While we continue to face the threatening presence of Covid-19, many law firms are starting to realize that WFH (working from home) will no longer be temporary. But is your law firm adequately protected to operate remotely without compromising your business and clients’ data security?
Grace explains the different cybersecurity threats your law firm can be exposed to and basic principles you and your team should follow to minimize exposure to potential risks.
Our conversation then takes a turn that sheds light on the fact that your Google Ads account is likely being subjected to fraudulent clicks; Liel explains where these clicks come from and what can be done to stop them and keep your budget from going down the drain.
Send us your questions at firstname.lastname@example.org
Liel: [00:00:00] Tim Cook said if you put a key under the mat for the cops, a burglar can find it too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there is a key hidden somewhere, they won’t stop until they find it. I’m Liel Levy, co-founder of Nanato Media, and this is In Camera, a podcast where we zealously fight fraudulent and criminal online activity.
Liel: [00:00:56] Welcome to In Camera podcast, Private Legal Marketing Conversations. We are back. I’m Liel and I have here Grace, as always. How are you today?
Grace: [00:01:05] Good. How are you, Liel?
Liel: [00:01:06] I’m doing great, Grace. Thank you very much. I’m delighted to be back here and to have another conversation with you. How’s your week going so far?
Grace: [00:01:13] A little hectic, you know, with everything that’s going on. They actually closed Florida back up. They put back in the restrictions because of all the increases in cases. And I heard a couple of people came down for Mass Tort Nexus, as a matter of fact, and went back with COVID. So it’s pretty serious. Luckily, and I personally have still not come into contact with anybody. And I don’t personally know anyone, you know, here in Florida, family or otherwise, that has COVID or gotten COVID. So I’m lucky in that sense, but it has been a little crazy.
Liel: [00:01:49] I totally hear you. I mean, COVID is still around and it’s alive and thriving, unfortunately, in many states around the U.S., including Texas as well. And so I’m really glad to hear that you haven’t come in close contact with anyone who has it. And so we just need to continue being and taking precautions about it and not take anything for granted. I totally see how this continues to be a massive concern for everyone. Right. And definitely it’s going to be a central part in overall on all of our conversations moving forward as we continue to adapt to what is really a new reality, that it’s not temporary anymore. It’s just a reality in which we need to settle that has a lot of different changes in the way we do everything. We live our lives. We work. We interact with others. But I also think there is a lot of opportunity, and that’s what you and I tend to focus here on this podcast is in what are the opportunities that can be leveraged to continue thriving with your marketing and in growing your law firm. So, Grace, with that being said, let’s focus on all the news that has been happening around. So I’m just looking back into things that happened since the beginning of this week. So we had Uber, who acquired Postmates. Right. So that’s a big move in the tech world, which we care about and one that helps Uber continue consolidating as the to-go choice for, I guess, primarily food delivered to your home and the delivery service. Right. Is just booming and it’s getting bigger. Right. Because now, you know, it’s not just the delivery of food. There is delivery of groceries. There is delivery of many other things. And so these are good things to keep an eye on because there’s a lot of opportunity coming from there.
Grace, now, the other thing that it’s worth mentioning here, because, you know, we always like to shift and focus a little bit about tech and things that are happening in the world because we are always handling and working in social media platforms and such is that it looks like there are hints that Twitter is indeed starting to work on a paid membership platform that a lot of people speculate is indeed gonna be the new version of Twitter, where it’s going to be membership-based. Right. And if that happens, it’s gonna be a massive disruption for what is social media, as we know. Right. Even though Twitter is kind of like a niche platform, it’s not as big as Facebook is. It is still widely used. And it will definitely set a precedent as to what social media platforms could look like if they were to evolve into a paid platform where there are steps that are being taken more obvious than the ones that Facebook is currently taking right now in regards to moderating and blocking hate speech and all of those things that we’re all complaining about from Facebook. Right. And so I think that’s interesting. It’s meaningful. Again, it’s still nothing’s been confirmed. But the fact that they have open job listings specific for this project under brand nickname, it’s not under Twitter itself, but obviously people are connecting the dots and saying, okay, this is most likely going to be the first steps that Twitter’s taking towards that goal. So it’s going to be interesting to see what happens there, Grace. So that’s the news that we had this week when it comes down to tech and social media or at least some that are worth mentioning here now. Grace, I know you and I want to have a conversation about two very important aspects. Right. And just as we were saying a few moments ago, that now that remote working is becoming almost kind of like the norm in the way that we conduct business. And we need to be very able to shift from being in the office to remote working in no time.
