
Protecting your Law Firm: Don't Get Hooked by Phishing Attacks in the Legal Industry

Like any other organisation, legal firms increasingly rely on IT, whether for sending sensitive documents or important invoices.

With increased reliance on IT comes an increased risk of cyberattacks. These malicious acts may directly target your legal firm or exploit vulnerabilities in the suppliers you rely upon. In certain cases, they may extend their focus to your staff's personal devices, as well as your business equipment, networks, and systems.

Of the 48% of UK businesses that identified an attack in 2022, the most common threat vector was phishing attempts (79%) (Cyber Breaches Survey 2023).

What is phishing?

‘Phishing’ is when criminals use scam emails, text messages or phone calls to trick people. Their goal is usually to get the victims to visit a website that downloads dangerous software onto their computers (malware, ransomware, or a virus), or to steal personal information like bank details or login credentials.

Law firm websites will often list contact details for their senior staff, partners, and associates, which criminals can combine with data from social and business networks to launch more targeted attacks. Phishing emails often blend in with the flood of regular emails we all receive every day. Considering how easy it is for cyber criminals to send out millions of phishing emails from free email accounts, it is no wonder that phishing continues to be the most common type of cyber-attack against law firms.

A common tactic for cyber criminals is to trick victims into revealing their usernames and passwords by impersonating the login pages of well-known platforms such as Microsoft, Gmail or Google. If recipients engage with these emails and unknowingly disclose their credentials, cybercriminals can exploit them for further attacks or sell them on to other criminals.
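As an added example (not code from the ECRC article), the script below shows one way an IT team could pre-screen links in an incoming email for the impersonation pattern described above: a link whose host merely contains a brand name, a typo-squatted domain, a login page served over plain HTTP, or link text that names one domain while the href points at another. The trusted-domain allowlist, the sample email and the thresholds are all assumptions made for illustration, and the domain parsing is deliberately naive (a production check would use the Public Suffix List and a mail-security gateway rather than a script).

```python
# Added illustration, not part of the original article. Flags links in an email that
# look like they impersonate a trusted login page. Allowlist and sample data are constructed.
import re
from urllib.parse import urlparse

# Hypothetical allowlist of the real registrable domains for the brands the article names.
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "google": {"google.com", "gmail.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (login.microsoft.com -> microsoft.com).
    Naive on purpose: a real check should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, link_text: str = "") -> list[str]:
    """Return the reasons a link looks like a credential-phishing lure (empty list = no flag)."""
    reasons = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    for brand, domains in TRUSTED_DOMAINS.items():
        trusted_regs = {registrable_domain(d) for d in domains}
        if reg in trusted_regs:
            continue  # genuinely hosted on the brand's own domain
        if brand in host:
            reasons.append(f"brand '{brand}' appears in untrusted host {host}")
        for trusted in trusted_regs:
            if 0 < edit_distance(reg, trusted) <= 2:
                reasons.append(f"host {reg} is a near-miss of {trusted}")
    path = parsed.path.lower()
    if parsed.scheme == "http" and ("login" in path or "signin" in path):
        reasons.append("login page served over plain http")
    # Display text that names one domain while the href goes somewhere else.
    m = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", link_text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        reasons.append(f"link text mentions {m.group(1)} but href goes to {host}")
    return reasons


def scan_links(html: str) -> dict[str, list[str]]:
    """Map every <a href> in an HTML email body to its list of warning reasons."""
    result = {}
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        result[href] = classify_link(href, re.sub(r"<[^>]+>", "", text))
    return result


# Constructed sample email: one lure link and one genuine link.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>
<a href="http://login.microsoft-secure.example/signin">https://login.microsoftonline.com</a>
<a href="https://login.microsoftonline.com/">Official portal</a>
"""

if __name__ == "__main__":
    for link, reasons in scan_links(SAMPLE_EMAIL).items():
        print(link, "->", reasons or "no concerns")
```

Running the script prints three reasons for the first link and no concerns for the second. Heuristics like these only reduce the volume reaching staff; they do not replace the reporting culture and training the article goes on to recommend.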

What can you do?

All phishing depends on an element of social engineering or interaction with a person, so making sure your staff are well trained in recognising a phishing attack is a priority. The ECRC has several affordable cyber resilience services that can deliver a bespoke Staff Awareness Training session tailored to your company and the risks it faces. Contact us to find out more.

Here at the ECRC, we would also recommend having a plan in place to deal with phishing attempts and successful attacks. Make sure your staff know how to report an attack, and don't put barriers in the way of reporting, such as disciplinary action. Make sure you report all phishing attacks to

Phishing attacks can be very sophisticated and extremely difficult to guard against, but knowing how and when an attack has taken place means that you can react in the right way. You really don't want a staff member too scared to report a successful phishing attack, letting an attacker have an extended period of time in your systems.

The National Cyber Security Centre (NCSC) has also created an enterprise Outlook add-in so that staff can report phishing emails directly from their inbox. The NCSC will then actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.

If you want to evaluate your own and your staff's knowledge about phishing, why not have a go at our fun phishing quiz?

What's next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.

Here at the centre, we would recommend that you:

  1. Join our community today as one of our growing number of free core members. You will be supported through implementing the changes you need to make to protect your organisation.

  2. Consider how you can help your own supply chain and customers – it would be great if you could look at promoting the centre on our behalf. Have a look at our referral scheme to see how referring another company into the centre could benefit you.

  3. Take a look at our range of affordable student services, all of which could be used by your organisation to make yourself more cyber resilient.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
