August 4, 2021

Volume XI, Number 216


Rise in Cyberattacks on Professional Services Firms

We have seen an alarming uptick in cyber-criminal activity targeted at professional services firms, particularly accounting firms. As described in more detail below, the criminal activity follows a very specific pattern. We take this opportunity to remind all professionals of the need to be wary and skeptical of the communications they receive electronically. Consider starting the New Year with training and education for yourself as well as your partners, staff and employees on cyber risk and how to best avoid an attack and mitigate any damages if an attack occurs. In the past three months, we have noticed a pattern of activity targeted at small to midsize professional services firms. Attackers attempt to gain access to computer systems containing sensitive financial information, which may result in a legal duty on the part of the professional to notify their clients that their confidential information was or may have been exposed.

So what does an attack look like?

In one scenario, a professional services firm’s partner or employee receives an email offering a free download of a program such as Microsoft Office 365, Windows 10 or some other desirable program. The email appears to be legitimate, and when the user clicks on it, a pop-up message provides a number for the user to call. The number connects the user with what seems to be a legitimate company. The cyber-criminal responding to the call then asks for access to the user’s computer, citing a need to check for viruses or to see if the computer is compatible with the download, or some other legitimate-sounding reason. Once the user provides access, the cyber-criminal tells the user that the computer is infected and tries to sell anti-virus or anti-malware software for about $350.

Even if the sale is rejected by the user, once access is granted, the cyber-criminal has full access to the files on the computer. Even if the hacker does not access or download sensitive information, the mere fact that the server was hacked could trigger client notification obligations under state laws, since it is not always possible to conclusively prove whether the cyber-criminal did indeed access or download the information.

While this activity seems to be targeting accounting firms, it is likely that any organization that handles sensitive client information will be targeted.

So how do you protect yourself?

Education, training and diligence. Partners and employees alike need to be educated about cybersecurity risks and trained to identify them. Everyone with a password into the system needs to think twice about the communications they receive, the sites they visit and the access they are willing to give third parties (i.e., strangers) to their computers. If you receive an email that offers a branded product for free, contact the named company before downloading or clicking on any links or attachments in the email. Use a telephone number from the official website (rather than from the email) to see if this is a legitimate offer. If it sounds too good to be true, it most likely is.

© 2021 Wilson Elser

National Law Review, Volume VI, Number 20

About this Author

Gregory Bautista, Wilson Elser, Civil Litigation Lawyer, Data Privacy matters Attorney
Partner

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.

914.872.7839