There is a very, very big component that needs to be well covered in order to make this transition from backwards and forwards safe, right, and that’s cyber-security, Grace. So we’re going to be diving into that and we’re also going to look about fraud prevention. And so, Grace, without further ado, let’s get started on this conversation, which I know you’re very knowledgeable about. So what considerations law firms need to have with regards to preventing cyber crime or being attacked?
Grace: [00:06:28] So cybersecurity is a pretty loaded conversation, as you and I were talking about before we even started this. Right. And the reason being they have so many different complications or really factors to think about where variables and those are, you know, they have the hardware and or hold on to information that is extremely confidential. Right. I mean, they really have to think about HIPAA and things of that nature. Right. This is just standard stuff we all think about.
Liel: [00:06:57] Yes.
Grace: [00:06:58] So we also have to think about, you know, the compliance issues with regards to data retention and that type of thing. When I’m talking about cybersecurity, what I want to focus on has to do with more phishing and emails and things that you can besides the general HIPAA and security and compliance that you already have probably in place. If you don’t, you’re not going to be in business because of data breaches and whatever else that may have happened. But you need to have these things in place. And for the most part, you do. Right. You use systems that have authentications. They have a way of you. You have to send a text or they send you a text where it makes sure that, you know, it’s what they call multifactor authentication. So they have these different ways where the systems kind of help you maintain those cyber, you know, keep yourself secure in the Internet and whatever else digitally. Now, the things that you can’t control are things like emails. And attachments, and that’s kind of what I want to focus on a little bit when we’re talking about cyber security, the things that you can control because they come into your inbox or they come in as a folder or file and attachment. And I think that’s where we make a mistake. And a lot of times we missed the mark.
Grace: [00:08:18] Why do I say that? Now, I can tell you I don’t know how many times where you get spam emails, right. Most of us know for the most part that this email is spam. What do you think, Liel?
Liel: [00:08:29] Sure. Absolutely. And on top of that, we also trust in our e-mail platforms to identify some of these potential threatening e-mail and be moved directly to your junk e-mails or to your spam folders. Right. And so, you know, you sometimes don’t even get to see them in your inbox. But that doesn’t necessarily mean that you’re not getting some.
Grace: [00:08:53] Correct.
Grace: [00:08:54] And depending on the actual e-mail system you’re using, you know, as an example, Microsoft Office has specific levels of restrictions that you can put in place settings, policies they call them, that basically, you know, exclude things much higher on the threshold as what they call. Right. They call it a threshold for what they’re allowing into your actual inbox as opposed to what goes into spam. So you can set those thresholds. A lot of the policies already automatically put in place by Microsoft at the enterprise level.
Grace: [00:09:27] But if you have even individual email addresses that you have automatically forwarded to your work email, which happens a lot of times with lawyers, right.
Liel: [00:09:36] Yeah, absolutely.
Grace: [00:09:38] These are things that you have to think about and things that you need to think about every time you open an email. Now, it needs to be basically a simple process that you just it goes automatic in the back of your brain if you receive an email from somebody you were not expecting. And you open it, particularly if there’s a link or an attachment, do not click. Do not open. You first can call that person and ask them, did you send me this? Or if you already anticipating that you were supposed to get an email from that person and there’s an attachment and a link. Well, you’d most likely go ahead and click it. Now this happens a lot. OK, where people get an email with that is actually spoofed from someone they recognize. It used to be that you could say, OK, if you get an e-mail from someone you don’t recognize, don’t click. Well, it’s not as simple as that anymore. You have to look at the from. And if you look at the from email address and it’s the correct email address. OK, that’s your first step in eliminating that as a potential spam or phishing email.
