Cybersecurity Warning – protect yourself and your business
There has been a growing risk of cyberattacks in the legal industry. Cyber criminals are pretending to be solicitors, law firms and even members of the Solicitors Regulation Authority (the SRA), creating fake websites, emails and telephone calls to deceive people and businesses into transferring funds to them or to steal data.
The SRA reported in 2020 that 75% of the solicitors they visited had experienced a cyber-attack in the past and in 2021 they reported that 18 law firms were victims of ransomware attacks. The National Cyber Security Centre (NCSC) has recently issued a report highlighting that law firms are particularly susceptible to cyber-attacks for various reasons including:
- Sensitive information – Law firms routinely handle highly sensitive client information which may be valuable to criminals who want to gain a competitive advantage and/or the upper hand in transactions or litigation proceedings.
- Large funds management – Law firms handle significant funds and are often under time pressure, which creates an attractive environment for business e-mail interception. For example, cyber criminals often pose as solicitors, e-mailing clients using a 'lookalike' email address and telling them the law firm's bank details have suddenly changed, in order to fraudulently receive monies.
Cyber criminals, however, are also targeting the clients of law firms by exploiting weaknesses in clients' systems and deceiving their people, so it is important for individuals and businesses alike to take steps to protect themselves from cyber-attacks. It could be as simple as double checking the email address of a sender or recipient, or calling your solicitor to check the bank details to be used for a transaction before transferring funds.
We have summarised recommended steps from the NCSC that may assist with mitigating risks of cyber-attacks:
- Spread awareness – ensure all staff are aware of cybersecurity risks that law firms in particular are facing, and that they receive regular training on identifying a scam and your business's internal incident response plan.
- Reduce your digital footprint – cyber-attackers use publicly available information about your organisation and staff to make their phishing messages more convincing. For this reason, it is important to limit the information shared online by employees and suppliers. The NCSC has a useful guide designed to help organisations with this.
- Improve cybersecurity systems – this can include using an administrator account and employing a two-step (two-factor) authentication system on important accounts such as email to improve overall cybersecurity.
- Identify scam e-mails – watch out for scam e-mails, which usually contain the following features: (1) the sender appears to be a person of authority; (2) they give you a limited time to respond; (3) they use emotive language; and (4) the email refers to a current event to make the scam seem relevant to you.
- Reporting suspicion – if you or your employees still have suspicions about a message, contact your solicitor directly to confirm that the message is genuine and came from the law firm in question.
Please do not hesitate to contact us if you have any questions or further enquiries on how to best protect your business and people. Our dedicated cyber and data protection team are available to discuss your cyber protection and live issues. Please contact Charlotte Clayson or Helen Briant.