Law firms’ “shocking” vulnerability to cyber criminals

Gee: Cyber-criminals need only a sliver of vulnerability

The vast majority of major law firms still have significant unaddressed cyber-risk, despite repeated urging by regulators, insurers and others to shore up their defences, according to new research.

It found larger law firms especially prone to hackers taking over their website addresses to perpetrate spoofing scams, employing vulnerable servers, and using out-of-date software or invalid security certificates.

The study was conducted by tax, advisory and risk firm Crowe, in conjunction with the University of Portsmouth’s Centre for Counter Fraud Studies.

It is just the latest warning of law firms being targeted by criminals; the Solicitors Regulation Authority revealed a fortnight ago that its study of 40 law firms which suffered a cyber-attack over the past three years found that more than £4m of client money was stolen from 23 of them.

Using KYND’s anti-cyber attack technology, the researchers examined the cyber-exposure of some 200 firms, chosen for their high turnover.

Overall more than 90% of them (182 firms) were found to be “wide open to having their domains spoofed and used to send spam, phishing or otherwise fraudulent emails either internally or externally”.

Every single firm with a turnover between £1m and £10m was at risk of their website addresses being spoofed.

Further, around eight out of ten of the 200 firms were running services publicly known to be vulnerable to hackers and a similar number had at least one domain registered to a personal or individual email address, which the research said represented “a significant threat to business continuity and domain ownership”.

The research said firms could reduce the risk of email spoofing by creating a Sender Policy Framework (SPF) record and a domain record to closely monitor emails being sent on behalf of the firm. These reports could alert recipients to illegitimate emails.

Out-of-date software could be identified through a register of all software used by the firm. A similar review procedure could be used to keep watch on the expiry dates of security certificates – which browsers use to create secure communications channels.
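The two controls just described, an SPF record plus a domain record that reports on mail sent in the firm's name, and a register that tracks certificate expiry, can both be checked without any special tooling. The script below is an added example, not code from the article or from Crowe, KYND or the University of Portsmouth; it assumes the "domain record" the research refers to is a DMARC record, evaluates constructed sample DNS TXT records offline, and reads certificate expiry dates in the format Python's ssl module returns them. Domain names, records and certificate dates are all constructed.

```python
"""Offline posture check for two of the controls the research recommends:
SPF/DMARC records against email spoofing, and a certificate-expiry register.
Added example, not the article's or the researchers' code. The "domain record"
alongside SPF is assumed here to be DMARC."""
import re
import ssl
import time
from typing import Dict, List, Optional, Tuple

# Terms that cost a DNS lookup under RFC 7208 (limit of 10 per record).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF TXT record into its mechanisms and the qualifier on 'all'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means '+all'
    return {"mechanisms": terms[1:], "all": all_qualifier}


def assess_spf(record: Optional[str]) -> Tuple[List[str], bool]:
    """Return (findings, enforcing). Enforcing means unlisted senders fail or softfail."""
    if record is None:
        return ["no SPF record: any server may send mail as this domain"], False
    try:
        spf = parse_spf(record)
    except ValueError as exc:
        return [f"SPF: {exc}"], False
    findings, qualifier = [], spf["all"]
    if qualifier is None or qualifier == "?":
        findings.append("SPF gives unlisted senders a neutral result (missing or ?all)")
    elif qualifier == "+":
        findings.append("SPF ends in +all: every sender passes")
    lookups = sum(1 for t in spf["mechanisms"] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates as permerror")
    return findings, qualifier in ("-", "~") and lookups <= 10


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, keys lower-cased."""
    tags: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[List[str], bool]:
    """Return (findings, enforcing). Enforcing means quarantine/reject on 100% of failures."""
    if record is None:
        return ["no DMARC record: receivers are not told to block spoofed mail and send no reports"], False
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"DMARC: {exc}"], False
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: aggregate reports have nowhere to go")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    return findings, policy in ("quarantine", "reject") and pct == 100


def assess_domain(spf_record: Optional[str], dmarc_record: Optional[str]) -> Dict[str, object]:
    """A domain counts as spoofable unless both SPF and DMARC are enforcing."""
    spf_findings, spf_ok = assess_spf(spf_record)
    dmarc_findings, dmarc_ok = assess_dmarc(dmarc_record)
    return {"findings": spf_findings + dmarc_findings, "spoofable": not (spf_ok and dmarc_ok)}


def certificate_expiry_findings(register, now: Optional[float] = None, warn_days: int = 30):
    """Flag register entries (name, notAfter as ssl.getpeercert() formats it) that
    have expired or expire within warn_days. Returns (name, status, days_left)."""
    now = time.time() if now is None else now
    out = []
    for name, not_after in register:
        days_left = round((ssl.cert_time_to_seconds(not_after) - now) / 86400)
        if days_left < 0:
            out.append((name, "expired", days_left))
        elif days_left <= warn_days:
            out.append((name, "expiring", days_left))
    return out


# Constructed sample data (hypothetical domains, records and dates).
SAMPLE_RECORDS = {
    "weak-firm.example": {"spf": "v=spf1 include:_spf.example.net ?all", "dmarc": "v=DMARC1; p=none"},
    "hardened-firm.example": {"spf": "v=spf1 include:_spf.example.net mx -all",
                              "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened-firm.example"},
    "no-records.example": {"spf": None, "dmarc": None},
}
SAMPLE_CERTIFICATE_REGISTER = [
    ("www.firm.example", "Jun 15 00:00:00 2025 GMT"),
    ("portal.firm.example", "May 20 00:00:00 2025 GMT"),
    ("mail.firm.example", "Dec 31 00:00:00 2025 GMT"),
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clock for the sample

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        result = assess_domain(recs["spf"], recs["dmarc"])
        print(domain, "SPOOFABLE" if result["spoofable"] else "protected")
        for finding in result["findings"]:
            print("  -", finding)
    for name, status, days in certificate_expiry_findings(SAMPLE_CERTIFICATE_REGISTER, now=SAMPLE_NOW):
        print(f"{name}: {status} ({days:+d} days)")
```

To run it against real domains, replace the sample records with the TXT records for the firm's domain and its `_dmarc.` subdomain, and feed the certificate register from the `notAfter` field of each server's certificate; the script deliberately does no network access itself so the checks can be reviewed and unit-tested offline.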

Domain names should be registered with generic firm email addresses rather than an individual's. Two-factor authentication, such as a code texted to a mobile phone, should be used when offered by domain registrars.

However, there was no substitute for independent verification of a firm’s security posture, which should be obtained from outside experts “irrespective of the technical capacity of a law firm’s IT team”, the study advised.

Jim Gee, partner and head of Crowe’s forensics and counter fraud services, said: “It is clear that there is an epidemic of fraud and cybercrime in the UK, and this research proves that law firms are, perhaps surprisingly, still seriously exposed.

“For an industry that is so closely associated with diligence and detail, the results are likely to come as a shock.

“Firms would do well to review their resilience. Cyber-criminals need only a sliver of vulnerability to fraudulently gain access to valuable and sensitive data; are the UK’s law firms leaving the door open?”

His colleague Louis Baker, partner and head of professional practices, noted that the top 200 law firms were likely to have substantial budgets to build cyber resilience.

“Therefore, the likelihood of smaller firms not included in this study being vulnerable to unaddressed threats is significant and should be seriously considered by their management.

“Irrespective of size or location, law firms attract cyber-criminals due to the large amounts of client money, data and sensitive information they hold.”

Readers Comments

Stephen Mason says:

We did warn law firms in chapter 10, written by Stephen Mason, Charles Christian and Rupert Kendrick in ‘Internet Marketing Strategies for Law Firms’ edited by Nicola Webb, published in 2003 by the Law Society.

