which lawyers need to validate identity.
#1 Phishing Scams
Phishing is always a risk, no matter the industry. Paralegals, associates, and lawyers risk inadvertently clicking on malware, especially as this field relies heavily on attached documents going back and forth.
A cybercriminal criminal might steal money copying a vendor’s invoices. Everything looks the same, but payment details put the dollars in the crook’s bank account. Or they will send an “urgent” message containing a link that goes to a Web page that looks credible. It might seem to be from a bank or the government, but one character in the URL is different. Those who don’t notice the difference will enter sensitive account details into a form that goes to the bad guy.
Verification tip: Firm-wide filters can check for malicious attachments before they reach people. Educate employees about always verifying the URL before clicking on a link. Hovering over the highlighted text will show the address where a click will take the user.
#2 Business Communication Email Scams
Business communication emails scams also often target law firms. In one example, Jared Kushner’s lawyer exchanged emails with someone imitating the ex-White House aide. Emails from kushner.jared@mail.com prompted the lawyer to share newsworthy information.
Verification tip: At the beginning of an engagement, verify the client’s private, secure email address. Always confirm that the sender’s email address is the same as you have on file before responding.
#3 Outgoing Email
Email automation can also lead to problems. The associate allows Outlook to auto-populate the recipient’s email address from the address book. Too busy typing a quick note, he doesn’t confirm that he’s sending it to the right person. But Smith, John is a divorce attorney and Smithson, John is a client at a dental firm. They should not be getting each other’s filings!
The law firm Wilmer, Cutler, Pickering, Hale, and Dorr sent files detailing a history of whistleblower claims at PepsiCo to the wrong person, a Wall Street Journal reporter. So much for client privilege.
Verification tip: Check and double-check your email address list. Set up your firm’s email program to disallow any auto-populating of email addresses.
#4 Multi-Factor Authentication
One other area where you want to verify identity is when staff access your systems and software. Relying on username and password credentials only isn’t strict enough. Humans make mistakes. They share information that makes their access credentials easy to guess. Your people may not pick complicated passwords or change their access credentials. Data breaches can put professional accounts at risk when people reuse passwords.
Verification tip: Adding multi-factor authentication makes it more difficult for the cybercriminal. Even two-factor authentication adds another important level of security. Having the access credentials alone isn’t enough. The hacker also needs to get their hands on the personal device where the authentication code is sent.
Need help establishing robust digital practices to confirm client and employee identities? A managed service provider can help. Our IT experts can review risks and suggest simple, affordable solutions. Improve your identity experience. Contact us today at 508-617-1310.