    Wisconsin Lawyer
    April 03, 2024

    Technology
    Don't Be Fooled: Identifying and Combating Common Scams in 2024

    Here are tips for recognizing and preventing scams used to obtain personal and work-related data, money, or both.

    James Pearson


    April seems the perfect time to discuss cybersecurity trends and tips for keeping law firms and their data safe and secure. The year started with a bang as the largest data breach on record, aptly called the “mother of all data breaches,” was discovered. This list of accounts has more than 26 billion stolen records from sources such as X (formerly Twitter) and is readily available on the dark web.1

    The rapid progress of artificial intelligence (AI) technology since the start of 2023 is astonishing, and companies are increasingly integrating AI tools into their software, enabling faster and easier creation of content such as text, photos, videos, and audio with unprecedented accuracy. However, alongside the positive applications of AI, cybercriminals are also leveraging this technology for malicious purposes.

    These two developments are not the only cause for cybersecurity concerns. Scams, both online and offline, have become increasingly sophisticated and challenging to detect. Individuals and businesses need to be vigilant in protecting themselves against these threats, including email scams targeting personal information and phone calls from scammers posing as friends, family, or coworkers. Let’s delve into the current cyber threat landscape and the prevalent scams circulating through different media channels.

    Ransomware is Alive and Well

    Ransomware has evolved significantly, becoming more sophisticated and capable of completely shutting down systems, as seen in the Colonial Pipeline ransomware attack in May 2021. Per Verizon’s 2023 Data Breach Investigations Report, ransomware remains a “persistent threat,” affecting businesses of all sizes and industries.2 These attacks have led to credential exposure and subsequent data breaches, elevating the overall threat landscape.

    James Pearson owns the Computer Center, Janesville. He is a Microsoft Certified Professional and a frequent author and speaker on cybersecurity and safety topics. thelawyersgeek.com

    Cybercriminals now efficiently share highly accurate information, enabling quicker and more effective attacks with fewer errors. Personally identifiable information (PII) is readily accessible on the dark web. Ransomware and malware as a service offer a range of tools like software, phishing materials, and even the option to hire hackers, making malicious activities accessible to those with ill intent and resources.3

    Cybercriminals lock organizations out of their data and demand ransom payments and then might expose sensitive information obtained through ransomware attacks if demands are unmet. This malicious tactic, known as doxing (derived from the term “dropping documents”), involves the public release of private documents or threats to do so, exploiting data from ransomware incidents. This strategy poses a significant threat to businesses. Even targets with secure backups might be vulnerable because ransomware authors might turn to other forms of extortion, including threatening lawyers’ clients who are exposed by a ransomware attack.

    Effect of Generative AI on Cyberthreats

    While this advanced technology can streamline business operations, it is also susceptible to malevolent exploitation. Cybercriminals use generative AI tools, presenting complex challenges, particularly in combating email phishing attacks. AI’s language models excel at mimicking tone, making it difficult to discern unusual grammar or incongruent language in phishing emails. Furthermore, AI integrated into voice and video technologies has led to the proliferation of deepfakes, deceiving individuals with convincing calls from trusted sources. The dangers of such exploitation are evidenced by a U.K.-based energy company with a branch in Germany falling victim to a scam, resulting in a loss of $243,000. The German CEO initiated a call to the U.K. CEO, requesting funds to be sent to a Hungarian vendor (which turned out to be the scammer’s account).4

    In another disturbing use of AI technology, a woman received a call from an unlisted number and heard what sounded like her 15-year-old daughter in the background, crying, saying “Mom, I messed up,” and pleading for help. The supposed kidnappers asked for a $1 million ransom. The woman stated that the voice “100% belonged to her daughter.”5

    These instances demonstrate how cybercriminals actively use AI to enhance their effectiveness in scamming. They extensively search the internet, especially social media platforms, for individuals’ writing samples, voice recordings, and videos. By using this data in AI-driven tools, they can create written content and deep-faked audio and video clips that mimic the style of their targets and can customize them with details reflecting their interests and hobbies. This active manipulation makes it more challenging for individuals to distinguish between authentic and deceptive emails, phone calls, or videos.

    Targeting Individuals Through Social Engineering

    Individuals have become prime targets for hackers. The Hackmageddon blog has consistently reported a rise in personal data breaches, exploiting human psychology and social engineering to manipulate people into revealing sensitive information or unknowingly downloading harmful software. Social media platforms serve as fertile ground for such attacks, with scammers using fake profiles to deceive victims. The surge in remote work has exacerbated the issue, leaving individuals more vulnerable to phishing scams without the protective security measures of traditional workplaces.

    Individuals are third on the list of most breached categories of targets, according to statistics compiled by Hackmageddon.6 Cybercriminals continue exploiting poorly patched or inadequately secured devices to access networks and data. However, more frequently, we, as individuals, inadvertently expose our data and networks by falling prey to these advanced techniques.

    Web Applications as Vulnerable Targets

    There has been a notable increase in attacks targeting web applications, in line with the growing popularity of web-based software. It is vital to dispel the misconception that the web lacks security. By implementing proper maintenance, security monitoring, and robust security measures, web applications can achieve a level of protection comparable to traditional in-house devices and even surpass them in many cases. Nevertheless, web applications are still a prime target.

    As the transition to cloud-based applications continues, it is crucial to understand that security in the cloud shares similarities with security for law firm and business in-house devices and software. Fortunately, cloud-based software shifts a significant portion of IT responsibility from the law firm (and the firm’s IT department) to those vendors. Nonetheless, it remains essential to practice sound account management, such as deleting outdated accounts from the software, granting users only the necessary access for their tasks, implementing additional layers of security like multifactor authentication (MFA), and enforcing good password practices.

    Evolution of Email Scams: Business Communication Compromise (BCC)

    Experts anticipate that there will be a notable shift in email scams in 2024. Business email compromise (BEC) attacks are evolving into business communication compromise (BCC) attacks, as cybercriminals leverage AI and deepfake technology to replicate trusted individuals within organizations. This advanced approach increases the challenge of distinguishing fake communications from authentic ones, raising cybersecurity risks. Furthermore, these threats extend beyond emails to encompass social media messages, phone calls, and text messages.7

    Similar strategies used to combat emails can be applied when assessing other forms of communication. Keep in mind the principle of “trust but verify” before taking any action. Links in text messages pose similar risks to those in emails, and even a phone number you recognize might not always be what it seems because of number cloning, the ability to make a call appear to be coming from a number it is not.

    Even more challenging is that while one can reduce email threats with efficient filtering software, the tools to combat scams and fraud committed with social media, text messages, and phone calls are either lacking or in early development stages. These platforms demand vigilance and caution, relying on human beings to scrutinize and confirm the validity of these communications.

    The Internet of Things (IoT)

    I recently purchased a new washing machine. It has Wi-Fi connectivity and a phone app for remote control, and the washer requires firmware updates. The evolution of household appliances, for example, refrigerators, thermostats, washing machines, light bulbs, garage door openers, doorbells, cameras, and personal assistant devices such as Amazon’s Alexa, is remarkable. The range of connected devices continues to expand, reflecting the ongoing advancements.

    Current estimates project that internet-connected devices will surge to 30.9 billion by 2025, surpassing the 13.8 billion in 2021, 19.8 billion in 2023, and the expected 24.4 billion in 2024.8

    Our IT company encounters a common issue when dealing with IoT devices: misconfiguration or leaving devices in their default state. Misconfiguration frequently involves default usernames and passwords that individuals can quickly discover online. Every device added to a network, whether at home or in the office, introduces another potential entry point for exploitation. Properly configuring these devices, and maintaining and regularly updating them, are crucial for safeguarding the benefits of this technology and preventing unauthorized access by cybercriminals.

    Your Account Credentials are Under Attack

    In a 2019 report, Microsoft stated that there were over 300 million fraudulent sign-in attempts every day that targeted Microsoft services.9

    Accounts on Microsoft, Google, PayPal, eBay, Amazon, and nearly every other business have security threats. Cybercriminals are selling credentials on the dark web and attempting to access accounts using stolen data, especially reused passwords.

    As an IT company monitoring hundreds of Microsoft accounts daily, we’ve noticed increased sign-in attempts from different countries trying to breach those accounts.

    Microsoft emphasizes that activation of MFA can thwart over 99.9% of unauthorized login attempts, even if the attacker has obtained a password. Despite this, the practice of enabling MFA across various accounts, such as social media platforms like Facebook and LinkedIn, remains uncommon. Many individuals perceive each added security layer as a hassle and hence neglect to implement them. Setting up MFA to require verifying your identity via a phone or an app, a seemingly minor inconvenience, could make the difference between a data breach occurring or your information being protected.

    How to Fool the Foolers

    Here are some specific steps to take to combat cybercriminals in 2024 and beyond.

    • Never reuse a password. Password reuse is one of the most common ways to make it easier for hackers to access accounts. With nearly every major organization already exposing billions of account credentials via data breaches, cybercriminals are now compiling, aggregating, and reselling these records on the dark web. Accessing accounts becomes child’s play for cybercriminals who purchase a database and then use credential stuffing (trying passwords repeatedly in hopes that an account owner has reused one) to gain entry.

    • Use complicated passwords. Nonsensical, long passwords (over 12 characters) that contain a random mix of upper- and lower-case characters, numbers, and symbols are essential. Password managers like LastPass can help you remember and securely share these if needed, but passwords remain the weakest point in many networks and accounts.

    • Enable MFA everywhere. Using an authentication app like the Duo, Microsoft, or Google authenticators, or even a text message or email, to verify your identity significantly reduces data breaches (as pointed out by Microsoft above). Authenticator apps and biometric authentication, such as fingerprint readers and facial recognition like that used in Microsoft’s Hello, can even securely replace passwords.

    • Trust but verify. In the example above of the person who received a phone call asking that a “ransom” be paid for a kidnapped family member, the woman knew her daughter was on a trip, and despite the trauma caused by the situation, she was able to contact her daughter directly to verify whether she was safe. In the CEO AI voice scam mentioned, using a secondary form of authentication before doing anything else could have thwarted the disaster. Ignore links in emails, attachments, phone calls, and other requests, especially those requesting money or disclosing confidential information, until they can be verified by other means, such as a phone call to a known number for the sender.

    • Education is vital. As a tech provider, I advise clients that hardware or software security measures are not foolproof. Often, individual users’ actions make them vulnerable to breaches, like falling for phishing scams. Prioritize ongoing cybersecurity training with a trusted IT vendor to enhance your defenses.

    • Actively monitor. Even small firms should consider working with IT vendors that offer robust and constant monitoring of suspicious activities on the firms’ networks and computers and with accounts. For example, we monitor Microsoft accounts for unusual behavior, such as logins from other countries, settings or permission changes, or nonstandard behavior.

    • Use EDR. Outdated antivirus software is no longer effective. Traditional solutions rely on a virus database and fundamental-behavior analysis. In contrast, endpoint detection and response (EDR) software offers superior protection compared to standard commercial and home products. With the integration of AI for enhanced security, EDR reacts swiftly and more intelligently than its predecessors. Considering the rise in cyber liability insurance assessments, EDR is now the minimum recommended antivirus defense.

    • Consider a cyber liability policy. Having an insurance policy for cybersecurity-related losses has two key advantages. The first is the availability of financial and legal assistance in case of a data breach or cyberattack. Additionally, the application process itself offers another benefit. Nowadays, most underwriters require strong security measures to be in place either to secure a policy or to lower premiums for small businesses. By having these security measures in place and accurately completing the insurance questionnaire, a policyholder increases the chances of a successful claim payout in the event of a breach and ensures compliance with insurance requirements.

    • Hire an IT professional. The landscape of cyberattacks has undergone significant changes in recent years, posing greater challenges for DIY enthusiasts. Contact a trusted IT advisor for assistance with strategizing, implementing, and overseeing your cybersecurity solution.
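
    The sign-in monitoring described in the steps above (logins from other countries, credential stuffing against reused passwords, sign-ins that succeed without MFA) can be sketched as a review of sign-in records. This is an added example, not code from the article or the author's firm; the records are constructed, and the field names, the per-user country baseline, and the three-account threshold are assumptions.

```python
from collections import defaultdict

# Constructed sign-in records (not real logs). Field names are assumptions,
# not any vendor's export schema. "XX" is a placeholder country code.
SIGN_INS = [
    {"user": "asmith", "ip": "203.0.113.7",   "country": "US", "ok": True,  "mfa": True},
    {"user": "asmith", "ip": "198.51.100.23", "country": "XX", "ok": False, "mfa": False},
    {"user": "bjones", "ip": "198.51.100.23", "country": "XX", "ok": False, "mfa": False},
    {"user": "clee",   "ip": "198.51.100.23", "country": "XX", "ok": False, "mfa": False},
    {"user": "bjones", "ip": "198.51.100.23", "country": "XX", "ok": True,  "mfa": False},
    {"user": "clee",   "ip": "192.0.2.44",    "country": "CA", "ok": True,  "mfa": True},
]

# Assumed baseline: countries each user is expected to sign in from.
EXPECTED = {"asmith": {"US"}, "bjones": {"US"}, "clee": {"US", "CA"}}

# Assumed threshold: one IP failing against this many distinct accounts
# looks like a purchased credential list being tried, not a typo.
STUFFING_MIN_USERS = 3


def review_sign_ins(events, expected, min_users=STUFFING_MIN_USERS):
    """Return a list of alert tuples for the three patterns the article names."""
    alerts = []

    # Pass 1: group failed attempts by source IP and count distinct accounts.
    failed_users_by_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_users_by_ip[e["ip"]].add(e["user"])
    stuffing_ips = {ip for ip, users in failed_users_by_ip.items()
                    if len(users) >= min_users}
    for ip in sorted(stuffing_ips):
        alerts.append(("credential-stuffing-pattern", ip,
                       sorted(failed_users_by_ip[ip])))

    # Pass 2: examine successful sign-ins, which are the ones that matter most.
    for e in events:
        if not e["ok"]:
            continue
        if e["country"] not in expected.get(e["user"], set()):
            alerts.append(("unexpected-country", e["user"], e["country"]))
        if e["ip"] in stuffing_ips:
            # A success from an IP that was guessing passwords suggests reuse.
            alerts.append(("success-from-stuffing-ip", e["user"], e["ip"]))
        if not e["mfa"]:
            alerts.append(("password-only-success", e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in review_sign_ins(SIGN_INS, EXPECTED):
        print(alert)
```

    In the constructed data, every alert on a successful sign-in concerns the one account that accepted a password without a second factor.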

    Conclusion

    It is not a question of whether you will experience a cyberattack but when. The constantly evolving tactics of cybercriminals require everyone to be vigilant and proactive in protecting personal and business information. By following these tips and working with knowledgeable IT professionals, people can stay ahead of the game and reduce the risk of becoming victims of cybercrime.

    The Computer Center has created a free resource center for this topic at https://info.computer-center.com/commonscams.

    Endnotes

    1 Brooke Kato, “Mother of All Breaches” Data Leak Reveals 26 Billion Account Records Stolen from Twitter, Linkedin, More, N.Y. Post (Jan. 23, 2024), nypost.com/2024/01/23/lifestyle/extremely-dangerous-leak-reveals-26-billion-account-records-stolen-from-twitter-linkedin-more-mother-of-all-breaches/.

    2 Verizon Bus., 2023 Data Breach Investigations Report, www.verizon.com/business/resources/reports/dbir/ (last visited Feb. 21, 2024).

    3 Ray Fernandez, Top 7 Cybersecurity Threats for 2024, TechRepublic (Dec. 20, 2023), www.techrepublic.com/article/top-cybersecurity-threats/.

    4 Catherine Stupp, Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime, Wall St. J., Aug. 30, 2019, www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402.

    5 Grace Dean, A Mother Reportedly Got a Scam Call Saying Her Daughter Had Been Kidnapped and She’d Have to Pay a Ransom. The ‘Kidnapper’ Cloned the Daughter’s Voice Using AI, Bus. Insider, www.businessinsider.com/ai-scam-voice-clone-fake-kidnap-call-mother-money-ransom-2023-4 (last visited Feb. 21, 2024).

    6 Paolo Passeri, The Biggest Data Breaches of 2023, HACKMAGEDDON (last modified Mar. 5, 2024), www.hackmageddon.com/2023/03/02/the-biggest-data-breaches-of-2023/.

    7 Michal Salát, What 2024 Holds for the Future of Cybersecurity, Norton (Dec. 12, 2023), us.norton.com/blog/emerging-threats/2024-predictions.

    8 Lionel Sujay Vailshery, Global IOT and Non-IoT Connections 2010-2025, Statista (Sept. 6, 2022), www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/.

    9 Melanie Maynes, One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts, Microsoft Security Blog (Aug. 20, 2019), www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/.

    » Cite this article: 97 Wis. Law. 43-46 (April 2024).

