Earlier this year a Nova Scotia sole practitioner received, in her email inbox, a note attaching confidential client information, threatening her and demanding a $50,000 ransom. Though there was a favourable outcome in the end, getting there took time. That process sheds light on how this preventable cyber attack occurred.
It started with the lawyer’s email system. A professional marketing company was hired to set it up. But it turns out they were not experts in cyber security, and the lawyer did not make inquiries as to what safeguards should be in place. Trust was placed in the reputable contractor. We now know that what the lawyer received, unbeknownst to her at the time, lacked enhanced security licences.
The hacker accessed the email system through Microsoft Exchange and created folders for itself. The folder in the lawyer’s mailbox was called “Archive” so that it looked legitimate. In addition, the hacker put rules into place such that if a message included the word “payment” in the subject or body, the message would automatically be marked as read and moved to that Archive folder. The result was, unbeknownst to the lawyer, that all incoming emails with the word “payment” were diverted from the inbox and placed into the hacker’s folder. Another rule diverted email from a specific lawyer from whom the firm was awaiting a significant settlement, meaning that the hacker was reading those specific emails in the Archive folder.
In addition, the hacker sent messages from the lawyer’s account. One instructed her assistant to advise all clients that the lawyer was no longer accepting cheques as payment and that all future payments were to be made by wire transfer to an account. However, even this did not lead to discovery: although the assistant thought it odd and replied to the email for clarification, the confirming response came from the hacker. Fortunately (there is always a lucky event), the assistant also mentioned it to the lawyer in person. Finally, the hack was discovered.
Actually, it was not. They searched for the cheque email, but the hacker had deleted it from the sent folder. There was no record in the outbox or trash. Thus, they just thought it was a scam and moved on. The hacker had immediately deleted the sent messages and, because of the rules, the assistant’s reply went to the Archive folder and was also promptly deleted.
But at this point, the lawyer did take correct action. Though confident that this was a scam, out of an abundance of caution, all staff changed their passwords on the email and client management programs. This knocked the hacker out. Three days later the blackmail email arrived, with two draft client wills attached and a first-name reference to the assistant.
Immediately on receiving the blackmail note, the lawyer contacted the police cyber crime unit to file a report. Then she contacted us and we provided information on our cyber coverage and where to send notice of the claim.
Concurrently, and independently of our coverage, the lawyer also contacted a local cyber security expert who was able to determine how the hack occurred and strengthen her security protocols going forward. He generated a report on what information was available to the hacker and how long they had access, and provided the report to the insurer. In addition, he put a “dark web” notification into place in the event any information obtained from the hack is offered for sale. The lawyer has since arranged CPD programs on cyber security and enrolled the firm in a cyber security program that tests their cyber security on a random basis.
This lawyer was lucky. What if the assistant had not questioned the email in person? What if they did not change their passwords? What if the hacker was able to spend more time in their system?
Just because your software is from, or is set up by, a reputable source does not mean it is foolproof. Enhanced security is needed.
To avoid something like this happening to you, some tips from the lawyer herself:
- Hire a cyber security consultant to review your systems;
- Be aware of your email folders, check them regularly and delete any you do not need or use;
- Purchase enhanced security measures and accept minor inconvenience for necessary security;
- Learn your programs and know how to check for rules and generate security reports (and review them regularly);
- TALK to your staff and encourage them to talk to you (i.e., not through email) about any cyber concerns;
- Occasionally check resources on cyber security including those available on LIANS’ website;
- Use dual authentication in all your programs;
- Have a separate “admin” licence/profile to do the admin procedures in your system rather than give admin authority to a user with an active email; and
- Do not send unsecured documents as email attachments; use a program with a password or utilize a client portal in your client management program.
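The rules described in the account above (mark as read, move to an innocuous folder, keyed to a keyword or a specific sender) are exactly what the tip about knowing how to check for rules is aimed at. The following is an added example, not code from LIANS or from the consultant in the story; it assumes Exchange Online with the ExchangeOnlineManagement module installed and an account permitted to read every mailbox’s inbox rules, and the keyword list is a constructed starting point to extend for your own practice.

```powershell
# Added example: audit every mailbox's inbox rules for the patterns in the
# story - mark-as-read plus move/delete, keyword triggers, sender-specific
# diversion, and forwarding. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# Constructed watch list: words a fraudster would want to intercept.
$watchWords = @('payment', 'invoice', 'wire', 'settlement', 'trust')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # Hide-and-hoard: mark as read, then move out of the inbox or delete.
        if ($rule.MarkAsRead -and ($rule.MoveToFolder -or $rule.DeleteMessage)) {
            $reasons += 'marks read and moves/deletes'
        }

        # Keyword triggers on subject and/or body (case-insensitive match).
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                 @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
        $hits  = $words | Where-Object { $w = $_; $watchWords | Where-Object { $w -match $_ } }
        if ($hits) { $reasons += "keyword trigger: $($hits -join ', ')" }

        # Rule keyed to a specific sender and moved out of the inbox.
        if ($rule.From -and $rule.MoveToFolder) {
            $reasons += "diverts mail from $($rule.From -join ', ')"
        }

        # Any forwarding or redirection deserves a look.
        if ($rule.ForwardTo -or $rule.RedirectTo -or $rule.ForwardAsAttachmentTo) {
            $reasons += 'forwards/redirects mail'
        }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Folder  = $rule.MoveToFolder
                Reasons = $reasons -join '; '
            }
        }
    }
}

$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

An intruder can also hide rules from this cmdlet, so pair it with a review of New-InboxRule and Set-InboxRule events in the unified audit log (Search-UnifiedAuditLog) and with the security reports your licence provides.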