It took Campbell Conroy & O’Neil seven (!) months to disclose its February 2021 ransomware attack! Lawyers to the stars, its Fortune 500 roster of clients includes Apple, Boeing, British Airways, Exxon, Ford, IBM, Jaguar, Johnson & Johnson, and Pfizer… to name a few. And this only five years after the famous Panama Papers were stolen from the law firm of Mossack Fonseca—a 2.6 terabyte treasure trove of 11½ million documents exposing the tax-free holdings of the rich and famous.

And yet, law firms spend on average a mind-bogglingly puny 0.46% of their income on cybersecurity!! That’s compared to the cross-industry standard of 12%… 

Welcome, dear readers, to a world where those who claim to uphold justice unfailingly fall patsy to the nefarious felonies of phishing. The most critical client data—often protected even from the law itself—is at risk; high finance, existential risk, and even the lawyers’ billables attract prying eyes, hooks, and pawing hands. 

In this blog post, we explore why law firms, those bastions of legal wisdom, often fail to take the necessary precautions against these cunning online traps. So grab your virtual fishing rod and join us on this dialectic-defying journey!

The Overconfidence Conundrum

Law firms, where razor-sharp legal minds are forged, remain a top-of-the-cream cherry target for scammers. Surely, such esteemed establishments to whom we entrust our darkest secrets shouldn’t fall prey to something as basic as phishing. Wrong! Overconfidence, one of the lawyers’ most basic tools of trade, can also be an attorney’s Achilles’ ankle just asking to be bitten. While they argue intricate legal nuances in the courtroom, they remain blind to the lurking dangers in cyberspace—their email inboxes tantalizingly unguarded, their billing chains easily hijacked, and our data easily stolen.

The global legal services market is estimated at about $901 billion (2021), a third of that in the US. In the UK, 73% of leading law firms were attacked in 2022, resulting in losses of over £4 million to their clients. Only 42% of US law firms report carrying cyber insurance! On the other hand, law firms host no compunction in emigrating to the cloud—about 31% of them having already placed their client records off-site, and enabling the post-covid work-from-home craze. Of these highly democratic and politically correct firms, less than half bother encrypting their data…

And the dangers extend far beyond the walls of the firm; indeed, far beyond the walls of their clients. Last week HWL Ebsworth—Australia’s largest law firm with over 260 partners—announced that Russia’s ALPHV/Blackcat ransomware group had stolen data affecting over 60 government agencies and private entities, such as Australia’s National Bank, publishing over a terabyte-worth of personal information on Australian citizens.

Targeting Elusive Attorneys

Lawyers are a dream target for phishing scammers. They possess a wealth of sensitive information and are often burdened with a heavy workload, making them prime candidates for lapses in judgment.

And then there’s the money. Besides playing Perry Mason, Matlock, or Ally McBeal, lawyers spend much of their time probating wills, managing mergers-&-acquisitions, conveyancing, and alimony, processing cashier checks and other financial instruments, realizing estates, lodging and maintaining patents, and more. In fact, most of their work representing clients involves money matters and not criminal ones. 

Armed with the promise of juicy case updates, client settlements, or even confidential legal documents, phisher-thugs cast their hooks into the vast sea of unsuspecting attorneys and simply wait for the unguarded nibble. Moreover, because they hesitate in adopting proper security measures, attacks are more prone to success. 

In 2022, only about a third of companies had performed a security assessment, and nearly 70% are willing to simply pay the ransom. It’s preferable to the alternative—putting their clients’ data at risk or letting them know that their data IS at risk. For when trust is at stake, reputation trumps all. Lady Gaga’s lawyers at Grubman Shire Meiselas & Sacks were a case (sic) in point in 2020, when the REvil ransomware gang encrypted their files for $42 million. The lawyers tried to negotiate. The gang released some of their data. The lawyers caved in.

