
Email Hygiene: Removing the bait from phishing hooks


Email remains the primary mode of communication for legal professionals, used to share sensitive client information, case strategies, and legal documents. However, with this reliance on email comes the growing threat of phishing attacks—malicious attempts by cybercriminals to deceive recipients into revealing confidential information or compromising their systems. Phishing poses a significant risk to law firms, with 81% of Australian law firms having been targeted by phishing attacks in 2024.

This blog will explore the importance of protecting against phishing attacks in the legal sector, provide practical strategies for identifying and preventing these threats, and offer best practices to secure email communication and mitigate risks.

Why Phishing is a Critical Threat to Law Firms

Phishing attacks are particularly dangerous in the legal industry due to the highly confidential and sensitive nature of the information handled. Cybercriminals often target law firms to gain access to valuable data such as client records, financial information, intellectual property, and strategic case details. Falling victim to phishing not only jeopardises a law firm’s reputation but can also result in financial losses, legal liability, and non-compliance with regulations like GDPR or HIPAA.

Recognising Types of Phishing Tactics in Legal Environments

Phishing schemes continue to evolve, becoming increasingly sophisticated and harder to detect. Legal professionals must be vigilant in identifying the different types of phishing, including:

  • Email Phishing: A common tactic involves sending emails that appear to come from familiar contacts—such as clients, opposing counsel, or court officials. These emails often request sensitive information, payment details, or login credentials. For example, a lawyer might receive an email seemingly from a client requesting an urgent wire transfer, when in reality, it is a fraudulent attempt to steal funds.

  • Spear Phishing: This highly targeted attack involves personalised emails crafted using research on the victim. A managing partner might receive a convincing email from another partner, leading them to click a malicious link or reveal sensitive information.

  • Whaling: Whaling targets senior executives with phishing emails appearing as urgent legal or financial requests. A managing partner could receive an email from a high-profile client asking for immediate action, prompting the transfer of funds or sensitive data.

  • Clone Phishing: Attackers replicate legitimate emails but replace attachments or links with malicious ones. A lawyer might receive what appears to be a continuation of a previous email conversation, with a malicious attachment disguised as familiar content.

  • Business Email Compromise (BEC): Attackers infiltrate or spoof a law firm’s email system to commit financial fraud, often tricking the firm into transferring large sums. For instance, an accounting department receives an email from a “senior partner” requesting a transfer to a fraudulent account.

  • Vishing (Voice Phishing): Attackers make phone calls impersonating clients or authorities to trick legal professionals into disclosing sensitive information. A lawyer might receive a call from someone pretending to be from the ATO, asking for confidential client details.

  • Smishing (SMS Phishing): Attackers use text messages to trick victims into clicking malicious links or providing sensitive information. A lawyer could receive a message from a “client” with a link to urgent documents, leading to credential theft or malware installation.

  • Credential Harvesting: Cybercriminals may create fake versions of law firm or court websites, leading victims to believe they are interacting with legitimate platforms. Lawyers and staff may be directed to these sites via email links, where they are prompted to enter confidential information, which is then harvested by attackers.

  • Man-in-the-Middle (MitM) Phishing: Cybercriminals intercept ongoing communications to alter email content, such as changing payment instructions. For example, an attacker intercepts emails about a settlement, changing the bank details to redirect funds.

  • Attachment-Based Phishing: Emails with malicious attachments, like fake legal documents, court notices or a client’s document, are sent to infect devices with malware. A law firm employee might receive a “contract” from a known client, which, when opened, compromises the system.

Strategies for Preventing Phishing Attacks in Law Firms

  1. Verify Email Senders Before Taking Action: Before responding to any email, especially those requesting sensitive information or financial transactions, legal professionals should verify the sender’s identity. Contact the sender through a known phone number or separate email to confirm the request’s legitimacy. This extra step is crucial in avoiding scams designed to look like genuine client or court communications.

  2. Look for Red Flags in Email Content: Phishing emails often contain subtle errors that can signal their fraudulent nature. These include unusual or urgent language, poor grammar, misspellings, or awkward phrasing that is inconsistent with normal communication from the sender. Email addresses that appear slightly altered, such as replacing an “l” with a “1” to mimic a legitimate domain, are also red flags. Training legal staff to recognise these red flags can prevent them from falling for phishing attempts.
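The two red flags above, a look-alike sender domain and pressure language, can be checked automatically before a message reaches a fee earner. The example below is added here and is not code from the original post or from Emantra; the allow-list of known domains, the substitution table and the urgency phrases are constructed values that a firm would replace with its own.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of domains the firm genuinely corresponds with (example values, not real).
KNOWN_DOMAINS = sorted({"example-law.com.au", "courts.example.gov.au", "client-corp.example"})
# Character swaps used to imitate a real domain, including the "l" -> "1" trick described above.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t")]
# Pressure phrases that push the reader to act before verifying (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "act now", "account will be suspended")

def normalise(domain):
    """Undo the look-alike substitutions so an imitation compares equal to the real domain."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d

def sender_domain(address):
    """Extract the domain from 'Name <user@domain>' or a bare 'user@domain'; None if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else None

def classify_sender(address):
    """Return (verdict, known_domain); verdict is known, lookalike, unknown or unparseable."""
    domain = sender_domain(address)
    if domain is None:
        return ("unparseable", None)
    for known in KNOWN_DOMAINS:                      # exact match or a genuine subdomain of it
        if domain == known or domain.endswith("." + known):
            return ("known", known)
    for known in KNOWN_DOMAINS:
        if normalise(domain) == normalise(known):    # differs only by homoglyph swaps
            return ("lookalike", known)
        if domain.startswith(known + "."):           # real domain planted as a subdomain elsewhere
            return ("lookalike", known)
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return ("lookalike", known)              # a character added, dropped or transposed
    return ("unknown", None)

def red_flags(sender, subject):
    """Combine the sender check and the urgency-language check into human-readable flags."""
    flags = []
    verdict, known = classify_sender(sender)
    if verdict == "lookalike":
        flags.append(f"sender domain imitates {known}")
    elif verdict != "known":
        flags.append("sender domain is not on the firm's known-contacts list")
    hits = [p for p in URGENCY_PHRASES if p in subject.lower()]
    if hits:
        flags.append("urgent language: " + ", ".join(hits))
    return flags
```

The similarity threshold is deliberately loose, so treat a "lookalike" verdict as a prompt for the out-of-band verification in point 1 rather than as proof of fraud.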

  3. Implement Two-Factor Authentication (2FA): Two-factor authentication (2FA) should be mandatory for all law firm email accounts. Even if a cybercriminal successfully obtains login credentials via a phishing scam, they will not be able to access the email account without the second form of verification, typically a code sent to a mobile device or authentication app. This provides a vital additional layer of security.

  4. Utilise Advanced Email Filtering: Law firms should invest in robust email security systems that include advanced filtering for phishing emails. These systems automatically scan incoming messages for signs of phishing, including suspicious links, attachments, and sender domains. Many of these systems can also block potentially dangerous emails before they reach a user’s inbox.

Best Practices for Law Firms to Guard Against Phishing

  1. Conduct Regular Employee Training on Phishing Awareness: Continuous education is critical in preventing phishing attacks. Law firms should conduct regular training sessions that teach employees how to identify phishing attempts, report suspicious emails, and avoid clicking on unsafe links or attachments. Simulated phishing exercises can be particularly effective in testing employees’ responses and identifying areas where further training is needed.

  2. Establish Clear Protocols for Handling Sensitive Information: Law firms should create and enforce strict policies regarding how sensitive information is requested and transmitted via email. For example, firms can require that any request for client financial details, financial transfers, or sensitive documents be verified through a second communication channel before proceeding.

  3. Use Secure Communication Platforms: When exchanging highly sensitive information, law firms should consider using encrypted email services or secure client portals rather than relying on traditional email. These platforms offer enhanced protection, ensuring that only authorised parties can access confidential communications.

  4. Monitor Email Forwarding and Filtering Rules for Anomalies: Cybercriminals who gain access to an email account often establish automatic forwarding or filtering rules to divert specific emails, such as client communications, to another account. Regularly reviewing these settings ensures no unauthorised changes have been made and helps detect compromises early.
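A review of forwarding and filtering rules can be scripted so it runs on a schedule rather than relying on someone remembering to look. The example below is added here and is not code from the original post or from Emantra; the rule records, their field names and the firm domain are constructed stand-ins for whatever a real mail platform exports.

```python
# Constructed sample of inbox rules as they might appear in an export; the field names are
# hypothetical, not a real mail platform's schema.
FIRM_DOMAINS = {"example-law.com.au"}
SAMPLE_RULES = [
    {"mailbox": "jane@example-law.com.au", "name": "Archive newsletters",
     "conditions": {"from_contains": ["newsletter"]}, "actions": {"move_to": "Archive"}},
    {"mailbox": "jane@example-law.com.au", "name": "Sync",
     "conditions": {"subject_contains": ["invoice", "settlement", "bank details"]},
     "actions": {"forward_to": ["collect@mailbox-relay.test"], "delete": True, "mark_read": True}},
    {"mailbox": "sam@example-law.com.au", "name": "Copy to assistant",
     "conditions": {}, "actions": {"forward_to": ["assistant@example-law.com.au"]}},
    {"mailbox": "sam@example-law.com.au", "name": "Cleanup",
     "conditions": {"from_contains": ["client-corp.example"]}, "actions": {"move_to": "Deleted Items"}},
]
# Topics an attacker diverting mail would typically single out (constructed list).
SENSITIVE_TERMS = ("invoice", "settlement", "bank", "payment", "client", "trust account")
HIDING_FOLDERS = ("deleted items", "trash", "junk")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def review_rule(rule):
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    actions, conditions = rule["actions"], rule["conditions"]
    # Forwarding or redirecting to an address outside the firm's own domains.
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    external = [t for t in targets if domain_of(t) not in FIRM_DOMAINS]
    if external:
        findings.append("forwards mail outside the firm: " + ", ".join(external))
    # Rules that match client or financial mail and then hide it from the mailbox owner,
    # which is how a diversion is kept out of sight.
    matched = [v.lower() for values in conditions.values() for v in values]
    terms = [t for t in SENSITIVE_TERMS if any(t in m for m in matched)]
    hides = (actions.get("delete") or actions.get("mark_read")
             or actions.get("move_to", "").lower() in HIDING_FOLDERS)
    if terms and hides:
        findings.append("hides messages matching: " + ", ".join(terms))
    return findings

def review_rules(rules):
    """Map (mailbox, rule name) to findings for every rule that produced any."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report
```

Internal forwarding such as the "Copy to assistant" rule is left alone, so the report stays short enough that each flagged rule can be confirmed with the mailbox owner.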

Responding to a Phishing Attack

Despite the best precautions, phishing attempts can sometimes succeed. If a law firm falls victim to a phishing attack, immediate action is necessary:

  • Disconnect the affected device from the network to prevent the spread of malware or further access to the system.

  • Notify IT or cybersecurity personnel to investigate the breach and assess the scope of the damage.

  • Ensure you change all passwords immediately and activate multi-factor authentication across all accounts.

  • Report the breach to clients, the platform where the attack occurred and relevant regulatory bodies such as ReportCyber to comply with data breach notification requirements.

Phishing attacks represent a serious threat to the legal industry, where the confidentiality and integrity of email communications are paramount. By prioritising phishing prevention and equipping legal teams with the training to recognise and respond to these threats, law firms can protect themselves, their clients, and their reputations. A proactive approach—focusing on the use of secure email practices—is essential to mitigating the risks posed by complex phishing attacks in 2024.

If your firm is looking for assistance in protecting against phishing and other cyberthreats check out Emantra’s comprehensive CyberStart service.
