Hacking & spoofing – how secure is your email account?
Email security for law firms is an ever-present concern. These days we are all aware of the potential dangers of fraud when it comes to our emails.
For the purposes of this article, I will be focusing specifically on email through Microsoft Office 365 as this is the mail platform we resell to clients, and which is fast becoming the most popular email service for businesses.
So, what are the main issues that you might face when dealing with malicious email? Let’s define a couple of terms and then look at what can be done to mitigate some of the risks to your firm.
Hacking is the kind of attack that worries people the most and is potentially the most damaging to your firm. It means that someone has illegally gained access to your email account, so they can access your contacts list and the emails you have both sent and received.
Scammers may monitor your account for some time. They may read messages and gather useful information such as bank details and details of transactions you are conducting for clients.
They may then contact the client asking for funds to be transferred. The client, seeing that the email came from their solicitor, could then make payment to the bank account that the scammer provided to them.
Fortunately, there is a solution available to all Office 365 customers that can help prevent this situation – Multi Factor Authentication.
Multi Factor Authentication (MFA) provides an additional layer of security for your Office 365 account. It requires not only your email address and password but also a second authentication step.
This can be either a code sent via text message or through an app installed on your mobile device. When you sign into Office 365, you will be prompted for this second stage verification.
While a hacker may have access to your email address and password, unless they also have your mobile phone, they will not be able to gain access to your account.
Spoofing occurs when you, or a third party, receive an email that at first glance looks to have come from your account. In fact, it has not. Your account has not been hacked or compromised.
The sender has made it appear that the email was sent by you. Closer examination reveals that the sending address was something completely different, typically a Gmail or other free account that scammers use.
While a message like this will not pass detailed inspection, it may be enough to trick people into thinking that it came from you or someone else at your firm.
While not as serious as a full email breach, this is a common method employed by scammers. Most of us have encountered this at some point.
Solution: DKIM Technology.
This is where a technology called DKIM (DomainKeys Identified Mail) can come in. With this feature enabled on your Office 365 account, all outgoing messages will be digitally signed with an invisible key unique to your firm. When a mail server receives a message, it will check this key and verify that it really came from your firm.
If this check fails, the message is not delivered to the recipient.
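The "closer examination" of the sending address and the DKIM check described above can be automated. The following is an added example, not part of the original article or any LawWare tooling. The firm domain examplelaw.test, the two sample messages and the function name check_message are constructed for illustration, and the DKIM verdict is read from the Authentication-Results header that the receiving mail server adds.

```python
from email import message_from_string
from email.utils import parseaddr
import re

FIRM_DOMAIN = "examplelaw.test"  # assumption: the firm's real mail domain

# Constructed sample: display name imitates the firm, real address is a free account.
SPOOFED = """\
From: "Jane Smith <jane.smith@examplelaw.test>" <js.conveyancing@gmail.com>
To: client@example.org
Subject: Updated bank details
Authentication-Results: mx.example.org; dkim=pass header.d=gmail.com

Please send the funds to the new account.
"""

# Constructed sample: genuine message signed by the firm's own domain.
GENUINE = """\
From: "Jane Smith" <jane.smith@examplelaw.test>
To: client@example.org
Subject: Completion date
Authentication-Results: mx.example.org; dkim=pass header.d=examplelaw.test

See you on Friday.
"""

def check_message(raw, firm_domain=FIRM_DOMAIN):
    """Return a list of warnings for one raw message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    warnings = []
    # 1. Display name mentions the firm, but the real sending address is elsewhere.
    if firm_domain in display.lower() and from_domain != firm_domain:
        warnings.append(f"display name imitates {firm_domain}, sent from {address}")
    # 2. DKIM verdict recorded by the receiving server, and which domain signed.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bdkim=(\w+)", results)
    signer = re.search(r"\bheader\.d=([\w.-]+)", results)
    if not verdict or verdict.group(1).lower() != "pass":
        warnings.append("no passing DKIM signature")
    elif signer and signer.group(1).lower() != from_domain:
        warnings.append(f"DKIM signed by {signer.group(1)}, not {from_domain}")
    return warnings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_message(raw) or "no warnings")
```

In the constructed spoofed sample the free mail provider's own DKIM signature passes, so it is the display-name check that flags the message. The DKIM check catches mail that claims the firm's address without a passing signature from the firm's domain.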
The good news.
If you have Office 365 email administered by LawWare, then both DKIM and Multi Factor Authentication are available to you. Please contact me to find out more about email security for law firms.