Law firms are increasingly becoming victims of cyber-attacks. Recent reports have shown an increase in cyber-attacks on law firms in the US, with over 100 law firms across 17 states being affected in 2022 alone. These attacks mainly rely on phishing exploits, which allow the attackers to gain access to the law firms’ systems. The latest ransomware attack on US-based law firm BC Attorney by the ALPHV ransomware group was executed through phishing exploits and resulted in the group obtaining 390 GB of sensitive data, such as employee personal information and financial reports.
This trend has raised concerns for law firms’ cybersecurity practices and the need for more investment in cybersecurity to prevent law firms from becoming easy targets for cyber-criminals. According to a report by the US-based IT services company Protected Harbor, small and medium-sized law firms are particularly vulnerable to attacks due to their limited focus on cybersecurity. Larger law firms also face challenges keeping up with evolving technology and creating effective cybersecurity strategies.
To mitigate these risks, Richard Luna, CEO of Protected Harbor, recommends that law firms seek the support of managed IT service providers (MSPs) who stay up-to-date on the latest cybersecurity threats and can design systems with reduced vulnerability. Law firms also need to implement comprehensive training and education programs on identifying phishing and fraud attempts, to all employees, including partners. They should also consider regularly upgrading their software, implementing spam and virus scanning filters, and maintaining separate backup systems for critical data and client files.
Another notable concern for law firms is the rising cases of impersonation scams and multi-levelled phishing scams. These scams involve the use of official-looking emails with logos and letterheads of major multinational law firms to deceive recipients into approving payments. This was the case with the Crimson Kingsnake threat group, which used BEC attacks to impersonate well-known international law firms to deceive recipients into approving overdue invoice payments. The rise of BEC-induced losses has led to huge financial losses, with the FBI reporting that $43 billion was lost in 2019 alone. Recent IC3 data has also shown that a total of $2.4 billion was lost to BEC scams in 2021 alone, affecting a staggering number of 19,954 entities.
The urgency of enhanced cybersecurity measures in the legal industry cannot be overemphasized, as failure to invest in cybersecurity exposes sensitive client data and jeopardizes the firm’s reputation. Law firms and cybersecurity practices must be proactive, ever-evolving, and engaging. By continuously educating employees and seeking support from MSPs, law firms can protect sensitive data, mitigate risks, and maintain their professional reputation in an increasingly digital world. Potential clients should also ask their attorneys how they protect data when choosing firms to work with, and if they don’t have a good answer, clients should find another firm to work with.