Grace: [00:10:40] OK, now the second thing you need to look at is, was I expecting this email? Was it supposed to have an attachment and was it supposed to have and or was it supposed to have a link? And so when you’re looking at these emails and again, I go back to e-mails because this is the easiest way for them to get in to your system is through an email that you weren’t expecting and you click on. And it can happen on your phone, too, particularly because a lot of us are on Wi-Fi on our phones. That’s another potential way of getting in. And I’ll talk a little bit more about that on the very next section here. But again, back to e-mails on your emails. If you’re not expecting it, you don’t click, you don’t open and you do not go into a link that you’re not expecting, much less an attachment because they can run executable files that will now take over your computer and your entire database and get a hold of all of your information.
Liel: [00:11:31] So that’s the threat, right? Basically, what you’re trying to avoid, because, you know, a lot of people understand the concept of don’t open up e-mails from people you do not know, don’t open files, but they don’t necessarily know what’s at stake. What happens if you actually do? So just to say it in simple words, basically the moment that you open up a file that could actually kind of like deploy software that gets installed in your computer and once it’s installed in your computer, you can actually, obviously the files inside your computer. But if you’re a part of a network, it can also go through that and access even other devices that are part of this network. Is that a fair way of explaining these?
Liel: [00:12:20] Perfectly put. And that’s why I said that at the beginning about auto-forwarding your Gmail emails as an example. A lot of people do that right into their enterprise accounts, right into their work emails. And then you click on it and now you’re in the network. And so is the person that downloaded the virus to your email. So definitely simple terms is perfect. That’s exactly what happens. And I cannot impress upon people enough that, yes, you may be expecting an email from somebody, let’s say. Now, if you weren’t expecting that email and it’s the right email address from and it has an attachment that does not look like it makes sense. It says invoice.PDF and you shouldn’t be getting an invoice from this email address. Don’t open it. Call that person and ask, why did you send me an invoice? They may not know that their email was spoofed or spammed. I actually received one just last week that had an attachment included in the body from a law firm. I knew immediately I was not expecting an invoice, much less an attachment from this law firm. I took that email. I turned it into a PDF and I took the headers out. Again, that’s not something that you guys need to necessarily think about, but it’s something that you can look at or your I.T. department can take the headers out. And I forwarded it to the I.T. department of that law firm. I let the individual know that their email was being spammed or spoofed because I received this email.
Grace: [00:13:48] So they were then able to catch the fact that somebody got into their network again through an email and stop it before it got into the actual databases of information that they had. So these are things that happen every day, particularly right now. Everyone is remote. Everyone is clicking on emails. Everyone’s thinking, oh, I got this e-mail from somebody and they’re just going in and opening it. You have to be extra careful right now. Everyone’s at home. People are due to COVID, everyone’s able to sit there and actually do these what they call hackathons, guys. Like, people will sit in groups and all over the world and try to just hack into people’s computers and databases for fun or for profit or both. So I know it sounds simple, but your email is a very easy way to get into your system. And so just pay attention, you know, think about it before you open an attachment. Is this an attachment that I was expecting? Is it from the right person? And they can even spoof the email address. But make sure you look at the from is the email address look like is the actual one? Or does it say, I’ll give you an example. Grace at four persist dot com. OK. If it says grace at four persist that come to say grace at four persse dot com. Yeah. Does it say Grace at four that go? Yep. Right. Ah, dot com dot and I r i n or dot com dot something else.
Liel: [00:15:23] Right. Absolutely. Subdomains. Right. Very, very important because many times it may look like it’s a legitimate URL that you recognize. But then all of a sudden, it’s attached to a subdomain that, you know, it doesn’t make a lot of sense to you. Right. And so absolutely something that you need to look into.
Grace: [00:15:43] I got a Bank of America email. It looked like the Bank of America domain. It had the logo, the picture and the link and everything when I hovered over the link in the body. OK, and it came from the right email address. I hovered over the link, the link actually displayed. I did not click on it. Mind you, but I hovered so I could see what the full link was supposed to actually be. It was a crazy URL. That didn’t look like anything related to Bank of America. I know Bank of America is not going to send you something that you click on, by the way, your banks, social securities, any of those places will never send you something that you’re supposed to click on in an email. They will try to call you, especially if it’s fraud. But when it comes to clicking, they do not do that. And they don’t want you to do that. So I knew right away this was a fraudulent email, but it looked so legitimate, holding it over the link you’re able to see what the URL is without clicking it. And I could tell this was an embedded link.
