Zoom Attack Exposes Lawyers to Major Cyber Risk: Why Vigilance Is Now an Ethical Imperative!

Lawyers need to be able to Spot fake Zoom invites—protect your client data now!

A sophisticated cyberattack targeting Zoom users has recently emerged, with direct implications for lawyers and legal professionals. The attack, detailed by Malwarebytes, involves a crime group dubbed ELUSIVE COMET that lures victims into Zoom meetings and tricks them into granting remote access. This enables the installation of malware and theft of sensitive data, including financial assets and confidential client information, e.g., PII.

How the Attack Works

Attackers pose as reputable contacts (e.g., media invitations) and set up Zoom calls.
During the meeting, the attacker often sends a remote control request with their camera off, disguising their screen name as “Zoom” to appear legitimate.
If the victim approves, the attacker gains full control of the victim’s system, installs malware, and can access files, emails, and even financial accounts.

Why Lawyers Must Be Extra Cautious

Ethical Duties Under ABA Model Rules

You need to be careful who you let into your zoom conferences!

Competence (Rule 1.1): Lawyers must provide competent representation, which now explicitly includes technological competence. Comment 8 to Rule 1.1 states:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Confidentiality (Rule 1.6): Attorneys are ethically obligated to protect client information from unauthorized disclosure. Allowing remote access to your device can expose privileged communications, work product, and sensitive client data to malicious actors.
Failing to maintain technological competence or safeguard client data can result in ethical violations, malpractice claims, and reputational harm.

Best Practices to Prevent Zoom-Based Attacks

Never accept remote control requests from unknown or unverified participants.
Use Zoom via your web browser when possible, as the browser version does not support remote control, reducing risk.
Enable meeting passwords and waiting rooms to control access.
Restrict screen sharing and disable remote control features unless absolutely necessary.
Verify all meeting invitations-scrutinize the sender’s identity, and be wary of unsolicited requests, especially those involving media opportunities or unfamiliar contacts.
Keep Zoom and all security software updated to address known vulnerabilities.
Educate staff and colleagues about the risks and proper protocols for virtual meetings.

What to Do If You Suspect a Breach

You control access—deny hackers, defend your practice.

Disconnect from the internet immediately to limit further access.
Contact your IT or cybersecurity team and initiate your incident response plan.
Notify affected clients and relevant authorities as required by law and ethical rules.
Document the incident and steps taken for compliance and potential reporting obligations.
Review and update your security protocols to prevent future incidents.

Let’s be careful out there - it could cost you your job or, worse yet, your bar license if you don’t!

Happy Lawyering!!!