Confirming Identity at Law Firms: It’s Who You Know



A foundation of a law firm’s work is trusting identity. The documents going back and forth in a law firm contain sensitive information, like transactions, contracts, or negotiations. This information can’t be shared with the wrong parties and the industry needs to be cautious about validating identities of those sending and receiving this information.

Providers of legal services need to attain compliance and safeguard clients and their assets. The methods are changing with lawyers shifting from in-person conferences to digital document exchange. This article explores four areas in the digital age in which lawyers should be required to validate identity.

#1 Phishing Scams

No matter the industry, phishing is always a risk. Lawyers, associates, and paralegals risk inadvertently clicking on malware, especially since this field relies so heavily on attached documents being sent back and forth.

A cybercriminal could steal money by copying a vendor’s invoices. Everything would look the same, but payment details would deposit the money into the criminal’s bank account instead. They could even send an “urgent” message containing a web page link which looks credible. It may seem to be from a bank or government, but one or two characters in the URL may be different. Those who do not notice the slight difference in the URL will enter the sensitive account data into a form and the information is then sent to the bad guys.

Tip for Verification: Filters used firm-wide can check for malicious attachments before they reach people. Educate employees to verify every URL before clicking on a link. Hovering over the highlighted text shows the web address the click will actually open.

#2 Business Email Scams

Law firms are often the targets of business communication email scams. As an example, Jared Kushner’s lawyer exchanged emails with a person impersonating the ex-White House aide. Emails from [email protected] triggered the lawyer to share important information.

Tip for Verification: Before starting any email engagement, verify the private and secure email address of the client. Before responding to any email, always confirm the email address is the same as the one you have on file.
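The checks described in #1 (a link that differs from the real one by one or two characters) and #2 (a sender address that does not match the one on file) can be automated in a mail filter. The following is an added example, not part of the original article; the domain list, function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the firm has on file (an assumption).
TRUSTED = ("firstbank.example", "clientcorp.example", "courts.example")

def edit_distance(a, b):
    """Levenshtein distance using the two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def host_of(value):
    """Lower-cased host of a URL, or the domain part of a bare e-mail address."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    return host.lower().rstrip(".")

def classify(value, trusted=TRUSTED, max_dist=2):
    """Return (verdict, matched_domain) for a link or sender address."""
    host = host_of(value)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        # Compare only as many trailing labels as the trusted domain has,
        # so "www." or another subdomain cannot hide a near-miss.
        tail = ".".join(host.split(".")[-t.count(".") - 1:])
        if 0 < edit_distance(tail, t) <= max_dist:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed samples: a genuine link, a one-character swap,
    # a transposed sender domain, and an unrelated site.
    for sample in ("https://www.firstbank.example/login",
                   "https://www.f1rstbank.example/login",
                   "jdoe@clientcrop.example",
                   "https://news.example.org/"):
        print(sample, classify(sample))
```

A "lookalike" verdict is a reason to quarantine or flag the message for a human, not proof of fraud; short domain names produce false positives at a distance of two.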

#3 Outgoing Email

Email automation can also lead to challenges. The associate permits Outlook to auto-populate the recipient’s email address from the address book. Too busy typing a quick note, he does not verify that he’s sending it to the right person. But Smith, John is a divorce attorney and Smithson, John is a client at a dental firm. They should not be receiving each other’s filings!

The law firm Wilmer, Cutler, Pickering, Hale, and Dorr sent files describing in detail a history of whistleblower claims at PepsiCo to the wrong person, a Wall Street Journal reporter. So much for client privilege.

Tip for Verification: Double-check your email address list. Configure your firm’s email application to prohibit any auto-populating of email addresses.

#4 Multi-Factor Authentication

Another area where you want to verify identity is staff access to systems and software. Reliance only on username and password credentials isn’t strict enough. People make mistakes. They share the information that makes their access credentials easy to guess. Your people might not pick complex passwords or change their access credentials. Data breaches could put professional accounts at risk when individuals reuse passwords.

Tip for Verification: The addition of multi-factor authentication makes it more difficult for the cybercriminal. Even two-factor authentication adds another significant level of security. Having the access credentials alone won’t be enough; the hacker also needs to obtain the personal device where the authentication code is sent.


Need help establishing robust digital practices through IT Policy and ITSM processes to confirm client and employee identities? Check out the ITSM Rhino.

If you have not read our eBook guide yet, here’s the link again ‘The Top 5 Tech Mistakes Lawyers Make.’