Grace: [00:16:43] That’s what they call an embedded link. So there’s one other layer to this. OK. And it’s not so much about the email only it’s about Wi-Fi. Now, Wi-Fi is one of those things that is so easy to hack into because remember, guys, this is data that is basically open to the public, generally speaking, even with a simple password like a Starbucks or something like that. What do you put in? Everybody has the same password. So remember, there’s data that’s going over what is called Wi-Fi, which is the Internet, and it’s data that isn’t necessarily secure. Or if it is, it’s a very basic security, again, because it’s a Wi-Fi that’s available to the public. When that happens, they can steal your information when you’re on Wi-Fi for the moment that you hit send and then it goes off over the Wi-Fi. If somebody is in there at that time, they can scrub the emails, can scrub the information that’s going over that. And why am I mentioning this so hardcore? The reason I’m mentioning this is because when I go into any location and this doesn’t just apply to lawyers. This applies to everybody in the world. When I go into a place and they have one of those square where you can just swipe your card at a tablet or on a device or a cell phone, I make sure that that cell phone, that tablet or device is on cellular data, not Wi-Fi.
Grace: [00:18:13] You have something to say?
Liel: [00:18:14] Yeah, I mean, I’m just agreeing with your thorough process of validation. Yeah.
Grace: [00:18:20] I’m telling you that I know before we talked about this, you were like, is this something that you think? Liel, this is not just something I think about. It’s something that I impress upon my kid, my husband, my family and my mother. Constantly, I tell her, if you see them running your card, you take that phone or tablet and you make sure it’s on cellular data. If it’s on Wi-Fi, you refuse and you tell them, I’m not going to allow you to charge my card on Wi-Fi. You have that right, because it’s not secure. So. These are the small but very big things that you can do that can go. You can help control your own destiny when it comes to cybersecurity. So, yeah, you need to look at those things, right. I mean, now I know most of the people that are listening to this are probably going right in and thinking, OK, oh, man. You know, I’ve done that before or I’ve done this, then I. Oh, my gosh. I’d let them run my card on Wi-Fi.
Grace: [00:19:18] That’s when you may have had some fraudulent charges on your bank account. Right. Or your credit card. That was probably why. So not knowing, unfortunately, is the problem. And everybody having to go home and work remotely.
Grace: [00:19:33] And we’re all on Wi-Fi right now. I know a lot of us are on Wi-Fi, not using necessarily cellular data because we don’t want to use up our data. Right. So but these are small things that you can do to secure yourself, secure your data, secure other people’s data, your clients data, and just basically mitigate the risk that we have, particularly with everyone being online nowadays and with everyone being home and remote. All this data going across needs to be secured.
Liel: [00:20:04] Yeah, Grace. Absolutely. And I want to dig a little bit deeper here, and I’m not too sure if this is something that you can comment on. But how about VPN blockers does that help in any way or another to protect your privacy, to make yourself less likely to be a target. Or…
Grace: [00:20:25] Yes. Just Yes. OK. Of course. Really anything that allows. So VPN is a virtual private network guys. That’s what VPN stands for. That’s the acronym. A virtual private network is essentially a network in the cloud that is private to you. And it’s specific to certain IP addresses. Usually, you know, the actual physical, what I’d say cloud address of your computer or where your brain of the computer lives in the cloud. OK, just to make it as simple as possible. So a virtual private network, any type of layer of security that you add to it. Yes, it should be increased security. It should allow you to have a more secure database and or network without because it’s privatized, right? Now, there are factors that have to be thought of when it comes to those different things. That’s why I kind of went towards the email side of it. A VPN, you can kind of buy one. I think Cisco has VPN. There’s a couple of other ones, right?
Liel: [00:21:23] Yeah, there’s so many. There’s a large market. The market is saturated, so a lot of options there. But of course you want to go for one that is, you know, well known and reputable.
Grace: [00:21:32] Yeah, correct. So that kind of leads to in my opinion, the VPNs and the VPN networks. That has to do with your network. And generally speaking, your I.T. department, if you hopefully have one, is the one that is actually making sure that your security’s in place and that whatever type of way that you’re remoting into your network is secure. And a lot of times they do it through VPN. They might be doing it through what’s called Log Me In or remote desktop, which generally speaking, remote desktop is actually one of the less secure methods of doing it. But that’s why they put VPN in. But yes, a VPN is essentially a private network firewall that only certain people can get into using usernames and passwords and different authentication methods.
