Law Firms are an “Obvious Target” for Cyber Criminals

Cyber security is an increasingly widespread issue. Law firms are often an attractive target for criminals, not just because they hold large sums of money, but also because they hold client information.


Cybercrimes and scams include:


  • Malware – harmful software including viruses, programs that allow access to data, and ‘ransomware’ programs that encrypt files and demand a ransom in return for a decryption key;
  • Phishing and Vishing – where a criminal uses email or telephone to obtain confidential information such as a password through building a personal relationship with a solicitor or law firm employee;
  • Email modification – using details gained from hacking or social engineering to modify emails and redirect money due from a client, bank or supplier; and
  • CEO fraud – where a criminal impersonates a senior figure at a law firm through hacking their email address or purchasing a very similar email address, in order to impose authority and order money transfers.


99 cases of cybercrime were reported to the Solicitors Regulation Authority (“SRA”) between December 2015 and 2016. Email modification was by far the most reported scam, making up three quarters of the cybercrimes experienced by firms. Half of the reports were email modification frauds against conveyancing proceeds, with 75% relating to “Friday afternoon fraud.”


The SRA recently held a roundtable bringing together a number of leading agencies and experts from a range of sectors to discuss the risks that cybercrime presents to law firms and how they can protect themselves and their clients.


One of the themes emerging from the roundtable discussions was that cyber security is too often considered to be just an IT risk. It is a business risk that requires engagement and ownership at board level. Additionally, it was agreed that people and processes are as crucial as technology. Staff need to know what to do if, for example, a client emails them with a change of bank account details. Further, the use of unsupported software increases an organisation’s vulnerability to cybercrime.


What can help to protect client information and money?


Firms can take reasonable, affordable steps against cybercrime such as:


  • Implementing rigorous, unambiguous procedures such as verifying emailed requests to change bank details by telephoning the client on a previously known number;
  • Keeping systems up to date, in particular browsers and anti-virus programs, to mitigate the risk of malware or hacking, and only using supported software;
  • Training staff to recognise common scams, unsolicited emails and fraudulent attempts to access information; and
  • Informing the SRA of failed attempts to compromise accounts or information, so that it is aware of them and can keep track of trends and provide the best advice.

Paul Philip, SRA Chief Executive, said: “We all benefit from information technology, but that means we are all vulnerable to cyber security risks. These risks evolve rapidly. Whether it is money or sensitive client information, law firms are an obvious target. It is the job of firms to take steps to protect themselves and their clients, but we want to help.”


If you have any questions or would like to discuss cyber security with us in more detail, please contact Karen Hain or call on 01772 821021 to be put in contact with a member of our Professional Practices team.


This article originally appeared on the blog of MHA member firm, Broomfield & Alexander.