How Our Client Got Scammed (& How We Played a Part in It)
|
January 17, 2019
Perhaps I should have thought long and hard before posting this, as Mockingbird unwittingly played a part in one of our clients dealing with a huge online headache. But…I’d rather share our experiences so that others might avoid them, than cover things up to make us always look great.
Here’s the story:
One of our clients had their email account hacked. Hackers set up forwarding rules on that email account so that anything coming from us bypassed the client and were forwarded to them. They then replied to an existing current email thread with us, asking for a password to the website backend to make some basic content changes. The client had unfortunately used that same password for a variety of different accounts. Chaos ensued….
How to Guard Against This….
- Use a sophisticated password management system. (We use LastPass).
- I’d strongly recommend that law firms connect with your agencies and put in place a strict policy of ONLY sharing passwords over the phone.
There have been an increasing number of scams impacting small businesses – especially the legal community, if the chatter on solosez is any accurate indication. Protect yourself.
I’d also add two-factor authentication to your most valuable accounts, which definitely includes email accounts (because once hackers have access to that, they can usually reset most other accounts’ passwords with the “forgot password” method). Either use a Google Authenticator-like app that generates a new 6-digit code every 30 seconds, or even better yet, use a YubiKey token.
Another good safeguard is to share passwords only within LastPass itself. Or add a second layer to the sharing (phone call, SMS, etc.).