Lawyers Take Note: FTC Advises Web Hosts to Promote Anti-Phishing Technologies

Posted in Domain Names | Email Newsletters | Privacy and Security

Most law firms moved to secure their websites during the past few years, prodded by bar regulators, who worry that client communications might be intercepted, and marketers, who’ve heard that Google dings websites lacking an SSL certificate.

But have law firms done all they can to protect against phishing attacks?

Law firms and their clients are particularly suspectible to phishing exploits. Just like banks, law firms are trusted entities that handle sensitive financial and personal information. An email purporting to come from an attorney’s domain will prompt at least a few clients to let down their guard.

Among marketers, email authentication is a “best practice” at least. Among law firms, it should be a “must do.”

Against this background comes today’s report from the Federal Trade Commission indicating that many web hosting services are not providing, or publicizing the availability of, readily available email authentication technologies. Often these technologies are free for the asking, requiring just a small amount of time to configure and deploy.

The FTC staff report, Do Web Hosts Protect Their Small Business Customers With Secure Hosting And Anti-Phishing Technologies?, reviewed the practices of 11 leading web hosting companies that serve small businesses.

The report’s authors concluded that, while nearly all web hosting companies provided technologies that secured communications between the website and web browsers (TLS, the protocol that supports ”https” requests), few web hosts are providing their customers with tools to prevent phishing attacks.

Phishing attacks commonly use spoofed emails to trick unwary recipients into divulging financial information or to engage in fraudulent transactions.

Small Entities Less Likely to Authenticate Email

The report identified Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain Message Authentication Reporting and Conformance (DMARC) as email authentication technologies that should be offered to all small business customers. Small businesses are less likely than larger enterprises to have these technologies in place, the report indicated.

SPF and DKIM verify the identity of the domain that an email message purports to come from.

DMARC gives an additional layer of protection by telling receiving email servers how to handle unauthenticated email messages.

(Credit: Federal Trade Commission)

According to the FTC,

[S]mall business web hosts have not embraced email authentication, leaving small businesses at risk of having their domains used in phishing attacks, harming their business reputations and potentially causing financial harm to their customers.

To which we could add: potentially creating ethical pitfalls and financial liability for law firms that don’t insist on having email authentication in place on their sending domains.

The American Bar Association’s recent guidance on the duty to secure client communications does not directly address a lawyer’s obligation to prevent phishing attacks. However, the ABA did state that lawyers have an ethical duty to take reasonable efforts to prevent unauthorized access to protected information. Should a firm or its clients fall victim to a phishing attack, the firm’s adoption (or not) of free, readily available email authentication technologies will be relevant to any post-incident assessment of the reasonableness of the firm’s information security practices.