More than 90% of all cyber attacks begin with phishing (CISA, 2024). Phishing is a deceptive practice where cyber criminals pretend to be trustworthy entities to trick individuals, primarily clients, into revealing sensitive information, such as passwords or credit card numbers, often through misleading emails or messages. Your clients might receive an email seemingly from you, their solicitor, asking them to provide personal details or make a payment to a new account for legal fees, when in reality, the request is from a scammer imitating your solicitor’s communication.

A client might fall for such a trick because the email appears to come from a trusted source, their solicitor, complete with similar email address, logo, and language style. Additionally, the request seems plausible within the context of their ongoing legal matters, exploiting their trust and urgency to respond to their solicitor’s needs. Astonishingly, 83% of UK businesses that faced a cyber attack in 2022 have stated that the entry point of the attack was a phishing email.

Despite these threats, email is still by far the most common channel of communication for private client law firms, with 90% of client respondents, defined as a client who has used private client legal services within the last three years (in Legado’s private client experience research report) stating they had received communications via email. This alarming reliance on email, coupled with the sophistication of phishing attacks, underscores the critical need for law firms to bolster their communications security to protect both their clients and their own reputations.

The Financial Toll

In common with many other industries, the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust. These costs can be multifaceted and significant, harming the firm in a number of ways. The following are examples of areas where a firm was impacted:

  1. Client Fund Theft: The SRA reports that over £11 million of client money was stolen due to cyber crime in 2016. Phishing attacks may lead to unauthorised access to law firm or client bank accounts, resulting in direct financial loss.  
  2. Ransomware Payments: It was estimated during 2021 that ransomware attacks occurred every 11 seconds globally at a cost of £16 billion for that year (WTW). It is anticipated that the cost is now much higher. The rise in ransomware attacks on the legal profession last year prompted the ICO and the NCSC to write a joint letter warning law firms against paying ransom demands and advising their clients against doing so (Law Society)
  3. Regulatory Fines and Legal Fees: The Solicitors Regulation Authority (SRA) expects its regulated sector to be vigilant to the threat of cybercrime. The legal profession has a duty to keep client information confidential. and safeguard clients’ monies and assets entrusted in them. If client monies are lost as a result of a cyber security incident this is a breach of the SRA Accounts Rules (SRA).
  4. Remediation and Recovery Costs: Following a breach, firms must invest in forensic investigations to understand the breach’s scope, strengthen security measures, and recover compromised data, incurring significant expenses. In an adjacent industry, a cyberattack on Capita, one of the UK’s biggest outsourcing businesses, will cost the company up to £20 million to resolve the fallout and shore up its technological defences (The Times).
  5. Increases Insurance Premiums: 65% of law firms have been a victim of a cyber incident, but despite the need to protect themselves, 35% of firms still do not have a cyber mitigation plan in place (Law Society). Swiss Re recently reported that the value of global cyber insurance premiums will almost quadruple in five years, to over $37.5bn. (Law Society)
  6. Loss of Billable Hours: The disruption caused by a phishing attack, including system downtime and the time spent in response efforts, can significantly reduce billable hours, impacting revenue.

Reputational Damage: Beyond the Pounds and Pence

For UK law firms, where trust is paramount, the reputational damage from a phishing attack can be severe and enduring. A breach not only compromises client confidentiality but also undermines the firm’s credibility. For example, a notable case involved a small-two partner law firm in County Durham, which was reprimanded by the ICO over a cyber attack on its system where fraudsters accessed funds on a probate matter (Legal Compliance Services).

Another example came in the form of payment diversion requests. A recent example claimed to be from Maurice Muchinda of Shoosmiths LLP. The emails, sent from “maurice.muchinda@shoosmithes.co.uk” to clients of the firm asked for payments to be sent to an unknown third party account and included the details of how to send the money. Maurice Muchinda is indeed a regulated employee of Shoosmiths LLP. The only difference here is that the nefarious emails have been sent from “shoosmithes.co.uk” rather than “shoosmiths.co.uk”, adding an extra “e” in the false domain and hoping the client would not notice. The SRA believes the client’s computer may have been compromised, the malicious actor then intercepted the conversation between the two parties and attempted to extract funds from the client. (Phishing Tackle).

Such incidents can tarnish a firm’s reputation, affecting client retention and the ability to attract new business. The legal sector’s competitive nature means that any perceived weakness, especially in data security, can drive clients to competitors. Internally, a breach can create a culture of mistrust, impacting staff morale and productivity. This is critical in an industry where the competition for talent is fierce, and a firm’s reputation can significantly influence its attractiveness to potential employees. The reputational impact of a phishing scam on a law firm is multifaceted, affecting client relationships, market standing, internal culture, and professional partnerships. The path to restoring a tarnished reputation is complex, highlighting the critical need for robust security measures.

Strengthening Defenses: Best Practices

There are many resources available to ensure that you, your firm and your clients can at the very least mitigate the threat of cybercrime. Cyber security risk should form part of a business’ operational resilience strategy; in turn this will help firms identify, understand, and manage any cyber related vulnerabilities to their businesses.

Education and awareness of cyber security risk is of paramount importance as staff are often viewed by threat actors as a path of least resistance and an easy route in. Training must be tailored accordingly so that it is relevant to individual teams or staff members, depending on their role or level of seniority within the business, and also on the access privileges and types or sensitivity of data they are processing.

Secure systems must also be introduced to reduce the threat of a cyber incident, particularly in any client-facing exchanges. The use of an end-to-end encrypted messaging system can reduce the threat of a phishing attack by up to 90% (Fortinet). The dichotomy of security and user experience remains a hot topic, with long, complex passwords, multiple authentication factors, and frequent sign-ins all contributing to friction in the user journey. Yet, compromising security in the pursuit of seamless UX can expose systems to vulnerabilities, unauthorised access, and data breaches.

Modern technology offers a compromise, with a UX which is intuitive and security which is robust, whilst also providing additional value and insights to clients and law firms. Law firms that fail to embrace modern cybersecurity measures are not merely risking breaches; they’re setting themselves up for inevitable failure in a digital-first legal landscape.

Sources

  • https://www.wtwco.com/en-gb/insights/2023/12/cyber-security-threats-facing-the-legal-profession#footnote-ref-6