Stay on guard for safe e-mail and browsing
By Carol L. Schlein
I began
receiving e-mail messages recently that look deceptively
official. A typical one will be addressed to support@losinc.com
or webmaster@losinc.com. The message reads, “You have
successfully updated the password of your Losinc account. If
you did not authorize this change or if you need assistance
with your account, please contact Losinc customer service
at: webmaster@losinc.com. Thank you for using Losinc! The
Losinc Support Team.”
Inevitably, it will have an attachment titled something like
new-password.zip.
Other
popular deceptions look like an e-mail from your bank, the
PayPal bill-paying service or eBay. The message typically
reads, “During our regulary schedule (note the spelling
errors) account maintenance and verification we have
detected a slight error in your billing information with
XXX. This might be due to either following reasons.”
The
message then details plausible reasons why your bank, PayPal
or eBay might need updated information. The message advises
you to sign into your account to update billing information.
The message often includes boilerplate similar to real
websites such as privacy statements and copyrights. To
complete the ruse, the link looks legitimate. When you click
on the link, however, you’re taken to a fraudulent site
where, if you’re not careful, you’ll be asked to enter
enough personal information to become a victim of identity theft.
When
setting up a domain name, one option is to forward traffic
to another domain. This is generally useful and allows
legitimate businesses to have multiple domain names leading
to the same location. For example, my company owns
“losinc.com” as well as “lawofficesystems.com” and “carolschlein.com.”
Someone typing lawofficesystems.com will automatically be
routed to losinc.com. I want those finding my site by these
domain names to notice they can get there directly using the
losinc.com address. Other times, depending on the nature of
the website, you may want some browsers to open to specific
pages on your firm’s website and can control that with this
domain-forwarding feature.
Bogus links
An option when establishing the forwarding for a domain name is to show the resulting address in the browser or to keep showing the originating address. Senders of deceptive e-mail linking to bogus versions of actual websites count on users not noticing that, despite starting from a link that might include ebay.com in its address, the page they land on is served from somewhere else entirely.
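The two deceptions described above, a link whose visible text names one site while its target is another, and an address bar that keeps showing a trusted name, can both be checked mechanically before anyone clicks. The following is an added example, not code from the column or from Law Office Systems. It parses the anchors out of a constructed HTML message body (modelled on the messages described above; the addresses and hosts in it are placeholders, not real sites) and flags every link whose visible host does not belong to the host the browser would actually connect to, including the two tricks that most often fool a glance: a trusted name placed in front of an "@" (the browser ignores everything before it) and a trusted name used as a subdomain of an unrelated domain.

```python
"""Flag links in an HTML e-mail whose visible text and real target disagree.

Added example; not part of the original column. The sample message below is
constructed for illustration, and the 'last two labels' notion of a domain is a
simplifying assumption that is wrong for names like example.co.uk.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style body: three deceptive links and one honest one.
SAMPLE_EMAIL = """
<p>Please <a href="http://203.0.113.5/ebay/update">sign in to https://www.ebay.com</a>
to update your billing information.</p>
<p>Or visit <a href="http://www.ebay.com.example/signin">www.ebay.com</a>.</p>
<p>Or <a href="http://www.ebay.com@example.net/">http://www.ebay.com</a>.</p>
<p>Questions? See <a href="https://pages.ebay.com/help/">eBay Help</a>.</p>
"""

URL_RE = re.compile(r"https?://\S+", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser really connects to. urlsplit().hostname discards any
    userinfo, so http://www.ebay.com@example.net/ yields 'example.net'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_in_text(text):
    """Host a reader would take the visible link text to mean, or None when
    the text is just words such as 'eBay Help' and promises no address."""
    match = URL_RE.search(text)
    if match:
        return host_of(match.group(0))
    candidate = text.strip().split("/")[0]
    return candidate.lower() if DOMAIN_RE.match(candidate) else None


def base_domain(host):
    """Assumed registrable domain: the last two labels (fine for .com/.net)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def same_site(shown, actual):
    """True only if the real host is the shown site or a subdomain of it.
    'www.ebay.com.example' ends in '.example', not '.ebay.com', so it fails."""
    base = base_domain(shown)
    return actual == base or actual.endswith("." + base)


def suspicious_links(html_body):
    """Return (visible text, real host) for every link that misleads."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown, actual = host_in_text(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            findings.append((text, actual))
    return findings


if __name__ == "__main__":
    for text, real_host in suspicious_links(SAMPLE_EMAIL):
        print(f"link text {text!r} really goes to {real_host}")
```

Links whose text is an ordinary phrase ("eBay Help") cannot be judged this way and are left alone; for those, the only defence is the one the column gives, which is to type the address yourself rather than trusting the message.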
To make
matters worse, it seems that no matter how diligent you are,
the longer your e-mail address exists, the more you’re
bombarded with unwelcome messages. The more places an
address is published on websites, or included in articles or
other published materials that can be found through search
engines, the more easily your e-mail address can be
collected. I purchased my business domain name in 1993, when
the internet was in its infancy. For marketing purposes, I
display my e-mail address prominently on my website as well
as on print and internet articles. As a result, I generally
get at least 150-200 unsolicited and unwanted messages
daily and even more on weekends.
An
interesting variation on these issues was reported in the
June 24 Business Day section of The New York Times.
Several months ago, thousands of internet users were enticed
by an e-mail offering to show revealing photos of Jennifer
Lopez. When recipients of this e-mail clicked on the links,
no photos were forthcoming. However, clicking on that link unleashed a software program onto their computer. When instructed by a remote master, all these infected computers became zombies, simultaneously bombarding a target website with so many hits that legitimate visitors could not reach those sites.
This
particular incident was set up to sell T-shirts. By
overwhelming the sites of its two biggest competitors, the
owners hoped to attract more people to their site.
The FBI
estimates 300,000 zombie computers are ready to launch a
similar attack, noting such scenarios are increasing. While
it’s hard to imagine a situation where one law firm would
target its competitors’ websites in this manner, it points
out the need for constant vigilance in viewing websites and
opening and responding to e-mail.
Latest schemes
Several
new schemes have new terms to describe them. “Phishing”
refers to the use of a bogus e-mail address that looks like
it might be sent from a bank or financial institution and
requests the user to send such private information as
account numbers and passwords. “Pharming” involves interfering with how a website’s address is resolved or forwarded, so that visitors who type the correct address are nonetheless redirected to a phantom site where they’ll be induced to provide confidential account information. “Typosquatting” is similar to pharming in its goal but relies instead on users who inadvertently mistype a web address and end up at a phony look-alike site registered under the misspelled name.
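Typosquatting and pharming call for two different checks, and the following added example (not code from the column or from Law Office Systems) shows both. The first part generates the single-keystroke misspellings of a firm’s domain that a typosquatter would register, using the column’s own losinc.com as the example, so a name found in a link or a log can be classified as the real site, a look-alike, or something unrelated. The second part reads a hosts file (a constructed excerpt is embedded) for entries that pin a watched domain to an address, which is one common way a correctly typed address is “pharmed” to the wrong machine. The QWERTY neighbour table is an assumption about which keys are mistyped for which.

```python
"""Typosquat variants of a domain, and hosts-file overrides that pharm it.

Added example; not part of the original column. losinc.com is used because the
column names it; the hosts-file excerpt is constructed.
"""

# Assumed keyboard neighbours for the "hit the key next door" mistake.
ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "ol",
    "a": "qsz", "s": "awdxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Constructed hosts-file excerpt: the second line is a pharming override that
# sends a correctly typed name to an attacker-chosen address, bypassing DNS.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
203.0.113.7 www.ebay.com ebay.com
# 192.0.2.1 signin.example
"""


def typo_variants(label):
    """Single-keystroke errors on one DNS label: a dropped letter, a doubled
    letter, two neighbours swapped, or an adjacent key pressed instead."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])            # omission: lsinc
        out.add(label[:i] + ch + label[i:])           # repetition: llosinc
        if i + 1 < len(label):                        # transposition: olsinc
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for key in ADJACENT.get(ch, ""):              # adjacent key: kosinc
            out.add(label[:i] + key + label[i + 1:])
    out.discard(label)
    return {v for v in out if v}


def typosquat_domains(domain):
    """Every look-alike of a domain a squatter might register."""
    name, _, tld = domain.lower().rpartition(".")
    variants = {f"{v}.{tld}" for v in typo_variants(name)}
    variants.add(f"www{name}.{tld}")                  # forgotten dot after www
    if len(tld) > 2:
        variants.add(f"{name}.{tld[:-1]}")            # .co instead of .com
    return variants


def classify(candidate, legit_domains):
    """'legitimate' for the real site or its subdomains, 'typosquat of X'
    for a generated look-alike, otherwise 'unrelated'."""
    candidate = candidate.lower().strip(".")
    for legit in legit_domains:
        legit = legit.lower()
        if candidate == legit or candidate.endswith("." + legit):
            return "legitimate"
        if candidate in typosquat_domains(legit):
            return f"typosquat of {legit}"
    return "unrelated"


def hosts_overrides(hosts_text, watched_domains):
    """(name, address) pairs where a watched domain or one of its subdomains
    is pinned in the hosts file, so DNS is never consulted for it."""
    watched = {d.lower() for d in watched_domains}
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            name = name.lower()
            if name in watched or any(name.endswith("." + w) for w in watched):
                hits.append((name, addr))
    return hits


if __name__ == "__main__":
    for host in ["www.losinc.com", "lsinc.com", "wwwlosinc.com", "paypal.com"]:
        print(host, "->", classify(host, ["losinc.com"]))
    for name, addr in hosts_overrides(SAMPLE_HOSTS, ["ebay.com"]):
        print(f"{name} is pinned to {addr} in the hosts file")
```

The generated list is also what a firm would compare against new domain registrations if it wanted to catch squatters early; the hosts-file check catches only one pharming route, and a poisoned DNS server would not show up in it at all.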
To
address these issues, the first line of defense is educating
staff about these schemes and teaching them to be more
cynical when managing their e-mail inbox. Even if they have
an account with Citigroup or eBay, they should know those
companies never solicit updates to user accounts through
e-mail. Teach staff to carefully examine the websites they’re visiting and, if there’s any doubt, not to provide the requested information.
One
corollary of this advice is to help staff understand the
difference between using a search engine and navigating
directly to a website. I’ve recently been doing more remote
support of clients using web-based tools like Gotomypc and
Gotomeeting. These tools enable me to connect to my clients’
computers and do remote training, customization or
troubleshooting. Generally, it takes only a minute or two to
remotely connect with clients. There’s an occasional problem
when a staff person at the client’s office types the web
address into a search box rather than going to the website
address directly.
When
searching for a web address, one can end up with listings
that include the advertising side of these sites rather than
the tools to use them or worse, other websites that mention
that site on their websites. My experience has been that
many users don’t know the difference between starting with
the search tool and going directly to a website address.
Although most offices have the needed tools (anti-virus software, firewalls, spam filters, spyware and adware removers), the staff often has not been educated about “safe computing” techniques.
Home connections
A policy should be established for employees who access the office systems remotely, to ensure their home computers carry the same protections, installed and kept up to date, so that a compromised home machine does not become a way into the office systems. Under such a written policy, employees sign an agreement spelling out their obligations to maintain their home computer. They should be required to regularly update anti-virus definitions, install a hardware- or software-based firewall, regularly run spyware remover programs like Spybot or Ad-aware and use a spam blocker. Such a policy not only educates the staff about safe computing, but reduces the time I.T. staff or outside consultants spend cleaning up the messes that can result from unwanted attacks or other infections.
Last
piece of advice: Teach your employees about the nature of
fair business tactics and ethics so they can share these
with families and friends before they become criminal
defense clients of your firm.
Carol L. Schlein is president of Law Office Systems in Montclair, a
training and consulting firm specializing in law firm
automation. Copies of previous columns are on her company
website, www.losinc.com.
For information about her quarterly meetings for Time Matters
users, check the website or e-mail
info@losinc.com. Schlein
formerly chaired the Computer and Technology Division of the
ABA Law Practice Management Section.
Questions for Carol L. Schlein on law office technology may be
faxed to New Jersey Lawyer at (732) 650-7010, e-mailed to
news@njlnews.com or
mailed to “Law Technology Questions,” New Jersey Lawyer,
Edison Square, 2035 Lincoln Highway, Suite 3005, Edison, N.J.
08817.