Veracity Blog

Phishing attacks: Defending your legal organisation

Phishing attacks: Defending your legal organisation

Phishing affects everyone but the Legal Sector is more attractive for cyber criminals due to the nature of the business, indeed the 32nd annual PwC Annual Law Firms’ Survey 2023 revealed that 85 per cent of the UK’s Top 100 firms are extremely, or somewhat, concerned about cyber threats. 

Reputation is critical to the business of law, which makes legal practices attractive targets for extortion. The Legal Sector is additionally more vulnerable because of the amount of highly sensitive information businesses carry, as well as the large volumes of money they can be dealing with. This makes organisations in the sector especially targeted by phishing attacks. 

What is phishing? 

We’ve all heard of phishing, and many of us will have received a spam email or some dodgy text message asking us to click on a link to resolve a non-existent issue. 

It usually involves criminals using scam emails, text messages or phone calls to trick their victims. Vishing is similar, but uses voice or video calls, often using Generative AI to simulate a trusted contact. 

The primary threat to the UK legal sector stems from cyber criminals with a financial motive. However, there are also potential threats from Nation States conducting cyber activities to further their own agendas or to disrupt professionals working on issues the state disagrees with, such as human rights or those wanting regime change. 

A recent publication from the UK’s National Cyber Security Centre (NCSC) – Cyber Threat Report: UK Legal Sector – focused specifically on current cyber security threats, and the extent to which the legal sector is being targeted. 

The NCSC is “increasingly seeing ‘hackers-for-hire’ who earn money through commissions to carry out malicious cyber activities for third party clients, often involving the theft of information to gain the upper hand in business dealings or legal disputes,” according to Bloomberg in a 2023 report on the subject.

Risk factors for legal firms 

Legal firms are increasingly vulnerable due to the widespread adoption of hybrid working – accelerated during the COVID-19 pandemic – and the increasing sophistication of cyber-attacks. 

Cyber threats apply to law practices of all sizes and types of work, from sole practitioners, high street and mid-size firms to barristers’ chambers, in-house legal departments and international corporate firms. 

The Solicitors’ Regulation Authority (SRA) reported in June 2022 that 75% of the solicitors’ firms they visited for their cyber security thematic review had been the target of a cyber-attack in the past. 

More than 80 percent of all the cybercrime reports received by the SRA in 2021 involved email. It is very likely that many others, such as cases where firms were not certain how their systems had been compromised, had begun with a phishing email. 

There were 18 ransomware attacks reported, a smaller number than the phishing attacks but potentially more damaging as it involves client data.  

Key types of threat 

The most significant threats fall into three broad groups: 

Phishing and email modification frauds – making up half of all the cybercrime reports. 

  • Although conveyancing remains a frequent target, due to the large funds involved, criminals are broadening their attacks to other fields as well; 
  • Other sectors have been attacked using voice impersonation systems to copy a target. 

Ransomware – which is increasingly being used to steal information with threats following to release it. 

  • It can lock firms out of their own systems; 
  • The loss of system access due to file encryption can seriously affect any firm, but especially those that are fully remote; 
  • Criminals have accessed sensitive client information, and it is likely that this will become the main type of ransomware attacks. 

Attacks on third parties and providers – which have spread to solicitors’ firms, is also increasing. 

  • This has included compromises at an IT service provider and a barristers’ chambers, both of which spread to multiple solicitors’ firms. 

What can the legal sector do to mitigate threat? 

Firms most at risk are those with cultures that do not encourage staff to acknowledge problems. If people are under stress or distracted, they’re more vulnerable to falling for a phishing scam or to click on a malicious attachment. 

A phishing attack is more likely to succeed if it appears credible: if it uses the tone of language that the recipient of the phishing contact expects, if it contains up to date and relevant information, and if it makes sense to the recipient.  

One of the best sources of data available to attackers for this information is your website. Scammers and criminal organisations can data mine your website, along with information from social and business networking sites, to launch targeted attacks. 

They use bots to monitor law firm websites and ensure they have up-to-date information and profiles on who works for the firm, as well as tracking what cases they are involved with or which third party clients and other firms they may be working for. 

This information can then be used to create creditable phishing emails which appear genuine and can be difficult to defend against, which is why a multi-layered approach is key. 

NCSC advice is to build your defences based on the following four principles: 

  1. Make it difficult for attackers to reach your users; 
  1. Help users identify and report suspected phishing emails; 
  1. Protect your organisation from the effects of undetected phishing emails; 
  1. Respond quickly to incidents. 

Some of the suggested mitigations may not be feasible within the context of your organisation. If you can’t implement all of them, try to address at least some of the mitigations from within each of the layers.  

Protecting your website from malicious bots is challenging. It requires a specialist skillset from a specialist cybersecurity partner, such as Veracity Trust Network. 

Veracity’s Web Threat Protection works alongside your existing security stack and keeps your organisation safe, as well as reducing wasted spend, improving customer experience and giving you accurate data in which to grow your business. 

It stacks seamlessly with your DDoS and WAF solutions because it’s an essential, specialised answer to malicious bot activity. Not an add-on. Not an afterthought. 

Start protecting your website and ad spend from bot attacks by booking a call now: 

Phishing protection for the legal sector:  

, , , , , , , , , , , , ,

Award-winning malicious bot protection.

Cyber Award Winner 2021

AI-Enabled Data Solution of the Year – DataIQ Awards 2023 Finalist

Tech Innovation of the Year Winner – Leeds Digital Festival Awards

Cyber Security Company of the Year – UK Business Tech Awards 2023 Finalist

Tech Leader of the Year – Tech Awards 2023 Finalist

Best Use of AI – Tech Awards 2023 Highly Commended