AOL, Dropbox and the Big “uh-oh”
An article came out highlighting a new suit against a law firm. Suits against law firms are not particularly rare and don’t make for compelling news. This suit, however, did.
A New York couple brought suit against their former law firm because it used an America Online account to transact firm business. If you are my age you probably remember that AOL and “You’ve got mail!” were the future—back in 1990.
Well, it turns out that this law firm and its AOL account were being used to help a couple purchase a $19.4 million cooperative apartment in Manhattan. Hackers had breached the firm’s AOL account and were monitoring its email traffic. The hackers then used the account to pose as the attorney working on the deal to direct the clients/couple to deposit $1.9 million by wire transfer into a hacker-controlled account. The hackers were kind enough to send the buyers/clients a receipt for the funds.
Once the fraud was detected, the couple was able to recover all but $196,200 (plenty enough to still ruin my day). While this is a brand new suit, it should be warning enough. So, what are the lessons learned here?
1. Your company should provide thoroughly vetted and secure software tools for its employees. If you are using “personal” software (including email or file sharing services) or cloud-based software for company business that has not been affirmatively adopted by your company, you may ask yourself, “Is this a risk I want to take on my own? Does my name look good in headlines?”
2. Frequently these hacks take the form of “spoofed” email (i.e., email that looks like it is from a legitimate source, but is not). For example, you could receive an email that appears to come from another employee within your company, requesting confidential information. Before hastily responding, click on the email address and carefully examine it. Often a spoofed email changes one letter or number within a familiar email address. Tricky!
3. As to handling money in general via the Internet, you, as the responsible citizen, should be very careful if you have any part to play in handling wire transfers (or any money). I suggest verbal communications to confirm instructions/accounts/timing in addition to written instructions. Pick up the phone and speak with your client to guarantee the details and discuss how the wire transfers will be handled. Better yet, avoid “handling the money” if at all possible.
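The address check from lesson 2 can also be automated. The following is an added example, not code from the original article: it compares a sender's address with addresses you already correspond with and flags near misses that differ by one character. The contact list, the `.example` addresses and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: addresses the recipient already corresponds with.
KNOWN_CONTACTS = {
    "jane.doe@lawfirm.example": "Jane Doe",
    "closings@bank.example": "Bank Closings Desk",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, contacts=KNOWN_CONTACTS, max_edits: int = 1):
    """Return (verdict, familiar_address_it_resembles) for a From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr in contacts:
        return ("known", addr)
    # Near miss: differs from a familiar address by at most max_edits characters.
    for known in contacts:
        if edit_distance(addr, known) <= max_edits:
            return ("lookalike", known)
    # Familiar display name placed on an address that is not in the book.
    for known, name in contacts.items():
        if display.strip().lower() == name.lower():
            return ("name-mismatch", known)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From: headers, one per verdict.
    for header in [
        "Jane Doe <jane.doe@lawfirm.example>",
        "Jane Doe <jane.doe@1awfirm.example>",     # digit 1 in place of letter l
        "Bank Closings Desk <closing@bank.example>",  # one letter dropped
        "Jane Doe <jane.doe@lawfirrn.example>",    # two edits, caught by name
        "Newsletter <news@shop.example>",
    ]:
        print(f"{header:50} -> {check_sender(header)}")
```

A message sent from a mailbox that has actually been breached, as in the AOL case above, comes back as `known`, which is why the phone confirmation in lesson 3 is still needed.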