Exploiting Trust: Unmasking Social Engineering Attacks in The Legal Sector

Social Engineering Attacks in The Legal Sector - Threat Exposure Management

The Law Society reports that cyber attacks on law firms saw a 77% increase in 2024*, with social engineering-based targeting such as phishing becoming an increasingly common attack vector for cyber criminals.

Following the onset of the global pandemic in 2020, the SRA (The Solicitors Regulation Authority) produced a thematic review on cyber security in the legal sector which highlighted the vulnerability of the sector as a result of the large amounts of money handled between firms, their clients, and other third parties. Out of the 40 law firms they visited, 30 reported having been targets of a cyber-attack – demonstrating how attractive the UK legal sector is to cyber criminals.

Why is The Legal Sector a Particular Target for Cyber Crime?

The main reason cyber criminals identify law firms as high-value targets is the potential information or financial gain they can expect from a successful breach:

Sensitive Data - Law firms routinely handle highly sensitive client data, often relating to ongoing criminal cases or mergers and acquisitions – all of which can be particularly lucrative findings for criminal organisations intent on exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.

Handling of Significant Funds - From mergers and acquisitions to conveyancing, legal practices often find themselves handling significant funds related to ongoing cases. The time pressures associated with transactions, alongside the often-large chain of suppliers, clients and complex payrolls being managed, create attractive conditions for criminals to launch convincing social engineering attacks such as phishing and business email compromise.


The other key element contributing to the intense targeting of legal firms is the overall vulnerability of the sector. Perhaps unsurprisingly, cyber criminals find the most value in victims and sectors where the rewards are high and the barriers to entry are low – business 101, it could be argued…

Lack of Dedicated Cyber Security Investment - Far too many firms operating within the legal sector - whether large corporate organisations, small to medium-sized firms, chambers or even individual practitioners – rely on an external IT service provider to support their cyber security efforts alongside various other IT support. The lack of dedicated cyber security monitoring and expertise leaves firms vulnerable to attack and reduces the opportunity for organisations in the sector to effectively assess their cyber security standing and prepare for potential cyber risks.

Your IT provider will not provide the same resource or expertise as a dedicated cyber security partner.

Not Enough Cyber Awareness & Staff Training - A common weak point for organisations in many sectors, lack of staff training and awareness is just as big an issue within the legal sector. Many firms are failing to keep cyber awareness high on the employee training and development agenda, opening up a whole range of insider vulnerabilities that could lend themselves to breach attempts from cyber criminals preying on unsuspecting employees. In fact, we know that human error is a major contributing cause in around 95% of cyber breaches***, and thus education and awareness is a key element of prevention for all firms.

The Most Common Attack Vectors in The Legal Sector: Social Engineering

Social engineering refers to human-centric, deceptive attacks that aim to manipulate unsuspecting victims into revealing confidential information, facilitating unauthorised access to systems or databases and even transferring financial sums.

The most common and well-known form of social engineering is phishing emails, with variations such as smishing (SMS-phishing) and vishing (voice/call-based) – other common forms of social engineering include impersonation attempts and BEC (business email compromise). These attacks manipulate familiarity or trust to establish a connection with the victim before exploiting a weakness or manipulating the victim into taking a specific action e.g. clicking a malicious link, revealing personal details or transferring money.

Phishing - The most common form of social engineering. Criminals will use scam emails, texts or phone calls to manipulate and trick victims. These emails can easily blend in amongst the huge number of benign emails that busy users receive on a daily basis. Criminals can send millions of phishing emails at once, significantly increasing the odds of a successful breach.

Many law firm websites contain a vast amount of information and contact data for senior staff, partners and associates, which criminals can use to launch more targeted email phishing campaigns.

BEC (Business Email Compromise) - A more targeted progression of general phishing, BEC attacks are often conducted with a particular senior employee or budget holder in mind. These impersonation emails aim to trick the target into providing detailed sensitive information or transferring funds, and are often harder to detect.

BEC attacks will often use one of two methods when launching an email – either the criminal has gained access to a legitimate email of the individual they are impersonating, or they will simply create a ‘lookalike’ email address that closely resembles that of the real-life counterpart they are trying to impersonate. Through either method, they will reach out to unsuspecting staff members and request access to data or funds.

Are AI advancements spearheading the increase in social engineering?

With AI models becoming increasingly sophisticated, cyber criminals are combining tried-and-tested techniques with cutting-edge sociological research and harnessing these advancements in AI to compose even more compelling scam scenarios, including the potential use of AI-generated audio and video to create even more convincing scams.

AI models can also alert cyber criminals to new, effective techniques being used across the cyber threat landscape, with almost no lead time between a new technique being developed and it being implemented by the AI models.

How Can Law Firms Defend Against Social Engineering Attacks?

Phishing Prevention

The NCSC has specific, multi-layered guidance on how organisations should defend against phishing:

1. Make it difficult for attackers to reach your users - This can be achieved by employing the anti-spoofing controls SPF, DKIM & DMARC***

a. Sender Policy Framework (SPF) - allows you to publish the IP addresses that should be trusted to send email for your domain.

b. DomainKeys Identified Mail (DKIM) - allows you to cryptographically sign the emails you send to show that they come from your domain.

c. Domain-based Message Authentication, Reporting and Conformance (DMARC) - allows you to set a policy for how receiving email servers should handle emails that pass neither the SPF nor the DKIM check.

2. Help users to identify and report suspected phishing emails - Try to create an environment that encourages phishing reporting, and ensure that staff are aware of the common features of a phishing email, e.g. urgency and authority cues that pressure the user to act quickly and with minimal consideration.

3. Protect your organisation from the effects of undetected phishing emails - It’s impossible to stop every attack. Malware is often hidden in phishing emails or in the websites they link to, but with well-configured devices and good endpoint defences, it is possible to stop malware from installing even if the email is engaged with.

4. Respond to incidents quickly – Knowing about an incident sooner rather than later allows you to limit the harm it can cause. Incident response should be practised, understood and rehearsed before an actual incident occurs.
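To make the three anti-spoofing controls in point 1 concrete, here is an added Python example (written for this page; it is not code from PureCyber or the NCSC) of the receiver-side logic that ties them together: an SPF check of the connecting IP against the published record, identifier alignment for SPF and DKIM, and the DMARC policy applied only when neither aligned check passes. The domain example.com, the DNS TXT records, the IP ranges and the DKIM verifier result are all constructed placeholders; real DKIM signature verification and the include/a/mx SPF mechanisms are outside the example.

```python
"""Added example (not from the PureCyber post or the NCSC guidance): a
minimal receiver-side evaluator showing how SPF, DKIM and DMARC combine
to decide what happens to a message that claims to come from your domain.
All domain names, DNS records and IP addresses are constructed placeholders."""
import ipaddress

# Constructed TXT records for the hypothetical domain example.com.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; {} if not a DMARC record.
    (pct= and sp= are parsed but ignored by the evaluator below.)"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def spf_check(mail_from_domain, sender_ip):
    """Evaluate the SPF record of the envelope MAIL FROM domain against the
    connecting IP.  Only ip4/ip6/all terms are handled here; a real resolver
    also follows include:, a, mx and redirect= (within the 10-lookup limit)."""
    record = DNS_TXT.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # maxsplit=1 keeps the colons of an IPv6 prefix intact
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    """Organisational domain approximated as the last two labels.  Real DMARC
    uses the Public Suffix List, so a 'co.uk' domain would need three labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(header_from, mail_from, sender_ip, dkim_verified, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM identifier authenticates the
    message, otherwise the domain owner's requested action ('none',
    'quarantine' or 'reject'), or 'no-policy' if no DMARC record exists.
    dkim_verified/dkim_domain stand in for a DKIM verifier's result and d= tag."""
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + header_from.lower(), ""))
    if not policy:
        return "no-policy"
    spf_result = spf_check(mail_from, sender_ip)
    spf_aligned = spf_result == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_aligned = dkim_verified and aligned(dkim_domain, header_from, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy.get("p", "none")


if __name__ == "__main__":
    # Constructed scenarios: (description, From: domain, MAIL FROM, IP, DKIM ok, DKIM d=)
    cases = [
        ("genuine mail from the firm's gateway", "example.com", "example.com", "203.0.113.25", True, "example.com"),
        ("forwarded mail: SPF breaks, DKIM survives", "example.com", "example.com", "198.51.100.7", True, "example.com"),
        ("spoofed From: with no authentication", "example.com", "bulk.example.net", "198.51.100.7", False, ""),
        ("lookalike domain with no DMARC record", "examp1e.com", "examp1e.com", "198.51.100.7", False, ""),
    ]
    for label, *args in cases:
        print(f"{label:45} -> {dmarc_evaluate(*args)}")
```

The last scenario is the important caveat: your own DMARC record only governs mail that claims your exact domain in the From: header. A lookalike domain registered by a criminal carries whatever policy the criminal publishes (often none), so DMARC does not stop the ‘lookalike’ BEC method described above; that is what the takedown and monitoring guidance in the next section addresses.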


Protection Against BEC/Impersonation

The NCSC also expands on the phishing prevention guidance to offer tips on how to best defend against BEC attacks:

1. Use a takedown service - This will allow you to monitor for domains that are impersonating your own and assist with issuing takedowns and removing them.

2. Ensure passwords are strong - Encourage employees to use strong, unique passwords for email accounts and to enable additional protection in the form of multi-factor authentication (MFA).

3. Make training a priority – Make sure that regular staff cyber awareness training is embedded into development plans and your overall organisational culture, helping employees know what to look out for and how to identify threats.
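Both the ‘lookalike’ email address method described under BEC above and the takedown-service monitoring in point 1 come down to one question: does a sender domain look like ours? The following Python is an added example (written for this page; not PureCyber’s or the NCSC’s code) of the screening check a mail gateway rule or a domain monitoring job could run over observed sender domains. It folds common confusable characters, measures a transposition-aware edit distance against the protected domain, and flags reuse of the brand label under another TLD or as an extra label. example.com, the confusables table and the sample sender list are constructed placeholders.

```python
"""Added example (not from the PureCyber post): screening sender domains
for lookalikes of your own domain, as a mail-gateway rule or a takedown
monitoring job would.  'example.com' and the sample senders are
constructed placeholders, not real observations."""
import unicodedata

PROTECTED = ["example.com"]   # hypothetical firm domain

# Common visual substitutions seen in lookalike registrations (heuristic list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalise(domain):
    """Lower-case, drop non-ASCII homoglyphs (e.g. a Cyrillic 'а') and collapse
    common ASCII confusables, so 'examp1e' and 'exarnple' both become 'example'."""
    folded = unicodedata.normalize("NFKD", domain.lower().strip("."))
    folded = folded.encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or
    transpose adjacent characters each cost 1, so 'exmaple' is one edit
    from 'example'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED):
    """Return a reason string if sender_domain impersonates a protected domain,
    or None if it is either the genuine domain or unrelated."""
    raw = sender_domain.lower().strip(".")
    norm = normalise(raw)
    for own in protected:
        own = own.lower()
        if raw == own:
            return None   # genuine domain: SPF/DKIM/DMARC decide here, not this check
        if norm == own:
            return f"confusable characters spoofing {own}"
        if edit_distance(norm, own) <= 1:
            return f"near-miss of {own}"
        brand = own.split(".")[0]   # 'example'
        if any(brand in label for label in norm.split(".")):
            return f"reuses brand label of {own}"
    return None


def screen(sender_domains, protected=PROTECTED):
    """Map each flagged sender domain to the reason it was flagged."""
    findings = {}
    for domain in sender_domains:
        reason = classify(domain, protected)
        if reason:
            findings[domain] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample of sender domains seen in inbound mail.
    sample = ["example.com", "examp1e.com", "exarnple.com", "exmaple.com",
              "example-com.net", "example.com.secure-login.net",
              "ex\u0430mple.com", "lawfirm-partners.co.uk"]
    for domain, reason in screen(sample).items():
        print(f"{domain:32} {reason}")
```

The output is a list of candidates for a human to review or for a takedown request, not a verdict: the brand-label rule in particular will flag legitimate partner domains that happen to contain your name, so in practice the findings are compared against an allow list of known third parties before anything is quarantined.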


Out-of-Band Authentication

Out-of-Band Authentication (OOBA) is a type of 2FA (two-factor authentication) security measure, utilising a separate, independent communication channel to verify a user’s identity – adding an extra layer of security beyond the primary authentication method.

PureCyber Threat Exposure Management (TEM): Your Solution to Brand Protection

Threat Exposure Management (TEM) gives you the power to instantly search across the clear and dark parts of the web to identify threats to your data and brand, evaluating and categorising the risk level.

TEM provides ongoing monitoring of your chosen business identifiers, such as domains, email addresses, and IP addresses across the web. Our TEM service acts as a broad search engine, looking for your chosen search terms in places most people cannot access.

Designed for any business handling sensitive data or looking to protect its brand and bottom line.

PureCyber TEM allows you to:

  • Discover if your data has been leaked

  • Find out if your staff/user accounts have been hijacked

  • Identify spoofs of your domain and issue take-downs

  • View the details of your data offered for sale

  • Uncover malware sitting within your network

  • Locate entry points for previous breaches

Do you need to issue a takedown for a malicious spoof domain?

Want to monitor whether any of your employees’ credentials are being distributed through illicit web channels?

PureCyber Threat Exposure Management is exactly what you need to protect your organisation.

How Can PureCyber Help?

The PureCyber team are here to take over the burden of your cyber security and ensure your organisation’s data remains secure and well managed, with proactive monitoring and real-time threat intelligence - providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM) & Brand Protection Services, and Penetration Testing.

Keep an eye on our Events & Webinars page for upcoming PureCyber events

PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.

Get in touch or book a demo for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.

Email: info@purecyber.com Call: 0800 368 9397

Sources:

*The Law Society – Five Challenges for the Legal Sector in 2025

https://www.lawsociety.org.uk/topics/business-management/partner-content/five-challenges-for-the-legal-sector-in-2025

**House of Commons – Cybersecurity in the UK

https://researchbriefings.files.parliament.uk/documents/CBP-9821/CBP-9821.pdf

***NCSC – Email Security & Anti-Spoofing

https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing

SRA – Thematic Review on Cyber Security

https://www.sra.org.uk/sra/research-publications/cyber-security/

NCSC – Cyber Threat Report: UK Legal Sector 2023

https://www.ncsc.gov.uk/files/Cyber-Threat-Report_UK-Legal-Sector.pdf
