Law firms can be attractive targets for malicious cyber actors. These firms often hold sensitive client information and handle accounts containing large sums of money. The people who conduct these attacks are frequently based offshore and can use sophisticated techniques to cover their tracks, so the chances of recovering stolen funds or data are often low.
The NCSC has seen a spike in incidents of law firms being targeted by cyber criminals. These incidents can be devastating for those who are impacted. As well as serious losses of sensitive data or funds, the damage to a firm’s reputation and their clients’ confidence in them can be long-lasting.
Law firms vary widely in size from sole practices through to corporates with hundreds of employees, but a common thread is that many of them use an external provider for their IT services. This can sometimes make it challenging to understand or remedy the weak points in their own cyber defences.
Business email compromise
Cyber-attacks on law firms come in many different forms, but one of the most common types is called business email compromise. This is a kind of targeted attack where a bad actor tries to gain access to a firm’s legitimate email account, or uses a lookalike email address that resembles a firm’s real address.
The attacker then uses that email address to trick the firm’s staff, their clients, or other law firms into transferring money or information. For example, an attacker could send a client a fake invoice that lists a bank account controlled by the attacker, hoping the client will be fooled into paying money to the wrong account.
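Lookalike addresses are the part of this attack that a mail gateway or a quick triage script can help with. The following is an added example (Python, not code from the NCSC page) that classifies a From: header value against a firm's own domains, treating confusable characters, embedded brand names and one-character edits as signs of a lookalike. The firm domain, the confusable-character table and every sample sender are constructed for the example.

```python
"""Flag From: addresses whose domain imitates one of the firm's own domains.

Added example, not from the NCSC page. Heuristic triage only: 'lookalike'
means "a person should look at this"; it does not replace SPF/DKIM/DMARC.
"""
import unicodedata
from email.utils import parseaddr

# Single characters attackers swap for visually similar ones (partial, assumed list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s",                                # Cyrillic ј ѕ
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",            # digits
}
# Character pairs that read as one letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of a From: value, with punycode labels decoded."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    domain = addr.rpartition("@")[2].strip().rstrip(".").lower()
    if any(label.startswith("xn--") for label in domain.split(".")):
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable punycode is still compared as-is below
    return domain


def skeleton(domain: str) -> str:
    """Collapse confusable characters so visual lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", domain)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, letter in MULTI_CONFUSABLES.items():
        text = text.replace(pair, letter)
    return text


def classify_sender(header_value: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a From: header value."""
    domain = sender_domain(header_value)
    if not domain:
        return "unrelated"
    trusted = [d.lower() for d in trusted_domains]
    # Exact match, or a genuine subdomain of one of our own domains.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    sk = skeleton(domain)
    brand = sk.split(".")[0]
    for t in trusted:
        tsk = skeleton(t)
        if sk == tsk:                                    # Cyrillic а, srnithlaw
            return "lookalike"
        if tsk in sk or tsk.replace(".", "-") in sk:     # smithlaw.co.nz.evil.com
            return "lookalike"
        if levenshtein(sk, tsk) <= 2:                    # smith-law.co.nz
            return "lookalike"
        if levenshtein(brand, tsk.split(".")[0]) <= 1:   # smithlaw.com
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    firm = ["smithlaw.co.nz"]  # constructed firm domain
    for sample in ["Jane Smith <jane@smithlaw.co.nz>", "jane@srnithlaw.co.nz",
                   "jane@smithlaw.co.nz.attacker-files.com", "alex@gmail.com"]:
        print(f"{sample:45} {classify_sender(sample, firm)}")
```

The thresholds (edit distance 2 on the whole domain, 1 on the first label) are assumptions to tune: on short domains they will flag legitimate neighbours, which is acceptable for a rule that queues a message for human review rather than blocking it.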
In the past, phishing emails were easier to spot because they often contained poor spelling and grammar or unprofessional language. With the rise of artificial intelligence-assisted writing tools, however, phishing emails have become more difficult to distinguish from genuine ones.
Things to do
- Make sure your staff use long, strong and unique passwords for their email accounts, and multi-factor authentication is enabled to protect your critical business systems and information.
- Be very cautious about clicking on links or opening documents from untrusted sources.
- Ensure that all staff are given training on how to identify and report unusual or suspicious emails and instant messages.
- Ask your IT service provider to check that any auto-forwarding rules on your email accounts are set up appropriately, and to look for rules that you did not set up. Attackers who gain access to an account commonly add rules that forward mail to an outside address, or that delete or hide messages, so that the account owner does not notice what is happening.
- Check whether your business email addresses have appeared in data breaches by entering them at the haveibeenpwned website. An address listed there has had its details leaked at least once and is at increased risk of compromise, so change its password and make sure multi-factor authentication is enabled.
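The auto-forwarding check above is one a provider can script rather than eyeball. The following is an added example (Python, not code from the NCSC page) that runs the checks over an exported set of mailbox rules: it flags forwarding to outside domains, rules that forward and then delete or hide the copy, rules that suppress mail about invoices and payments, one-character rule names, and any rule missing from an approved baseline. The export format is an assumption modelled on the property names Exchange Online's Get-InboxRule cmdlet reports, and every mailbox, rule, folder name and keyword list is constructed for the example.

```python
"""Audit exported mailbox rules for the forwarding and hiding patterns used in BEC.

Added example, not from the NCSC page. Export shape is assumed: one record per
mailbox with its ForwardingSmtpAddress and a list of inbox rules using
Get-InboxRule property names (Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords, ...).
"""
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers move mail into so the real owner never sees it (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject/body words a BEC actor filters on to intercept or suppress mail (assumed).
SENSITIVE_WORDS = ("invoice", "payment", "bank", "account", "password",
                   "wire", "transfer", "settlement", "trust")
LEVELS = ("low", "medium", "high")

# Constructed export: one clean mailbox and one compromised accounts mailbox.
EXPORT = [
    {"Mailbox": "j.smith@smithlaw.co.nz", "ForwardingSmtpAddress": None,
     "InboxRules": [
         {"Name": "Client newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
          "FromAddressContainsWords": ["news@lawsociety.org.nz"]}]},
    {"Mailbox": "accounts@smithlaw.co.nz",
     "ForwardingSmtpAddress": "smtp:acc0unts-smithlaw@outlook.com",
     "InboxRules": [
         {"Name": ".", "Enabled": True, "DeleteMessage": True,
          "ForwardTo": ["Accounts Backup [SMTP:acc0unts-smithlaw@outlook.com]"],
          "SubjectContainsWords": ["invoice", "payment", "bank details"]},
         {"Name": "Archive old", "Enabled": True, "MoveToFolder": "RSS Feeds",
          "FromAddressContainsWords": ["@smithlaw.co.nz"]}]},
]
FIRM_DOMAINS = {"smithlaw.co.nz"}
# Baseline of rules the firm knows about: (mailbox, rule name).
APPROVED = {("j.smith@smithlaw.co.nz", "Client newsletters")}


def external_addresses(values, firm_domains):
    """E-mail addresses found in `values` whose domain is not one of the firm's."""
    found = EMAIL_RE.findall(" ".join(str(v) for v in values))
    return sorted({a for a in found if a.rpartition("@")[2].lower() not in firm_domains})


def audit_rule(mailbox, rule, firm_domains, approved):
    """Return (mailbox, rule name, severity, reasons) or None if nothing is wrong."""
    reasons, sev = [], 0
    targets = [t for key in FORWARD_KEYS for t in (rule.get(key) or [])]
    ext = external_addresses(targets, firm_domains)
    if ext:
        reasons.append("forwards or redirects to external address " + ", ".join(ext))
        sev = 2
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    if hides and targets:
        reasons.append("also deletes or hides the forwarded copy")
        sev = 2
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    hits = sorted(w for w in words if any(s in w for s in SENSITIVE_WORDS))
    senders = " ".join(rule.get("FromAddressContainsWords") or [])
    if hides and hits:
        reasons.append("deletes or hides mail mentioning " + ", ".join(hits))
        sev = 2
    elif hides and any("@" + d in senders for d in firm_domains):
        reasons.append("hides mail from the firm's own domain")
        sev = 2
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append("rule name is blank or punctuation only, a common attacker habit")
        sev = max(sev, 1)
    if (mailbox, name) not in approved:
        reasons.append("not on the approved rule list")
        sev = max(sev, 1)
    if not rule.get("Enabled", True):
        reasons.append("currently disabled")
    return (mailbox, name, LEVELS[sev], "; ".join(reasons)) if reasons else None


def audit_export(export, firm_domains, approved):
    """Run every mailbox in the export through the checks above."""
    firm = {d.lower() for d in firm_domains}
    findings = []
    for record in export:
        mailbox = record["Mailbox"].lower()
        forward = record.get("ForwardingSmtpAddress") or record.get("ForwardingAddress")
        ext = external_addresses([forward], firm) if forward else []
        if ext:
            findings.append((mailbox, "<mailbox forwarding>", "high",
                             "mailbox-level forwarding to " + ext[0]))
        for rule in record.get("InboxRules") or []:
            finding = audit_rule(mailbox, rule, firm, approved)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for mailbox, name, severity, why in audit_export(EXPORT, FIRM_DOMAINS, APPROVED):
        print(f"[{severity.upper():6}] {mailbox} rule {name!r}: {why}")
```

Run against a real export, the approved baseline is the important input: a rule the firm cannot account for is worth a question even when it forwards nowhere, because attackers also use rules purely to delete the bounce and reply messages that would reveal the compromise.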
Things to do
- Ask your staff to limit how much information about them is viewable by the public on social networks, and to be careful about sharing any personal information.
- Treat messages from unknown phone numbers with caution.
- Be careful about accepting friend or connection requests from strangers who have no common connections. Before you accept, think about whether you know the person or have any reason to connect with them.
- Don’t click on links from people you don’t know or trust.
- Treat unsolicited employment offers from unknown sources, especially those offering extremely generous pay and working conditions, as probably too good to be true.
- To prevent your accounts being compromised, use long, strong and unique passwords for them and enable multi-factor authentication.
Staff who use social networking sites such as LinkedIn may reveal a lot of information about their professional lives and interests to the public. Bad actors can use this information to construct detailed profiles of your staff, the organisational hierarchy at your firm, and your staff’s connections to other people and companies.
This kind of information can help attackers to create phishing emails or tailored messages that can look very convincing at first glance. Here’s a step-by-step example of how a criminal could use this information for malicious purposes: