LAW FIRMS: The Shocking Impact of INADEQUATE EMAIL SECURITY SOLUTIONS 2023

Law Firms Under Attack: Cautionary Tales of Email Insecurity Run Amok

Imagine this all-too-real scenario. A busy M&A partner at a prominent law firm receives an email appearing to be from a trusted client requesting an urgent wire transfer to close a significant deal. You act quickly per the client's demands. You initiate the wire for $3 million. Only later does the partner discover the client never sent the email.

The wire request was a sophisticated phishing scam. The money vanished without a trace. Once the fraud is discovered, panic ensues. Clients are notified, bank accounts are frozen, and phones are ringing off the hook. Lapses in email security have led to disaster.

While dramatic, this account mirrors actual incidents at elite law firms, which have recently cost millions in stolen funds. It highlights how inadequate email security postures expose significant risks that even esteemed firms fall victim to at alarming and escalating rates.

Law firms provide ripe targets. Holding sensitive client information and funds, they present high rewards for cybercriminals. Yet basic email protections are often lacking. Outdated spam filters fail to stop phishing lures. Lawyers click malicious links and attachments—data exfiltrates without detection. Patient hackers penetrate systems completely unnoticed.
In this wild frontier, email threats evolve rapidly, outpacing static defences. New sophisticated phishing tactics, business email compromise scams, and zero-day malware easily evade outdated controls. Partners underestimate the persistence and cunning of adversaries. Technical gaps need to be addressed even as firms undergo digital transformation. The consequences are severe.

Here's why email-borne attacks are the most common threat to law firms

- Client impersonation scams coerce fraudulent wire transfers, diverting closing funds, settlements, and more into criminal accounts. Seven-figure thefts now occur with regularity.

- Business email compromise scams dupe personnel into purchasing fake gift cards, sending payments, and disclosing sensitive data to criminals posing as partners or vendors.

- Malware payloads in infected attachments infiltrate networks, spreading ransomware that locks down entire systems until sizable cryptocurrency payments are made. Total firms are held hostage.

- Credential theft enables adversary account takeover, data exfiltration of case files and confidential documents, and lateral movement through systems.

- Spear phishing messages trick lawyers into compromising sensitive data on case strategies, M&A deals, intellectual property, and confidential litigation risks.

- Phishing links install remote access malware like Emotet, letting attackers clandestinely traverse internal networks stealing troves of confidential data.

Desperate for solutions, compromised firms hire forensic teams to investigate. Attorneys scrutinise ethics obligations and liability. Leaders are summoned before risk management committees. The reputational damage, unplanned downtime, and client mistrust multiply the toll of inadequate security.

What can other firms learn from these email-centred breaches and their severe impacts?

Common Email Security Mistakes

Not training employees to spot social engineering tactics -

Staff need continuous awareness of the latest phishing lures, business email compromise scams, and unsafe behaviours. Regular training is a must.

Allowing outdated spam filters to languish -

Legacy rules-based filters are ineffective against modern AI-driven phishing attacks. Your business must upgrade appliances to current platforms leveraging machine learning for detection.

Neglecting multi-factor authentication -

MFA adds critical protection against stolen credentials, yet many firms must enforce it for email, VPNs, or financial systems. Your firm should universally require MFA.

Lacking advanced threat protection -

Basic signatures and lists cannot catch zero-day malware, weaponized documents, and other threats entering through email. Modern protection like sandboxing and heuristics are essential.

Not monitoring outbound email -

Data loss prevention capabilities should inspect outbound mail for unauthorized sharing of sensitive documents, personal information, or signs of theft.

Poor backup practices -

Quickly restoring email services is crucial after malware or ransomware attacks. Regular backups with isolated storage and multiple recovery points enable resilience.

Overlooking internal risks -

Insiders with access to confidential information may abuse email for theft. Controls like DLP, monitoring, and access controls mitigate this.

Not testing defences -

Running realistic phishing simulations, penetration testing and cyber exercises regularly provides visibility into readiness while honing responses.

With advanced solutions, training, and practices, law firms can defend against broadening email threats targeting lawyers, clients, and sensitive case data. But neglecting fundamentals is common.

Real-World Examples of Exploited Email Weaknesses

So your firm would not be some other statistics, and remember that even well-known and robust firms like the New York firms are vulnerable to this, so your business must consider this. If your firm is not aware, here are some of the incidents and the lessons learned from them: 

"In late 2022, elite New York firm Schulte Roth & Zabel fell victim to a phishing scam with $4 million stolen through a fraudulent wire transfer. Employees were duped into initiating transfers to foreign accounts because email accounts did not require multi-factor authentication."

