Sanjiv Cherian, Cyber Security Director
Oct 22, 2023

Law Firms Under Attack: Cautionary Tales of Email Insecurity Run Amok

Imagine this all-too-real scenario. A busy M&A partner at a prominent law firm receives an email appearing to be from a trusted client requesting an urgent wire transfer to close a significant deal. The partner acts quickly on the client's instructions and initiates a $3 million wire. Only later does the partner discover that the client never sent the email.

The wire request was a phishing scam, and the money is gone without a trace. Once the fraud is discovered, panic ensues: clients are notified, bank accounts are frozen, and the phones ring off the hook. A lapse in email security has turned into a disaster.

While dramatic, this account mirrors actual incidents at elite law firms, which have recently cost millions in stolen funds. It highlights how an inadequate email security posture exposes even esteemed firms to risks they fall victim to at an alarming and escalating rate.

Law firms are ripe targets. Holding sensitive client information and client funds, they offer high rewards to cybercriminals. Yet basic email protections are often lacking. Outdated spam filters fail to stop phishing lures. Lawyers click malicious links and attachments, and data is exfiltrated without detection. Patient attackers move through systems completely unnoticed.

In this environment, email threats evolve rapidly and outpace static defences. New phishing tactics, business email compromise scams, and zero-day malware easily evade outdated controls. Partners underestimate the persistence and cunning of adversaries. Technical gaps need to be addressed even as firms undergo digital transformation, because the consequences are severe.

Email-borne attacks are the threat law firms encounter most often. Here is how they play out:

- Client impersonation scams coerce fraudulent wire transfers, diverting closing funds, settlements, and more into criminal accounts. Seven-figure thefts now occur with regularity.

- Business email compromise scams dupe personnel into purchasing fake gift cards, sending payments, and disclosing sensitive data to criminals posing as partners or vendors.

- Malware payloads in infected attachments infiltrate networks, spreading ransomware that locks down entire systems until sizable cryptocurrency payments are made. Entire firms are held hostage.

- Credential theft enables adversary account takeover, data exfiltration of case files and confidential documents, and lateral movement through systems.

- Spear phishing messages trick lawyers into compromising sensitive data on case strategies, M&A deals, intellectual property, and confidential litigation risks.

- Phishing links and attachments deliver loader malware such as Emotet, which installs further payloads that give attackers remote access and let them clandestinely traverse internal networks, stealing troves of confidential data.

Desperate for solutions, compromised firms hire forensic teams to investigate. Attorneys scrutinise ethics obligations and liability. Leaders are summoned before risk management committees. The reputational damage, unplanned downtime, and client mistrust multiply the toll of inadequate security.

What can other firms learn from these email-centred breaches and their severe impacts?

Common Email Security Mistakes
Not training employees to spot social engineering tactics -

Staff need continuous awareness of the latest phishing lures, business email compromise scams, and unsafe behaviours. Regular training is a must.

Allowing outdated spam filters to languish -

Legacy rules-based filters miss modern phishing, which is now generated and personalised at scale. Your business must upgrade to current platforms that combine machine-learning detection with sender authentication checks (SPF, DKIM and DMARC).

Neglecting multi-factor authentication -

MFA adds critical protection against stolen credentials, yet many firms still do not enforce it for email, VPNs, or financial systems. Your firm should universally require MFA.

Lacking advanced threat protection -

Basic signatures and blocklists cannot catch zero-day malware, weaponised documents, and other threats entering through email. Modern protections such as attachment sandboxing and heuristic analysis are essential.

Not monitoring outbound email -

Data loss prevention capabilities should inspect outbound mail for unauthorized sharing of sensitive documents, personal information, or signs of theft.

Poor backup practices -

Quickly restoring email services is crucial after malware or ransomware attacks. Regular backups with isolated storage and multiple recovery points enable resilience.

Overlooking internal risks -

Insiders with access to confidential information may abuse email for theft. DLP, monitoring, and least-privilege access mitigate this.

Not testing defences -

Running realistic phishing simulations, penetration testing and cyber exercises regularly provides visibility into readiness while honing responses.

With advanced solutions, training, and practices, law firms can defend against broadening email threats targeting lawyers, clients, and sensitive case data. But neglecting fundamentals is common.

Real-World Examples of Exploited Email Weaknesses

To keep your firm from becoming another statistic, remember that even well-known and well-resourced firms, including elite New York practices, have been hit, so your business must take this seriously. If your firm is not aware of them, here are some of the incidents and the lessons learned from them:

"In late 2022, elite New York firm Schulte Roth & Zabel fell victim to a phishing scam with $4 million stolen through a fraudulent wire transfer. Employees were duped into initiating transfers to foreign accounts because email accounts did not require multi-factor authentication."

"Philadelphia firm Fox Rothschild lost $600,000 in an email phishing incident in 2021. A hacker impersonated the firm's title insurance provider to trick employees into sending funds. Outdated defences failed to detect the scheme."

"In early 2022, a phishing attack on a sizeable Boston-based firm led to the theft of $600,000 when unknown hackers tricked employees into purchasing gift cards at the hackers' direction. The scam emails impersonated senior partners and went undetected by deficient email security tools, and the firm was not enforcing multi-factor authentication to prevent unauthorised access."

"A 2021 business email compromise scheme targeted the managing partner of a law office in London, compromising their inbox through an advanced socially engineered phishing email. The hackers studied previous correspondence and crafted messages impersonating a construction vendor to manipulate multiple payments totalling over £1 million into criminal accounts. Email security awareness training had lapsed at the firm."

These incidents illustrate legal organisations overlooking fundamental email security defences like staff training, MFA, phishing simulations, and upgrading obsolete controls, and patient attackers willing to study their targets meticulously. These gaps lead to massive financial and reputational loss for victimised firms. All law offices must recognise the need to implement layered people, process, and technology measures to avoid similar breach scenarios.

Lessons Learned
- Train employees continuously: phishing threats evolve rapidly
- Implement multi-factor authentication without exceptions
- Upgrade email security stacks continually, not just occasionally
- Never initiate financial transactions based solely on email requests
- Monitor outbound email traffic for signs of data theft
- Verify financial requests through secondary channels
- Have backup systems and contingency plans ready for inevitable incidents

Best Practices for Law Firm Email Security

Implement robust email security gateways to filter incoming threats -

Look for solutions with AI-driven phishing detection, sandboxing of attachments, impersonation identification (display-name matches against the staff directory, lookalike-domain detection, and SPF, DKIM and DMARC authentication results), and integration of threat intelligence feeds. Gateways should block known and zero-day threats before they reach inboxes.
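The impersonation checks such a gateway performs can be illustrated directly. The Python script below is an added example, not code from this article or from any vendor product: it parses an inbound message, compares the display name against a partner directory, compares the Reply-To and From domains, flags sender domains within one edit of a trusted domain, reads the upstream DMARC verdict from the Authentication-Results header, and looks for payment or urgency language, then turns the number of indicators into a deliver, quarantine or block decision. The firm domain, partner names, trusted client domain and the three messages are constructed assumptions.

```python
"""Inbound BEC / impersonation triage for a law firm's mail flow.

Added example, not from the original article. The firm domain, partner
directory, trusted client domain and the three sample messages below are
constructed assumptions for illustration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"                      # assumption: the firm's own domain
TRUSTED_DOMAINS = {FIRM_DOMAIN, "acme-client.test"}   # assumption: known client domains
PARTNERS = {"jane doe", "john smith"}                  # assumption: names attackers like to spoof
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|urgent|bank details|account number|iban|completion funds)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (l -> 1, rn -> m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain within one edit of a trusted domain (but not equal to it),
    or for a non-ASCII / punycode domain that may hide homoglyphs."""
    if domain in TRUSTED_DOMAINS:
        return False
    if not domain.isascii() or domain.startswith("xn--"):
        return True
    return any(edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS)


def bec_indicators(raw: str) -> list:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []

    if name.strip().lower() in PARTNERS and from_domain != FIRM_DOMAIN:
        reasons.append("partner display name on an external sender")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    # The gateway's own SPF/DKIM/DMARC verdict; anything other than dmarc=pass is suspect.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        reasons.append("DMARC did not pass")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if PAYMENT_TERMS.search(text):
        reasons.append("payment or urgency language")
    return reasons


def triage(raw: str) -> str:
    """Policy decision: three or more indicators block, one or two hold for review."""
    n = len(bec_indicators(raw))
    return "block" if n >= 3 else "quarantine" if n else "deliver"


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane.doe@example-law.test>\n"
    "To: accounts@example-law.test\n"
    "Subject: Draft SPA for review\n"
    "Authentication-Results: mx.example-law.test; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Please review the attached share purchase agreement.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@example-1aw.test>\n"
    "Reply-To: jane.doe.partner@mail.test\n"
    "To: accounts@example-law.test\n"
    "Subject: URGENT: wire transfer before closing\n"
    "Authentication-Results: mx.example-law.test; spf=pass; dkim=none; dmarc=none\n"
    "\n"
    "Process the wire to the new account today. Details to follow.\n"
)
CLIENT_SPOOF = (
    "From: Acme CFO <cfo@acme-client.test>\n"
    "To: jane.doe@example-law.test\n"
    "Subject: Updated bank details\n"
    "Authentication-Results: mx.example-law.test; spf=fail; dkim=none; dmarc=fail\n"
    "\n"
    "Our bank details have changed. Please send the completion funds to the new account below.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("client spoof", CLIENT_SPOOF)):
        print(label, triage(raw), bec_indicators(raw))
```

Note that the second message trips every check, while the spoofed client message (a real client domain whose DMARC check fails) only reaches the quarantine tier; that is deliberate, because a failed DMARC result alone is also what a misconfigured but genuine client looks like, and a human should review it rather than the gateway silently dropping it.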

Upgrade endpoints with next-gen antivirus -

Endpoints need advanced protections beyond signatures to block malware, scripts, and techniques that evade traditional antivirus. Look for ML-based malware detection, script analysis, memory exploit prevention, and behavioural monitoring.

Require strong multi-factor authentication (MFA) -

MFA should be mandatory for all email accounts, remote network access, VPNs, financial systems, and client portals. Use authenticator apps or hardware tokens rather than SMS codes; phishing-resistant FIDO2 security keys give the strongest protection against stolen and phished credentials.

Filter and monitor outbound email traffic -

Outbound email filters look for signs of data theft, such as personal information, suspicious attachments, or account numbers being emailed outside the firm. DLP and CASB tools can help detect risky email-borne data flows.
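As an added example, not code from this article or from any DLP product, the Python below shows an outbound rule of that kind: mail addressed only to the firm's own domain is ignored, and mail leaving the firm is checked for IBANs (validated with the ISO 13616 mod-97 checksum, so matter references that merely look like IBANs are not flagged), UK sort code and account number pairs, a privileged-document marking, and attachments. The firm domain, the marking and the four sample messages are constructed assumptions.

```python
"""Outbound DLP check for mail leaving the firm.

Added example, not from the original article. The firm domain, the
privileged-document marking and the four sample messages are constructed
assumptions; the IBAN check follows the standard ISO 13616 mod-97 rule.
"""
import re
from email import message_from_string, policy

FIRM_DOMAIN = "example-law.test"                                    # assumption
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")     # IBAN, spaces allowed
UK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")         # sort code + account no.
PRIVILEGED_RE = re.compile(r"privileged\s*(?:&|and)\s*confidential", re.I)  # assumption: firm's marking


def iban_valid(candidate: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35, and the resulting integer must be congruent to 1 mod 97. Rejecting
    failures keeps reference numbers that merely look like IBANs out of the alerts."""
    s = re.sub(r"\s+", "", candidate).upper()
    if not (15 <= len(s) <= 34 and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def mask(candidate: str) -> str:
    """Keep only the country/check digits and last four characters for the alert."""
    s = re.sub(r"\s+", "", candidate).upper()
    return s[:4] + "..." + s[-4:]


def scan_outbound(raw: str) -> list:
    """Findings for one outbound message; empty when every recipient is internal
    or nothing sensitive is present."""
    msg = message_from_string(raw, policy=policy.default)
    to_hdr = msg.get("To")
    recipients = {a.domain.lower() for a in to_hdr.addresses} if to_hdr else set()
    if not (recipients - {FIRM_DOMAIN}):
        return []  # internal traffic is out of scope for this rule
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    findings = []
    for m in IBAN_RE.findall(text):
        if iban_valid(m):
            findings.append(f"valid IBAN {mask(m)} sent externally")
    if UK_ACCOUNT_RE.search(text):
        findings.append("UK sort code and account number sent externally")
    if PRIVILEGED_RE.search(text):
        findings.append("privileged marking on external mail")
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()!r} to external recipient")
    return findings


# Constructed sample messages (not real traffic). GB82 WEST ... 32 is the
# well-known valid example IBAN; changing the last digit breaks its checksum.
INTERNAL_MAIL = (
    "From: jane.doe@example-law.test\nTo: finance@example-law.test\n"
    "Subject: Client account\n\nClient IBAN for the ledger: GB82 WEST 1234 5698 7654 32\n"
)
EXTERNAL_PAYMENT = (
    "From: jane.doe@example-law.test\nTo: cfo@acme-client.test\n"
    "Subject: Completion\n\nCompletion funds should be sent to GB82 WEST 1234 5698 7654 32 by Friday.\n"
)
EXTERNAL_REFERENCE = (
    "From: jane.doe@example-law.test\nTo: cfo@acme-client.test\n"
    "Subject: Your file\n\nOur file reference is GB82 WEST 1234 5698 7654 33, please quote it.\n"
)
EXTERNAL_PRIVILEGED = (
    "From: jane.doe@example-law.test\nTo: j.bloggs@webmail.test\n"
    "Subject: Re: settlement\n\nPRIVILEGED & CONFIDENTIAL\n"
    "Payment to go to sort code 20-00-00 12345678 as agreed.\n"
)

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MAIL), ("payment", EXTERNAL_PAYMENT),
                       ("reference", EXTERNAL_REFERENCE), ("privileged", EXTERNAL_PRIVILEGED)):
        print(label, scan_outbound(raw))
```

In production the findings feed a hold-and-review queue rather than a hard block, and the rule is tuned per firm: the privileged marking, the account formats and the list of internal domains all depend on how the practice actually labels and moves documents.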

Isolate financial transaction systems -

Keep payment systems on isolated networks protected by physical and logical access controls, with transaction approvals occurring on separate authenticated systems.

Develop and test incident response plans -

Have playbooks to guide rapid response to email incidents like wire fraud, data theft, and malware outbreaks. Run exercises to test and refine the playbooks.

Train staff continuously on threats -

Conduct frequent end-user awareness training focused on social engineering, phishing, and business email compromise scams leveraging real-world examples relevant to legal practice. Update as new techniques emerge.

Perform simulated phishing attacks -

Schedule regular mock phishing campaigns impersonating clients, vendors, and internal contacts to teach employees to recognise and report lures before mistakes are made.

Monitor user awareness metrics -

Track testing results, training completion, and phishing click rates to measure readiness and high-risk behaviours.

Partner with managed security providers -

Augment internal teams with outside expertise in deploying, monitoring, and managing layered email defences and threat intelligence.

These cautionary tales of email threats run amok should educate all law firms. As criminals grow more sophisticated, so must defences. With advanced technical protections, vigilant training, and tested response plans, law offices can avoid tomorrow's headlines of fortunes and reputations vanishing overnight. Your business must act before it is too late; the stakes could not be higher.

What is the next step to protecting your business from this threat?

Some law firms are big enough to hire a complete IT and cybersecurity department. That is more expensive than contracting a cybersecurity firm that specialises in defending high-value data, and often less efficient: an in-house team draws full salaries and needs extra equipment, and it lacks the day-to-day experience that a specialist firm gains from dealing with multiple attacks daily. The next step is engaging a firm well versed in every kind of security practice and service, from penetration testing to email security, infrastructure and training, meaning it makes sure your infrastructure is well built and well maintained, and trains your employees to detect and avoid the schemes that could cost your firm millions. Join our 2500+ trusted partners under the Microminder safety net, where we work to keep your data safe so you can focus on what you do best: scaling your business.
