Top Threats Observed in the Legal Services Industry

Top Cybersecurity Threats Observed in the Legal Services Industry

by | Nov 2, 2021

Over the past few years, law firms have consistently been one of the top targets for cyberattacks, near the top of the list of most targeted industries, alongside other high-value targets such as financial services, computer software, and IT services. As a result, law firms are constantly under pressure from clients and regulatory bodies to make improvements to security. 

Law firms experience different forms of cyber threats, and the following are top threats observed in the legal services industry:  



Malware is an old form of cyber-attack but is constantly repackaged with new tactics. However, the process by which a firm is attacked with malware is fairly universal: 

Initial access. The most common approach an attacker gains initial access is phishing via emails with malicious links or attachments to deliver malware into your system or network. In some cases, this can be done through remote code execution. 

Execution. The threat actor can run malicious code on a system. What usually happens next is that the malware reports a new infection to the associated command-and-control infrastructure and then receives instructions, additional malicious code, or functional components.  

Persistence. The attacker tries to strengthen the foothold to maintain access to systems across restarts, changed credentials, and other interruptions.  

Lateral Movement. Malware often attempts to spread to additional hosts, leveraging privileged accounts.  


Credential Phishing 

Credential phishing attempts to trick an employee into providing information, such as user credentials.  Credential phishing uses increasingly advanced forms of digital manipulations to extract people’s logging details. This form of attack is brutally effective because it plays on people’s trust. 

The legal services industry is one of the most vulnerable industries to credential phishing attacks. Threat actors employ multiple credentials phishing methods, including sending links, malicious attachments, or engaging in social engineering to compromise the user. Although email is the most frequent medium to carry out these attacks, other channels like social media, messaging apps, texting, and even voice calls are also used by threat actors.  

Once credentials are gotten, the attackers may sell them or use them to gain initial access to the network. Personal information and business context can be used from business email compromise scams, invoice scams, spear phishing, or voice phishing. 

Enforcing the use of multi-factor authentication for corporate email accounts and delivering credential phishing awareness training to institute best practices and some of the defense recommendations against credential phishing attacks.  


Business Email Compromise 

Business Email Compromise is primarily aimed at facilitating fraudulent money transfers via two methods: account takeover, and account impersonation.  

Account takeover. An attacker gains access to and control over a victim’s email account  

Account impersonation. An attacker attempts to fool a user into taking some malicious action unintentionally (often on behalf of an authority figure or colleague). Threat actors use these accounts, which often belong to executives, to request new payments and/or to redirect upcoming payments.  

While instigating fraudulent financial transactions is the most common objective, there is also a risk of data exfiltration, especially in highly targeted attacks where information about particular people or organizations is highly valued. 

In a reported BEC case involving a legal firm, an attacker compromised the email account belonging to an employee involved in legal settlements and implemented an email-forwarding rule that exfiltrated emails from this account, including settlement contracts/agreements.  

The threat actor then registered a domain that was very similar to the legal firm and replayed existing settlement agreements while requesting wiring instructions be changed. One of the payment requests even included a scanned copy of a settlement agreement, significantly bolstering the appearance of legitimacy.  

To defend against this risk, organizations can enforce usage of our-of-band communications to confirm and authorize large transactions or transfers of information, educate employees about impersonation attacks, and ensure everyone in the firm follows security and operational processes.  


Cybersecurity should be a priority for your legal firm 

There is no question that for the foreseeable future protecting distributed workers must be a security priority for the legal industry. And that’s a major reason why endpoint security is so important. But security can be an ambiguous term, so to be more specific, the success of your security strategy requires two functional components:  

Prevention through efficient and next-generation defense systems 

Detection and response to identify and contain threats that bypass defenses. 

It is time to prioritize the security of your firm. At ActiveCo, we specialize in creating a personalized cybersecurity plan for your business that can evolve to face new digital threats before they become a reputational nightmare or to detect and respond to threats that bypass defenses. If your current cybersecurity plan hasn’t been updated in a while, it is not properly equipped to handle the dynamic threats wreaking havoc across the world.  

To find out more about cybersecurity strategies for your business, cybersecurity risk assessments, improving access management, and tightening infrastructure security, take a look at the services offered by ActiveCo Technology Management 

Learn more on this topic

Related Blog Posts

Make Sure Your Students Are Safe At School

Make Sure Your Students Are Safe At School

College has changed since many of us were students. Years ago, we’d be shuffling from class to class, holding a single notebook and a pencil for scribbling down notes. There wasn’t as big a risk of photos or data being stolen online. That’s no longer the case....