"Philadelphia firm Fox Rothschild lost $600,000 in an email phishing incident in 2021. A hacker impersonated the firm's title insurance provider to trick employees into sending funds. Outdated defences failed to detect the scheme."

"In early 2022, a phishing attack on a sizeable Boston-based firm led to the theft of $600,000 when unknown hackers tricked employees into purchasing gift cards at the hacker's direction. The scam emails impersonated senior partners and went undetected by deficient email security tools—all the reason that the firm was not forcing multi-factor authentication to prevent unauthorised access."

"A 2021 business email compromise scheme targeted the managing partner of a law office in London, compromising their inbox through an advanced socially engineered phishing email. The hackers studied previous correspondence and crafted messages impersonating a construction vendor to manipulate multiple payments totalling over £1 million into criminal accounts. Email security awareness training had lapsed at the firm."

Both incidents illustrate legal organisations overlooking fundamental email security defences like staff training, MFA, phishing simulations, and upgrading obsolete controls. And patient hackers willing to study their targets meticulously. These gaps lead to massive financial and reputational loss for victimised firms. All law offices must recognise the need to implement layered people, processes, and technology measures to avoid similar breach scenarios.

Lessons Learned

-Train employees continuously - Phishing threats evolve rapidly
-Implement multi-factor authentication without exceptions
-Upgrade email security stacks continually, not just occasionally
-Never initiate financial transactions based solely on email requests
-Monitor outbound email traffic for signs of data theft
-Verify financial requests through secondary channels
-Have backup systems and contingency plans ready for inevitable incidents

Best Practices for Law Firm Email Security

Implement robust email security gateways to filter incoming threats -

Look for solutions with AI-driven phishing detection, sandboxing of attachments, impersonation identification, and integration of threat intelligence feeds. Gateways should block known and zero-day threats before reaching inboxes.

Upgrade endpoints with next-gen antivirus -

Endpoints need advanced protections beyond signatures to block malware, scripts, and techniques that evade traditional antivirus. Look for ML-based malware detection, script analysis, memory exploit prevention, and behavioural monitoring.

Require strong multi-factor authentication (MFA) -

MFA should be mandatory for all email accounts, remote network access, VPNs, financial systems, and client portals. Use MFA apps or hardware tokens and passwords to defend against credential theft.

Filter and monitor outbound email traffic -

Outbound email filters look for signs of data theft, like personal information, suspicious attachments, or externally emailed account numbers. DLP and CASB tools can help detect risky email-borne data flows.

Isolate financial transaction systems -

Keep payment systems on isolated networks protected by physical and logical access controls, with transaction approvals occurring on separate authenticated systems.

Develop and test incident response plans -

Have playbooks to guide rapid response to email incidents like wire fraud, data theft, and malware outbreaks. Run exercises to test and refine projects.

Train staff continuously on threats -

Conduct frequent end-user awareness training focused on social engineering, phishing, and business email compromise scams leveraging real-world examples relevant to legal practice. Update as new techniques emerge.

Perform simulated phishing attacks -

Schedule regular mock phishing campaigns impersonating clients, vendors, and internal contacts to teach employees to recognise and report lures before mistakes are made.

Monitor user awareness metrics -

Track testing results, training completion, and phishing click rates to measure readiness and high-risk behaviours.

Partner with managed security providers -

Augment internal teams with outside expertise in deploying, monitoring, and managing layered email defences and threat intelligence.

The cautionary tales of email threats run amok and serve to educate all law firms. As criminals grow more sophisticated, so must defences. With advanced technical protections, vigilant training, and response plans, law offices can avoid tomorrow's headlines of fortunes and reputations vanishing overnight. Your business must take action before it is too late - the stakes could not be higher.

What is the next step to protecting your business from this impending threat?

Some Law firms are big enough to hire a complete IT and cybersecurity department. While being more expensive than contracting a cybersecurity firm with expertise in the domain of defending targeted valuable data, it is also less efficient because the IT team your business will hire not only pays their full salary each year and pays for extra equipment, they lack the everyday experience that cybersecurity firms gathered from dealing with multiple attacks daily. The next step is hiring a firm that is well-versed in every kind of security practice and service, from penetration testing to email security services to infrastructure and training (meaning we make sure that your infrastructure is well built and well maintained, and we train your employees to detect and avoid schemes that could cost your firm millions). Join our 2500+ trusted partners under the Microminder safety net, which we work to keep your data safe and focus on what you do best; scaling your business.