The "Billable-Click" Syndrome

Picture this: a harried lawyer, juggling multiple cases, barely keeping up with their ever-increasing workload. Suddenly, an email notification from a colleague pops up, promising a breakthrough in a crucial lawsuit. Fueled by curiosity, ambition, and the allure of a substantial billable hour, the attorney clicks without a second thought. And just like that, the phishing lawyer reels in yet another unwitting victim. It’s a vicious cycle that persists due to an unfortunate combination of professional ambition and a lack of cybersecurity mindfulness.

One might argue that law firms simply lack awareness about the potential dangers of phishing attacks. After all, they specialize in the intricacies of the legal world, not cybersecurity. However, in an age where cybercrime dominates headlines, turning a blind eye to basic online safety measures is akin to ignoring a jury’s instructions. Ignorance may be bliss, but in the realm of phishing lawyers, it can lead to dire consequences—both for the lawyers themselves and the clients they represent.

A Battle of Billable Hours vs. Basic CyberSec

In the fast-paced world of law, where billable hours reign supreme, cybersecurity often takes a backseat. Law firms are too busy preparing arguments, attending court hearings, and counting their stacks of cash to worry about the pesky details of online safety. The allure of billable hours trumps all, leaving the door wide open for phishing lawyers to exploit.

Last year, several international law firms, including Dentons, Deloitte, and Monlex Int’l, found themselves being impersonated through business email compromises. Crimson Kingsgate, a notorious Nigeria-based group, sent out bills to clients, adding to the $2.4 billion in BEC-related price tag reported last year by the FBI. And, in April, Uber disclosed yet another breach—this time through the servers of a relatively small third-party law firm.

In an uncharacteristic development this past June, Knights employees were thrilled to receive a pay rise. only to discover that the attached details were actually a test by the firm’s HR department aimed at raising phishing awareness. 

“It might have been better for everyone if the exercise had been the work of scammers,” relates the Rollonfriday website “The awareness test went down ‘like a lead balloon’ and prompted strongly worded emails, partners threatening to leave.”

Stay Safe

Embroker’s ten commandments of safety include:

  1. Run an external security assessment to identify your needs, and weak spots, and plan a defense mechanism.
  2. Employee education: Train them on identifying phishing and other modes of extracting information. Regularly test them and remember: practice makes cautious.
  3. Privilege restrictions: Adopt a zero-trust policy and provide one-time access on a need-to-access basis. Check these permissions on a regular basis and update them where necessary, and audit data trails 24/7.
  4. Secure RDP (Remote Desktop Protocol): Get an expert–RDP violations account for over 50% of ransomware attacks.
  5. Password management and MFA: Get the latest in passport management software – again: from an expert who will tailor suit the solution to your needs.
  6. Update software and APIs regularly.
  7. Maintain 3-2-1 backups (on-site and off-site).
  8. Protect your email: adopt SPF, DKIM, and DMARC email protection, and make it easy for staff to query mails — keep an open line between them and IT.
  9. Response plan: An outsider should do this—one who is not acquainted with your operations but for whom it is all new. It should include a ‘detection-containment-investigation-remediation-recovery scheme and should be regularly updated, based on best security practices and GDPR (EU) and CCPA (US) regulatory publications.
  10. Invest in cyber: whether it’s in security or insurance, you should assess the worst-scenario loss to you and your clients and invest accordingly. Most cyber insurance plans will cover data loss and recovery, computer fraud, and cyber extortion. But remember–no insurance will cover you if you don’t take the required precautions.

In a world where even the most distinguished professionals can fall victim to online scams, it is crucial for law firms to wake up from their complacency and recognize the looming threat of phishing lawyers. Balancing billable hours with robust cybersecurity practices should become a new mantra for legal professionals everywhere. Until then, we can only hope that the lure of law phishing bait loses its appeal, allowing the legalistic warriors to embrace a safer digital future.

Stay vigilant, always question that too-good-to-be-true email that lands in your inbox, and install novoShield to guard your phone from phishing attacks. Happy surfing, both in the courtroom and online!