Liel: [00:22:20] Grace, listen, this is so relevant and so important right. Grace, I wanted to ask you about one more thing. How about passwords? Right. You know, because that’s another thing. Most of those in order to access the networks or the CRMs or CMSs that we use in order to be connected to the law firm remotely or to our accounts remotely. We’re using passwords. Are there any best practices that we can use in terms of protecting our passwords or making ourselves networks more secure from that standpoint?
Grace: [00:22:55] Yes. Do not use names of dogs, family members, love, hate. There’s actually a list of common passwords that people do. Plus, in addition to that, of course, the middle names, surnames, last names, maiden names. People do a lot of that. And it’s very easy to hack into your password. If you do that constantly and don’t use the same password over and over. I know we all love to do that. I am guilty of it as well. I get it. I know it’s a pain to try and have all these different crazy passwords, but you need it. You have to do that. It’s just too easy nowadays to get into all of your systems, your bank accounts and everything if you use the same password for everything, guys. So, I mean, you need to have and a lot of times, even nowadays, they require you to have rolling passwords. Right? So every 72 days, every 60 days, every two weeks, you have to update your password like you have to. It’s required by the system.
Grace: [00:23:53] So in thinking about it like that way, when it comes to passwords, there are password protection systems out there, you know, different ways of saving all of your passwords in one location for enterprise level or company level. We use something called IT Glue. It’s my glue dot com, our IT Glue. And it’s one location where only admin users have access to all the passwords and everyone else has access to the passwords that they need to have access to at the role that they’re in. So, I mean, there’s tons of plenty of things out there. I mean, there’s apps that will save your passwords in a secure location. But when it comes to passwords, I’m extremely adamant about, you know, not saving it. In a lot of places I actually use and my law people probably will laugh at this, but I use old school method of saving certain passwords that are extremely important to me, meaning like my bank accounts and things like that.
Grace: [00:24:50] I actually write it down in one location and I keep that in one location that only I know where it is and no one else knows where that paper is. It is a piece of paper. It’s one of the it’s funny. I don’t know if as I saw it in a movie or something, but I saw it in there. And the only way to guarantee that they’re not going to get your password digitally is to not put it in the digital world. Yeah, and they had a little piece of paper with their passwords, and that was it. There was no other way to get their passwords, you know. So, yeah, I kind of took that to heart, honestly, and for a very, very and I have like five specific passwords that I have on that piece of paper. That’s it. Myself and I don’t have access to and no one else.
Liel: [00:25:31] Hey, Grace, whatever works and keeps your account safe, right. Yeah, I do just want to mention that whenever you do have the option to opt in for a two-step verification, do it, right. Because honestly, you know, a lot of platforms now have that option and it’s potentially the best way to keep yourself secure that, you know, like they may be able to make their way into your network but from then for them to be able to also get their hands on your mobile device so they can get your text message verification. That may be a harder thing to do. You know, keep that in mind. But also at the same time, particularly now in the way that technology integrates, you should also be mindful of the fact that you can also receive your text messages on your computer and such. And so these are some factors that you may want to have into consideration because it may defeat the security purpose. So just putting it out there. But definitely platforms are taking steps to making their platforms safer and less susceptible to cyber-attacks. So that’s a conversation, Grace, that honestly we could be revisiting every month because there’s always something new, things as you’ve said, you know, hackathons are almost like a sport where every you know, every day there’s new developments. There’s new attacks that are being performed on different companies. And of course, we can never assume that we cannot be a target because by the time it may happen to you, it’s too late. And, you know, as we know very well in this field. A security breach can not only be damaging to the reputation of the law firm, but can also be very costly and it’s obviously something that one would want to avoid.
Liel: [00:27:31] Ok, Grace. So another thing which ties very well to this conversation, right? Is how can you also prevent and protect your Google ads campaigns to be subject to fraud activity? Right, Grace?
Grace: [00:27:49] Yeah.
