Law firms make tempting targets for cybercriminals – they tend to handle sensitive information and are also well-funded, giving criminals two reasons to strike.
More than three-quarters of law firms in the UK (77%) have been targeted with a phishing attack in the past year, according to PwC’s Annual Law Firms Survey 2022.
The fact that many law firms are still somewhere on the journey towards digitising their services makes them an even more attractive target, since their systems are evolving and changing as they embrace new technology.
Leaders in the legal sector are aware of this risk: in PwC’s research, cyber risk was identified as one of the four top areas of concern that could impact their financial performance. Cyber risk is increasingly important across all sectors.
But the risks legal firms face are changing: here are some of the ways in which phishing attacks are changing in 2023.
Ransomware operations are seen as the most critical threat to the legal sector, according to PwC’s report – with law firms having seen data exposed on leak sites, or facing extortion demands from ransomware gangs in return for not leaking data. Ransomware attacks often begin with a phishing attack, and the number of ransomware gangs is growing, thanks in part to the ‘ransomware-as-a-service’ business model where affiliates pay to launch attacks.
The funds and information held by law firms make them a prime target for ‘spear phishing’, where attacks are personalised and crafted specifically for one target (so, for instance, they might appear to be from a colleague or client). Such tactics have been successfully used to infiltrate large law firms to steal intellectual property, according to the National Cyber Security Centre (NCSC)’s publication, ‘The Cyber Threat to UK Legal Sector’.
Artificial intelligence chatbots such as ChatGPT are already proving highly popular with cybercriminals, with organisations such as DarkTrace already having detected phishing emails created by generative AI. Such bots remove the language barrier for cybercriminals, allowing them to craft attacks (including personalised attacks) in perfect English without spelling errors.
Phishing emails are a familiar part of life for most internet users, but non-email phishing, ranging from voice phishing (vishing) to smishing (SMS phishing), is on the rise, with the number of such attacks rising sevenfold in the second half of last year, according to cybersecurity firm Lookout. For law firms, phishing often forms the first stage of a cyber attack, with phishing techniques used to gather information before threat actors move on to steal data or install ransomware.
The shift to remote working has given cybercriminals more opportunity to aim phishing attacks at law firms, with many high-profile cyber attacks now beginning on machines in employees’ homes. For law firms, this risk is multiplied by the fact that threat actors are also likely to target their suppliers and clients. Legal business leaders need to take a holistic view of the risks they face, and be aware that the blurred boundaries between business and personal devices can pose a risk: mobile phishing affected up to half of users in 2022, according to Lookout.
If you’re thinking of upgrading your cybersecurity, a penetration test is a great place to start: here are five reasons a penetration test could benefit your business.