Originally published on Law Technology Today on November 14, 2016.
On Friday evening, September 23rd, Jack’s email access was about to change. His Yahoo email account, the one he had had since law school, received a password reset request. Since that account is not checked frequently, Jack didn’t notice. But the Yahoo account was the backup (recovery) address for his law firm email, and although he didn’t know it yet, his law firm email had just been hacked.
Jack’s paralegal received an email from him indicating that a wire needed to go out to a client. In his criminal law practice this is not an everyday occurrence, but it is certainly not unusual. His paralegal replied to the email letting him know that the bank puts much more scrutiny on wire transfers than it used to and that they would have to jump through some hoops for the wire to go through.
This email exchange was not between the paralegal and the attorney, but between the paralegal and the email hacker. The hacker, using the same short email style and email signature that Jack would normally use with his paralegal, did not raise any suspicions. The hacker continued the correspondence and told her to proceed with the wire and to get whatever authorization was needed, both from the bank and from his partner, since he would not be in the office. She responded that she would start working on it.
Then, Jack walked through the office door.
His paralegal told him as he walked in the door that she was working on the wire and he replied, “What are you talking about?” She replied that she was working on the wire that they had been talking about over email. He replied again asking, “What email? What wire?”
She showed him the emails that she had received from his email account. He had not sent the emails, and there was no record of them in the Sent Items folder on his iPhone. They immediately called me, knowing something was wrong.
I asked him to log into his email account and immediately change his password. He tried, but he said he couldn’t remember his password. I tried to log into his Google Apps for Work account with the last password that I knew. The “Forgot Password” page said it had been changed 11 days earlier. Jack said that he didn’t change his password 11 days ago; he wasn’t even in the office that day. It also hadn’t prompted him to change it on any of his mobile devices or in Outlook.
Luckily, we were able to recover his email account using the last password he knew plus a text authentication code sent to his phone. We then changed his email password and took a look at what had happened.
We discovered that filters had been put in place that would delete any email traffic between his paralegal and his account. In addition, any email containing the word “transfer” was automatically marked as read and deleted. This is how the hacker kept Jack from seeing the paralegal’s replies, or any legitimate mention of a transfer, while the fraudulent exchange was going on. The filters in his Google Apps account looked like this:
We changed all the passwords for everyone involved, removed the filters and confirmed that no other unauthorized access had come through his account. In checking his account, we could see where someone else had accessed it:
They were all locations in the U.S., but Jack hadn’t been to any of them. Was this a U.S.-based hack? Probably not; more likely the attacker was routing their access through infected machines in those locations so that the logins looked domestic.
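Reviewing filters by hand works for one mailbox, but it is easy to miss a rule when you are under pressure. The script below is an added example, not part of the original article, that automates the filter review described above. It parses a Gmail filter export (the Atom feed with `apps:property` elements that Google produces from Settings > Filters and Blocked Addresses > Export) and flags any rule that deletes, silently hides or forwards mail, and notes when such a rule also matches money-movement keywords like “transfer” or “wire”. It goes slightly beyond the case in the story by also flagging forwarding rules, which the same kind of attacker uses to copy mail out of the account. The XML below is constructed to mirror the filters found in Jack’s account; the addresses and keyword list are assumptions, not data from the page.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Property names a filter uses to decide what it matches.
CONDITION_KEYS = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}
# Keywords common in payment/BEC fraud (assumed list; extend for your practice).
MONEY_TERMS = ("wire", "transfer", "invoice", "payment", "bank", "routing")

# Constructed sample export: mirrors the two rules found in the story
# (delete paralegal traffic; mark "transfer" mail read and delete it),
# plus a benign newsletter rule and a forwarding rule for illustration.
SAMPLE_FILTER_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='paralegal@example.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='transfer'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@example.net'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='wire OR invoice'/>
    <apps:property name='forwardTo' value='attacker-mailbox@example.org'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_filter(props):
    """Return (conditions, reasons); an empty reasons list means the rule looks benign."""
    conditions = {k: v for k, v in props.items() if k in CONDITION_KEYS}
    reasons = []
    if props.get("forwardTo"):
        reasons.append(f"forwards mail to {props['forwardTo']}")
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail")
    elif props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
        # Archive + mark-as-read never shows the message as new in the inbox.
        reasons.append("silently hides matching mail from the inbox")
    if reasons:
        text = " ".join(conditions.values()).lower()
        if any(term in text for term in MONEY_TERMS):
            reasons.append("matches money-movement keywords")
    return conditions, reasons


def audit_filters(xml_text):
    """Return [(conditions, reasons)] for every filter worth a human look."""
    findings = []
    for props in parse_filters(xml_text):
        conditions, reasons = audit_filter(props)
        if reasons:
            findings.append((conditions, reasons))
    return findings


if __name__ == "__main__":
    for conditions, reasons in audit_filters(SAMPLE_FILTER_EXPORT):
        print(f"SUSPICIOUS {conditions}: {'; '.join(reasons)}")
```

Run it against a real export by reading the file into `audit_filters`. Anything it prints should be explained by the mailbox owner; a delete or forward rule that nobody remembers creating is the same signal we found in Jack’s account and should be removed after the password and recovery address are changed.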
In this case, this attorney was lucky. We were able to catch this hack early, before any wired funds had been transferred.
Is this the end of it? I don’t know. Jack still has a Yahoo email account. Was that compromised? It could have been. There have certainly been many reports of Yahoo accounts being offered for sale on the Dark Web.
What can you do to protect yourself from a hack similar to this? Consider the following:
- Confirm that your computer and browser are up to date with security updates and virus protection. This is your first line of defense. It may not protect you from every hack or piece of malware, but it is a good start.
- Check to see if your email has been compromised. In Google Apps, review the account’s recent activity and authorized devices to confirm that all of the access is yours. In Office 365, follow Microsoft’s published steps for a compromised account if you think you have been compromised. In either system, also review the mailbox’s filters and forwarding rules, since that is where this attacker hid.
- Use a password manager like LastPass or KeePassX to help create, remember and update secure passwords.
- Enable two-step authentication. This adds a second step to signing in: in addition to the password, the account requires a code sent to, or generated on, a phone you control, so a stolen or reset password alone is not enough to get in. Two-step authentication would have sent a text to Jack’s phone with an additional code before the hacker could use the reset password. We had talked about implementing two-step authentication but had not set it up yet. Most online systems, including QuickBooks, Dropbox and most practice management systems, offer two-step authentication. If it is available to you, be sure that it is turned on. Text-message codes are far better than nothing, but they can be intercepted or redirected (for example, by a SIM swap), so prefer an authenticator app or a hardware security key where the service supports one.
In Jack’s case, we have changed all of the passwords for all accounts, scanned computers for malware, changed the backup email account and implemented the two-step authentication that we had been discussing.
We are still watching Jack’s email for suspicious activity. So far, nothing has come up, but we certainly don’t want it to happen again. The scary part is: was someone monitoring his email for 11 days? Possibly. Many hackers will infect machines and networks and wait days, weeks or months before they do something. Is your machine or network compromised? Check your accounts today and implement practices to protect yourself and your firm.
It really can happen to you.