Liel: [00:27:49] And it’s so important. And it’s one of those conversations that doesn’t get a lot of attention lately because for a very long time it’s been a problem that agencies and Google ads managers, they have not really had control over and they are just like, well, there’s nothing we can do. And so therefore, we’re just going to have to, you know, you know, try to put up with it, maybe try to make some adjustments to prevent it. But that’s really about where it gets. But right now, Grace, in the world in which we live, there is way more opportunities to take proactive steps to prevent your Google ads accounts from being subject to fraudulent activity. So, Grace, let me just start by explaining what do I mean with fraudulent activity and where it can come from? OK. So really, fraudulent activity is anyone, anything that is actually clicking on your ads, right. Your paid ads. And they don’t have any genuine interest in your ad. Right. They’re not clicking on it because they actually are interested in this particular case. Law firms hiring you as a lawyer. Right. Or informing themselves about your law firm. So that is considered a fraudulent click. Now, where can these clicks come from? Well, primarily there’s three different sources that can generate these clicks. Right. The first one and probably the easier to prevent is from netbots. So we already know that up to 40 percent of the traffic in the Internet comes from actual bots who are just designed to navigate through the Internet, clicking on things just for the sake of committing fraud. Right. And so that one can be prevented initially by just blocking a set of IPs that are widely known for being fraudulent associated. Right. So that’s one. Now, there is another one in here. It gets harder to be able to control. Now it’s your competitors, right? So what does it mean, fraudulent clicks from your competitors? Well, it’s very simple.
OK, so if you’re a personal injury attorney located in Los Angeles, some of your high intent keywords might cost about two hundred and fifty dollars. Maybe, Grace. So you’re actually now bidding on keywords. You know your click may cost up to two hundred and fifty dollars. And when you have a competitor of yours who’s actually clicking on your ad with their goal in mind, being that you actually spend your budget so they can get ahead of you and show their ads, better positioned than yours, then that would be click fraud from your competitor. Now, obviously, the way in which they do it, sometimes it’s just very obvious. Right. If somebody sees your ad and clicks on your ad 10 times one after the other. Right. That’s way evident. And there you can count on Google’s algorithm picking up on it and potentially blocking that activity from hitting your account. Or it may hit your account, but then swiftly be removed because Google understands, OK. Something weird is happening here. This is unfair on the advertiser. We’re going to cancel this activity and not let it hit the advertiser. Right. So that’s the kind of help and the kind of policing that Google does to prevent fraud activity. Right. But what happens when the competitor is more subtle? Right. And over a period of 30 days, clicks on your ad 10 times. Right. So 10 times, maybe one day he clicks, then three days pass by. Then they click again. And then another three days pass by and then they click again. Right. And this could be different search terms. They not necessarily always have to be the same ones. But by the end of the month, they’ve clicked 10 times. Your average cost per click is two hundred and fifty dollars. They’ve just taken two thousand five hundred dollars from your budget and thrown it out to the garbage.
And really, the loss is not just the clicks that you lost, but the actual opportunity of being able to show up your ads when other people who genuinely need and are searching for a personal injury attorney, the opportunity of them actually seeing the ad of the law firm. Right. So there is a lot at stake here. So that’s a way that click fraud can happen. And then there is another way that this case could happen, and this is probably the most annoying one also is the click farms, which these are actually users or workers that are actually hired to click on competitor ads, right?
Grace: [00:32:37] Like a hackathon.
Liel: [00:32:39] And they make it look and they make it look like it’s a genuine user. There is a genuine interest. They may even you know, if you have a web form on your landing page or something, they may even submit it. Right. But there’s really no intent. There is no real client or case or query at the other end of the conversion. With that being said, Grace, it’s I mean, going back to where we started the conversation, it’s definitely a challenge that many advertisers are facing. But it shouldn’t be one that cannot be tackled and cannot be solved. Right, and to say that Oh, no, no, no. My ads managers are amazing. You know, I don’t have that issue or so you really don’t know until you don’t start really doing some proper tracking. So Grace, tracking is the solution, but what is it that you track? Well, you need to track basically the IPs of the people who are clicking in your ads. That’s the only way that you can really identify whether there’s been fraudulent activity on your account or not. Now, here’s the thing. You need to keep into consideration Google ads, whether it’s Google ads platform or analytics, they won’t disclose the IPs of users who are actually clicking on your ads, right. Or visiting your Web site, for that matter. They’ll give you other information, but they won’t necessarily give you the IP, but there is third-party software that you can integrate to your accounts and you can actually get this information. And so when you start tracking these, you can actually see search terms and you can see IPs, right? Now, of course, particularly when we’re looking at the most sophisticated click farms and sometimes competitors. These guys are guys that are more experienced and they’re actually masking out maybe by using VPN blockers, maybe by using an IP range, right, not coming always from the same range. But there’s always some indicators that can help you identify and make it evident to you. There’s been fraudulent activity.
