Gone phishin’: Hackers find new weak point in calendar invites

Since the COVID-19 pandemic began nearly two years ago, attorneys and other professionals have increasingly conducted business via digital means, including email and videoconferencing.

Unfortunately, this increase in digital activity means cybercriminals have begun pursuing new avenues of attack beyond the typical spam email caught by a majority of email filters.

These new cyber threats are of great concern to attorneys and law firms because they are often entrusted with a client’s private or classified information that could be valuable to a cybercriminal.

“Lawyers are rich targets for cyber criminals because many possess both the financial and health information of their clients,” said Virginia Beach attorney Kellam T. Parks, who specializes in cybersecurity. “Adding to the rich spoils, many solo and small-firm attorneys are behind the curve when it comes to cybersecurity.”

Calendar fraud attacks

While email attacks have been the preferred modus operandi of cybercriminals for decades, today’s hackers began casting wider nets as the general public became more suspicious of unsolicited or suspicious emails.

In recent years, calendar fraud attacks have become a preferred method for cybercriminals to wreak havoc on unsuspecting digital users.

A study conducted by cybersecurity and antivirus provider Kaspersky Lab, focusing mainly on Google Calendars, found that users are less likely to ignore calendar invitations and events, and more likely to open links on the fly that they assume to be sound.

“The hope is that you have a default setting where an appointment automatically shows up on your calendar,” Roanoke attorney Elizabeth Burgin Waller said. Waller, who chairs Woods Rogers’ Cybersecurity and Data Privacy Practice, added that the cybercriminal hopes an unsuspecting, busy lawyer clicks the malicious link in their calendar and falls prey to their scheme.

“These calendar invites then have links somewhere, often a videoconference that appears legitimate,” Parks said. “Once you click that link, all sorts of bad things can occur.”

Norfolk cybersecurity and data privacy attorney Jonathan Gallo said that, in the case of calendar fraud attacks, cybercriminals are taking advantage of attorneys who have increased the amount of work they do on their cell phones.

“One of the very important things for attorneys to think about when dealing with any type of scam is that attorneys now work a lot on our phones,” Gallo said. “You’re looking at a much smaller screen. Sometimes you can’t see the full message and, a lot of times when we’re working on our mobile devices, we have a tendency to just click on things to see what they say.”

In order for attorneys to protect themselves, Waller advises looking into the default appointment settings and reminding staff to not accept any random appointment.

Parks added that the calendar phishing attack is especially prevalent among Google Calendar users, as the site defaults to accepting those invites.

Ethical concerns

Beyond the obvious security concerns created by a cyberattack, allowing certain information to become compromised can result in a violation of a lawyer’s ethical duty.

“Not only should lawyers secure their offices, they have a duty to do so because lawyers have an ethical duty to safeguard client information,” Parks said, citing Rule 1.6(d) of the Virginia Rules of Professional Conduct. The rule requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information protected” under Rule 1.6. Such protected information includes information protected under attorney-client privilege.

Gallo said ethics concerns for Virginia attorneys extend beyond Rule 1.6, adding that Rule 1.1 (Duty of Competence) and Rule 1.15 (Duty to Safeguard Property) must also be considered in cases of a potential digital breach.

“Lawyers have a special obligation to make sure that they take reasonable steps to protect the client’s property and client information confidentiality,” Gallo said.

“If a threat actor got into your inbox — what would they find? Would they find Social Security numbers if you are a tax attorney? Or protected health information if you are a medical malpractice attorney?” Waller said. “Virginia lawyers are no longer ethically allowed to play ostrich with their head in the sand about technology.”

Avoiding cyber threats

According to the 2020 American Bar Association TechReport survey, 21% of respondents did not know if their law firm had ever experienced a security breach, while the ABA reported that one-third of firms with 100 or more attorneys had been victimized by cybercriminals.

And threats extend beyond firms.

Twice in 2021, the Virginia State Bar issued a warning to its members to avoid clicking on “phony emails” from a fake email account registered to spoof the VSB. The accounts claimed to be from the VSB Ethics Department despite not using an official VSB email address. According to the VSB, the phishing site used in the scheme was reported and shut down in September.

To prevent falling victim to phishing schemes and other cyber threats, Gallo advises training within firms.

“That type of training is very important, because that’s a weak link. People are a weak link when it comes to social engineering scams,” Gallo said.

Parks advised that law firms should “at minimum” have quality IT assistance and “strongly consider” implementing both a data breach avoidance plan and an incident response plan. Those plans, Parks said, would both lower the chances of a breach and minimize the impact if a breach occurs.

Another way for firms to prepare for cyber-attacks is through purchasing proper insurance, separate from typical liability insurance, that covers cybersecurity threats.

“It doesn’t substitute for good training and due diligence, but cyber liability insurance is very important as a backstop to protect an organization in the event that a breach occurs,” Gallo said. “Law firms should seriously consider obtaining cyber liability insurance.”

Gallo, who along with Parks co-chairs the VSB Special Committee on Technology and the Future Practice of Law, said attorneys should also be aware that there are resources available to help.

“No lawyer, no law firm, no sole practitioner should think that they have to go in alone. There are resources out there to help,” Gallo said.

Ultimately, these attorneys stressed the importance of preparation, as work on the front end can avoid potentially disastrous security breaches caused by simple calendar invitations or email attachments.

“As a cybersecurity attorney, I can’t tell you how many stories I’ve heard where one employee takes down an entire office by mistake,” Parks said.