It really takes less than 5 minutes; all a hacker needs to do is:
- obtain a database of all your email addresses – this can be done legally from many free and paid email marketing services (30 seconds)
- visit your webmail page and copy it into their automated attack toolkit (30 seconds)
- craft a fake email, “From your IT department: Your mail storage quota is over the limit, please login to increase it” (1 minute)
- send it to everyone and wait (2 minutes)
- in the remaining minute, your users send the hacker their username/password combinations themselves.
There are 3 things you can do to prevent that:
- Ensure your email is hosted at a secure email provider, rather than your web hosting company – this is critical!
- Ensure your users have strong passwords – this is a security project in itself, from implementing password managers to regular audits and security awareness exercises
- Implement 2-factor authentication. But beware: even 2-factor authentication can be bypassed, so vigilance is key to keeping your data and your clients' data safe!
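As an added illustration, not code from the original post, here is a small Python heuristic that a mail gateway or triage script could apply to surface the lure described above: an external sender posing as the IT department, the quota/login wording, and a login link pointing away from the firm's own domain. The firm domain, phrase lists and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
FIRM_DOMAIN = "example-law.com"  # assumed firm domain, replace with your own
LURE_PHRASES = ("storage quota", "over the limit", "please login")  # wording of the lure in the post
INTERNAL_CLAIMS = ("it department", "it support", "helpdesk")  # who the lure pretends to be
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_firm_host(host):
    # True for the firm's own domain or any of its subdomains
    host = (host or "").lower()
    return host == FIRM_DOMAIN or host.endswith("." + FIRM_DOMAIN)

def lure_indicators(raw_message):
    # Returns the indicators found in a raw RFC 5322 message; an empty list means nothing suspicious
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    parts = list(msg.walk()) if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    found = []
    # 1. Display name claims to be the firm's IT staff, but the address is not the firm's
    if any(c in display_name.lower() for c in INTERNAL_CLAIMS) and not is_firm_host(sender_host):
        found.append("external sender claims to be internal IT")
    # 2. Body carries the quota/login lure text
    if any(p in body.lower() for p in LURE_PHRASES):
        found.append("mail quota / login lure")
    # 3. A link in the body points somewhere other than the firm's own webmail
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not is_firm_host(host):
            found.append("link to external host: " + str(host))
            break
    return found

# Constructed sample messages (not real mail)
PHISH = """\
From: "IT Department" <it-support@quota-alerts.example.net>
Content-Type: text/plain

Your mail storage quota is over the limit, please login to increase it:
https://webmail-example-law.example.net/login
"""
LEGIT = """\
From: "IT Department" <it@example-law.com>
Content-Type: text/plain

Webmail will be offline Saturday 02:00-04:00. No action is needed.
"""
```

Hits on all three indicators at once are a strong signal for quarantining or flagging the message to users before they reach the login prompt.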
Email (or rather, access to email) is the most critical entry point a hacker can gain into your law firm, because it is very likely that your file collaboration, file sharing, document management and filing systems are all tied to that same username/password combination. Even if we forget for a moment about all the confidential emails and attachments the account has accumulated over the years and focus only on the other systems it gives access to, a breach would still be critical, possibly to the whole firm and its business.
We constantly see queries like “our law firm got hacked” – and as much as we would like to help everyone, we have limited time and resources. If you still want to work with us to protect your law firm from hackers – check out our CISO as a Service page!