So it could be the repetition of extremely relevant search terms. Right. Like “best personal injury attorney near me.” Right. If that gets searched on consistently, like every other day, and clicked on, yet never converts, that’s a big red flag. That means that you’re actually being targeted. So you’re actually wasting your budget rather than actually being able to generate a client through that potential click, right. And so, Grace, it’s very important to be able to trace down every single click, not just to the search term that it came from, which Google lets you see, but also for you to be able to associate it to an IP. And if you see that one particular IP is consistently clicking and not converting. Well, that’s an easy one. That’s it. It’s done. You block it and they’re out of the way. You can set up rules after one time that I get a click from an IP. At that point, I no longer wish to show my ads to that user. Right. As I’ve said, it gets harder than that because at the time they’re not just always using the same IP. They may use a range. Well, you can set up a range. Any users that are coming from this IP range, we don’t want our ads to be seen. Right. So you can upload all of these data to your Google Ads account. So to tell Google, hey, I want to make it very clear that I don’t want users coming from these IP addresses to be able to see my ads, let alone click on them. Right. If they cannot see the ad, obviously they cannot click on it. And so that’s the way that you can take an approach to prevent actually getting fraudulent activity.
Liel: [00:36:19] Now, Grace, this is not a task that you just do one time and you forget about it. This is something that needs to be monitored every single day and you need to make adjustments. Sometimes, Grace, they are so agile that you may want to block some particular keywords that may need to be put on your negative keyword list in order for it to stop showing up, because they’re being just so dynamic that their IPs are changing it. They’re not just on the same range. Now they’re changing completely IPs from one day to another, making it very hard for you to track. And so at that point, you need to assess. Well, you know, what is it worth for us to block a particular keyword, let’s say, for a few days and then see whether the fraudulent activity stops, and you’ll be surprised. Most of the time it does help and it helps a lot, Grace. So there is definitely a lot to do in order to stop this. But it has to be addressed. Now, Grace, there is great software that will help you, as I’ve said, track IP activities on your ads. One of them is ClickGuard. One of them is ClickCease. Right. We’ve used both. We have our own preferences. But in reality, you know, you could go and try them yourself and see what is it that’s gonna be the best fit for your law firm. But you definitely want to work and partner up with agencies that are taking steps to prevent fraudulent activity. Unfortunately, Grace, there’s a lot of unethical competitors out there that will engage in this kind of activity in order to try to get ahead of your law firm and to be able to show to the same users that you’re trying to show your ads.
Liel: [00:38:00] So it’s not something that can be ignored. As much as we would want to live in a perfect world where this was not a threat that we were facing, there are a lot of studies and statistics that indicate, obviously depending on the industry, but out of every four clicks that you get, one of them could be actually a fraudulent click. And so when you think about your budget in Google Ads and if you were to think that up to a quarter of it may potentially be going to fraudulent clicks and now multiply it out over a year. Now we’re talking about a lot of money, which is basically really taken out of your pocket and thrown right into the trash. So it’s unfair and it’s definitely worth taking the steps to do everything that it’s possible to stop that. So Grace, I’m going to link in our episode notes, obviously, these platforms, and I’m also going to be linking an article that we wrote about it that gives a little bit more thorough information. But you do need to understand that just by the information that Google gives you, it may be hard for you to really be able to be efficient at implementing a solution that will really minimize these or eliminate it entirely. All right, Grace.
Liel: [00:39:11] So a lot of tips here on how to keep your Google Ads free of fraudulent activity or minimize fraudulent activity, but also how to keep your entire network secure, Grace. So, Grace, out of everything that you shared with us, what are actionable takeaways that we can recommend for our listeners to implement when it comes down to preventing cybersecurity, keeping their connection safe and keeping their accounts secure?
