By Heath Hamacher
When COVID-19 struck, calendar software and videoconferencing became a viable, popular means of doing business. Unfortunately, cybercriminals got the memo and have begun pursuing a new and particularly dangerous line of attack.
In recent years, internet bad guys have increasingly targeted law firms and their valuable corporate and customer data, looking to profit by weaseling into networks and injecting themselves into others’ financial affairs.
Email attacks have long been the hacker’s preferred modus operandi, and remain so even today. But most people have become rightly more suspicious of emails, so today’s hackers, like the savvy businesspeople they are, are casting wider nets and chasing multiple revenue opportunities.
Calendar fraud attacks started appearing a few years ago, but particularly since the pandemic started, these efforts to infiltrate platforms such as Zoom, Microsoft Teams, WebEx, and Google Calendar are wreaking havoc on unwitting victims.
“We’re on these [videoconferences] a lot more than we used to be, and if something’s on our calendar, we just kind of trust that we put it there or that someone in our office or someone else who had access put it there,” said Patrick Brown, vice president of Enterprise and Operational Risk Management at Lawyers Mutual of North Carolina.
Unfortunately, that may not always be the case.
You don’t want to be in the room where this happens
Since 2020, Brown has incorporated information on calendar fraud into cybersecurity presentations and continuing legal education, though he admits that it may only be one small part of a comprehensive discussion covering smishing (SMS/text phishing), vishing (voice phishing), and other "-ishings." But Brown said that while calendar scams might go by a different name, it's the same game.
“Basically, it’s a form of phishing that takes advantage of the user-friendly features in calendars where an appointment is automatically added to your calendar even before you accept it,” Brown said.
Calendar fraud can be particularly effective because these very high-risk entries, notifications, and invitations reside within trusted web applications, said Jack Pringle of Adams & Reese in Columbia, who focuses his practice on privacy, cybersecurity, and data management.
“A lot of people don’t give thought that one’s calendar might be an attack vector,” Pringle said. “But as with anything else, it’s important to understand that it’s not magic if someone manages to put something on your calendar if they know your email address and if settings allow them to put things on your calendar without approval.”
A study conducted by cybersecurity and antivirus provider Kaspersky Lab, focusing mainly on Google Calendar, found that users are less likely to ignore calendar invitations and events and more likely to open links on the fly that they assume to be sound.
These conference links act like a legitimate meeting app, Brown said, but lead the recipient to an empty room. And by the time they realize what they’ve waded into, it’s too late.
“No one else shows up for the meeting but, in the background, something has happened,” Brown said. “Maybe it’s downloaded malware or ransomware or keylogger [software that records the strokes the user makes on their keyboard] or some sort of command-and-control software.”
A good day of work beats a bad day of phishing
One third of law firms with 100 attorneys or more have been victimized by cybercriminals, according to the American Bar Association, and they’re not the only targets in the legal industry.
In 2019, the North Carolina State Bar was infiltrated by hackers demanding ransom. While the association’s servers were locked up and its website rendered inoperable, no data appeared to have been stolen. The bar recovered from the attack without paying a ransom and intensified its efforts to improve network security, including moving its data offsite into a secure cloud environment with real-time and redundant backups.
“As you might imagine, we receive our fair share of … attacks, so employee education is a big part of our security plan,” said Peter Bolac, assistant executive director and legislative liaison at the bar.
Brown recommended quarterly, if not monthly, security awareness training. He likens it to regular CPR training for lifeguards, except it provides “muscle memory” for hacker defense.
“It keeps us all safer and keeps everyone thinking about it,” Brown said. “If you see something suspicious, anything that you don’t remember putting there, report it. If you’re at a firm with secretaries or paralegals, check with them.”
Most experts agree that protecting everything, all the time, from experienced, motivated bad actors is likely impossible. In addition to being computer whizzes, scammers are notoriously persistent, sometimes setting reminders to send messages until the invitation is deleted or the recipient enters the room.
To help counteract that persistence, as with other cyber scams, experts recommend a healthy dose of skepticism and common sense. In a world where information from family schedules to financial information is synced and responses are often instantaneous, Brown said that the motto should be “don’t trust anything.”
“Take a second to stop, breathe, and think,” Brown said. “Don’t just assume that something is trustworthy.”
Some platforms claim to have adjusted their settings to help defend against these types of attacks, but Pringle said that the working assumption should be that a calendar application by default is going to automatically accept invitations.
“Each of us has to weigh the benefits of various technology tools and features—convenience, ease, rapid transactions, etc.—with the potential risks those tools and features create or heighten,” Pringle said. “There is almost always some tension between security and convenience … we have to put friction in the process [of cyber-attacks].”
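As an added defender-side example, not from the article or from any of the people quoted in it: a small Python triage of an inbound iCalendar (.ics) invitation that flags the two things the article describes, an organizer outside the firm and a "meeting" link that does not point at a recognised conferencing provider. The firm domain (`examplefirm.test`), the provider allowlist and the sample invitation are all assumed or constructed.

```python
"""Triage an inbound iCalendar (.ics) invitation before a client auto-adds it."""
import re
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"examplefirm.test"}                                  # assumed firm mail domains
KNOWN_MEETING_HOSTS = {"zoom.us", "teams.microsoft.com", "webex.com"}   # assumed allowlist
URL_RE = re.compile(r'https?://[^\s<>"]+')

def parse_ics(text):
    """Unfold RFC 5545 continuation lines and map property NAME -> [values] (parameters dropped)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        props.setdefault(key.split(";", 1)[0].upper(), []).append(value.strip())
    return props

def _domain_of(addr):
    # Domain part of a 'mailto:user@host' ORGANIZER value.
    return addr.lower().split("mailto:", 1)[-1].rsplit("@", 1)[-1]

def _trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in KNOWN_MEETING_HOSTS)

def triage_invite(text):
    """Return reasons this invitation deserves a second look; an empty list means nothing was flagged."""
    props = parse_ics(text)
    reasons = []
    for org in props.get("ORGANIZER", []):
        if _domain_of(org) not in INTERNAL_DOMAINS:
            reasons.append(f"organizer outside the firm: {org}")
    # Conference links usually live in DESCRIPTION, LOCATION or URL; check every one found.
    text_fields = " ".join(v for k in ("DESCRIPTION", "LOCATION", "URL") for v in props.get(k, []))
    for url in URL_RE.findall(text_fields):
        host = (urlparse(url).hostname or "").lower()
        if not _trusted_host(host):
            reasons.append(f"meeting link on unrecognised host: {host}")
    return reasons

# Constructed sample: an unsolicited REQUEST with a folded DESCRIPTION whose link is not a known provider.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "ORGANIZER;CN=Billing:mailto:billing@invoice-portal.example",
    "ATTENDEE;ROLE=REQ-PARTICIPANT:mailto:partner@examplefirm.test", "SUMMARY:Urgent: wire instructions review",
    "DESCRIPTION:Join here https://secure-meet.example/j/12", " 3456 before the call",
    "LOCATION:https://zoom.us/j/98765", "END:VEVENT", "END:VCALENDAR",
])
```

Running `triage_invite(SAMPLE_INVITE)` reports the external organizer and the unrecognised host while accepting the genuine zoom.us link, which is the kind of check a mail gateway or calendar add-in can run before an event lands on a lawyer's calendar.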