A relatively new type of experience for practitioners across Aotearoa New Zealand, LawTalk explores the discomforting experience of discovering a fake website was created in James Olsen’s name, and what steps practitioners can take to preventing and stopping further instances of this.
In June, Auckland barrister James Olsen had the discomforting experience of discovering a fake website created in his name. It featured his photo but contained career details lifted from the website of another lawyer. The website was being hosted by a US-based company, NameSilo LLC, and the site appeared to be operated out of Nigeria. The scammer had also created a fake profile on social media network LinkedIn.
“I was about to go out on my own and was in the process of creating a website when I came across this fake website purporting to be me,” he said. “It used a photo of me from my then-employer’s site but had recorded another lawyer’s career experience.”
“There was a disconcerting and unknown aspect to what had been done in my name coupled with the unknown motivation behind such a site.”
Mr Olsen filed a complaint with the Police, who said they only had limited options.
After communication with the website host, he applied to the High Court for a takedown order. Mr Olsen told the High Court in Auckland that it appeared the site was a scam which could be luring people into paying an advance fee for legal services which would not be provided.
In his judgment Justice Simon Moore said that the website posed an obvious risk to members of the public seeking legal assistance, who may unwittingly be duped by someone impersonating a lawyer. Justice Moore said that “the false statements could well operate to undermine public confidence in the legal profession. Parties and potential clients seeking legal assistance may also send sensitive information to the contact details wrongly believing that the site is genuine. Inadvertent disclosure of sensitive information plainly undermines the administration of justice.”
Mr Olsen provided the judgment and the sealed orders to website host NameSilo, but they didn’t respond.
Mr Olsen also gave the takedown order to Google New Zealand to de-index the site from search results. “Google came back promptly and took it out of the New Zealand search results. Although people overseas could still find the site.” He reported the fake profile to LinkedIn, but didn’t receive a response. The fake profile is still on LinkedIn.
Mr Olsen also submitted an abuse request to the (ICANN). It was ICANN who were finally able to get the site taken down, around two months after Mr Olsen first discovered it.
Mr Olsen’s advice to anyone in a similar situation is to get onto it as soon as possible, as it takes quite a while to get things moving. “It took about a month to get the order from the High Court. Given it was happening overseas, there was no jurisdiction to enforce orders.”
He feels that the provisions in the Lawyers and Conveyancers Act 2006, such as s.43 which is aimed at preventing non-lawyers from holding themselves out as lawyers, may no longer be fit for purpose as they were drafted when the internet was far less prominent. “And to get a court order under the Harmful Digital Communications Act 2015 you have to show that you’ve suffered emotional distress or harm. Even though this was distressing, I don’t think I could have reached that threshold.“
Our advice is that your first port of call should be to contact your insurer. Even if your firm does not have specific cyber security insurance, we encourage you to have a conversation with your insurer if something goes wrong
Mr Olsen says that online identity theft is going to be on the rise given the prevalence of online activity and the lack of regulation of the internet.
“The simple solution is to regularly Google yourself. It sounds vain, but keep an eye open as to what appears online about you. It just shows that in this digital age, it’s something that lawyers need to do to make sure they are not being impersonated.”
The Department of Internal Affairs (DIA) says that identity theft can damage your personal, professional and financial reputation. DIA suggest that victims act quickly to minimise the impact of the identity theft. If you have evidence that your information is being fraudulently used by another person, DIA recommend that you report this to the Police.
If you need support and advice, registered charity IDCARE provides cyber support services to victims of identity theft.
CERT NZ Acting Incident Response Manager, Jordan Heersping, says that cyber security is one of the top priorities for all businesses, but especially small to medium businesses (SMEs).
“We’ve found that New Zealanders don’t often realise the severity of the losses that businesses can incur from attacks, these could include loss of personal information and records, income, assets, productivity or customer trust and goodwill. And most of these can be stopped with some basic steps at personal level.”
Heersping recommends that a good place to start is to do the following:
“Businesses and organisations should make sure their remote access systems are as secure as they can be and pay very careful attention to emails requesting payment or personal information, particularly invoices,” Heersping says.
CERT NZ has a list of tips for businesses to make sure they are protecting their data, their network, their customer information and their reputation: www.cert.govt.nz/business/guides/top-11-cyber-security-tips-for-your-business/
Law Society General Manager of Professional Standards, Katie Rusbatch says that the Law Society receives regular calls from firms where they have been a victim of a security breach. “Our advice is that your first port of call should be to contact your insurer. Even if your firm does not have specific cyber security insurance, we encourage you to have a conversation with your insurer if something goes wrong. You may be liable if client funds are lost from the trust account or if trust account records are held to ransom and you have insufficient backups of your records.
“Firms fall prey to cyber security breaches on a regular basis, and these instances can be devastating for all involved.”
Heersping says that in the event of an incident, your response team should report to the national computer emergency response team, CERT NZ. “Even if the event is contained or being worked through, CERT NZ can inform other organisations who may also be affected or targeted. Reporting to CERT NZ is always anonymous. CERT NZ’s Incident Response team can assist you through the steps to recover from the attack and be more resilient in the future.
“Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.”
The phrase “serious harm” can seem ambiguous, the Privacy Commission gives examples including:
“CERT NZ strongly urges you to report any breach or potential breach to the Privacy Commission regardless of the level of severity”, Heersping says. “Doing so gives greater reassurance to your stakeholders, even if the breach was a lower level.”
The Privacy Commission expect to be notified of breaches no later than 72 hours after your organisation becomes aware of it.
The 1 April to 30 June quarter of 2022 saw a 14% drop in reports to CERT NZ but a slight increase in direct financial loss, up to almost $4 million. Notably 32% of those who reported a financial loss, lost more than $1,000.
The current trends being reported to CERT NZ are rising scams targeting individuals, specifically financial and romance scams.
These scams can also affect businesses as the person targeted can give over specific information about the company or accidentally allow the scammer to gain access to internal systems. The scammers may also target a person to take over their social media accounts to in-turn attempt to run scams on the target’s followers.