Grace: [00:39:41] So two things. I’ll have two takeaways and then you do a third for the click fraud. So the first takeaway, I’d say is pay attention to your emails from who they’re from. Are you expecting them? And don’t click on something that you don’t expect. It’s very, very simple on that first one.
Liel: [00:40:02] Yeah. Grace, I couldn’t agree more. And so, Grace, I mean, just for the sake of accountability, we all know how challenging it is to manage teams. Right. So should you have a cybersecurity policy in place with actual steps to be followed and a particular description of activities that need to be avoided in order to ensure that everyone in your team is aware and can be held accountable when things potentially may go wrong?
Grace: [00:40:34] 100 percent. I mean, you need to just pay attention, right? It’s a matter of paying attention and just being careful with your information in general.
Liel: [00:40:45] I have encountered someone who’s managed teams. I have encountered of the things sometimes that you think are they are the most simple and common sense related things that, you know, they will strike you as well. It’s just a matter of common sense, tend to be the ones that many times trigger mistakes and can get you, your company, or a particular team member in trouble. I would 100 percent recommend for people to actually implement a policy that explains very clearly what is expected for them and what steps are they expected for them to take, that would be just what I would suggest.
Grace: [00:41:24] No, you’re right. It’s something that needs to be taught. Train and reinform. Like you said, that is something that we’re going to continue talking about. It needs to be the same conversation with your team. You’re 100 percent right.
Liel: [00:41:37] Great, Grace.
Grace: [00:41:38] So the second takeaway, I’d say is, be careful with Wi-Fi. Public Wi-Fi. Make sure that if you run any transactions, they are not on Wi-Fi. It is on cellular data or hardline of some sort. Because it’s an easy way to get a hold of your information, passwords and other things.
Liel: [00:41:57] Grace, absolutely right. And even, you know, like you’ve mentioned about running transactions, your credit card transactions, like now with apps like Square and other technology that makes it very easy for people to be able to use mobile devices to run transactions. You know, it can make you wonder. Right. So that’s the thing. Now, Grace, the other thing is just, you know, as simple as like if you were going to access your bank accounts or anything like you were going to do it on a public network, try not to.
Grace: [00:42:28] Right. No, not try not to. Do not access your bank accounts. Do not access anything on a public Wi-Fi network that is supposed to be secure because you can and will most likely get hacked at that time. This is what people do. They’ll sit around a Starbucks and hackathon.
Liel: [00:42:47] Yeah. Grace, let me just then give my takeaway about Google Ads fraudulent activity is just something that needs to be talked about. Right? Don’t avoid the topic, ask the questions and ensure that a strategy is being implemented in order to reduce fraudulent activity.
Liel: [00:43:07] Do not think that because you’re seeing results and because you are assigning cases that there may not be some clicks that are going to waste due to fraud. Right. So if you’re an agency owner and you have not yet implemented fraudulent prevention software in your client’s account, do it.
Liel: [00:43:24] And if you’re a law firm who’s working with an agency, ask them about it and see what is it that they’re doing in order to prevent fraudulent activity. Right. Grace, I cannot tell you how much activity we proactively identify and have, obviously, saved our clients from being subject to.
Grace: [00:43:45] What I’m taking from what you’re saying, though, I think it’s important to note, it’s really from all of our conversation here right now, is do security and risk assessments of all of your systems for everything you’re doing, whether it be digital marketing. Right. For click fraud. Just make sure that there’s, you know, do an assessment, check it out, make sure there’s nothing like you said, cost per click isn’t going up insanely. You know, why? Still ask the whys and do security and risk assessments of every system you have.
Liel: [00:44:14] Yeah, absolutely. Absolutely. Ask the questions and set up systems in place. Grace, thank you very much for another great conversation. And we’ll be back next week with another conversation on legal marketing. Have a lovely day ahead of you.
Grace: [00:44:28] You, too, Liel.
Liel: [00:44:29] All right. Thank you. Bye.
Liel: [00:44:36] If you like our show, make sure you subscribe. Tell your co-workers. Leave us a review and send us your questions at email@example.com. We’ll see you next week.