South Carolina Lawyers Weekly staff, December 4, 2024
By Gina F. Rubel
(First in a series)
Law firms and their clients are facing an unprecedented rise in cybercrime, with 2024 being the biggest year yet for cybersecurity incidents. The American Lawyer and Bloomberg Law report that at least 21 law firms filed data breach reports to state attorneys general offices in the first five months of 2024, preceded by 28 law firm breach reports in 2023 and 32 in 2022.
To the uninitiated, the cybersecurity threat trajectory might appear to be downward. However, every year the severity of attacks is worse, reflecting the growing sophistication of the perpetrators.
According to one survey, more than half of law firm respondents who experienced a security breach lost confidential client data — among the worst things that can happen to a law firm.
To a cybercriminal, law firms are a treasure-trove of sensitive and confidential information, including intellectual property, internal personnel and financial records, and business, financial and personal client information. Cyberattacks have exposed vulnerabilities within law firms, leading to significant financial losses, reputational damage and legal repercussions. Law firms have been subject to class-action lawsuits and have unknowingly contributed to insider trading that has cost companies millions of dollars—all because of cyberattacks.
In a recent review of ransomware attacks:
• Twelve percent of attacks on law firms resulted in a lawsuit. Of those, counting the 25% of matters that were settled out of court, the law firm lost every time.
• Only 26% of law firms believe their firm is “very prepared” to respond to cyber incidents.
• In one survey, 39% of law firm respondents reported awareness of a security breach in the last year, and 56% lost confidential client data. Sixty percent identified the sophistication level of the attacks as the biggest challenge in reducing risk.
• Law firms face a global average ransom demand of $2.5 million.
Types of cyberattacks
Ransomware, phishing, smishing, vishing, social engineering, spoofing, denial-of-service attacks, and insider threats are among the sophisticated cyberattacks being directed at law firms.
• Ransomware: Ransomware is a type of malicious software (“malware”) that targets individuals, businesses and institutions, as well as any device with computing capabilities. Ransomware encrypts files, locking out users by rendering their data or systems inaccessible. Criminals then demand a ransom payment, typically in cryptocurrency, in exchange for the decryption key or the restoration of access.
Typically, ransomware spreads through unsolicited emails and employees who mistakenly click on genuine-looking links. Paying the ransom does not guarantee data recovery, and it might encourage further criminal activity. A growing number of ransomware gangs use double-extortion tactics, both stealing data and encrypting systems.
• Phishing, spear-phishing, smishing and vishing: These attacks commonly lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications. All typically create a call to action with urgency, curiosity or fear, and they confuse victims with deceptive messages that appear from trusted sources.
— Phishing: An umbrella term that often focuses on fraudulent emails and websites meant to steal data. Example: An email from a third-party vendor, such as a court reporter, asking users to reset their passwords due to a security breach, leading to a fake login page.
— Spear-phishing (business email compromise): A spear-phishing email is a scam that attempts to steal money or sensitive data from a business. Spear-phishing narrowly targets individuals, groups or organizations and evades multifactor authentication (also called “two-factor authentication”) and other safeguards. These personalized scams trick victims into divulging sensitive data, downloading malware or sending money to an attacker. Only proper cybersecurity training can challenge business email compromise.
— Smishing (aka “SMS phishing”): A form of phishing that invites users to reveal data through fraudulent text messages. Example: A text message alerting the recipient to a suspicious client funds transaction and urging them to click a link to verify the transaction on their Interest on Lawyers’ Trust Account.
— Vishing: This exploits voice communication, typically over fraudulent phone calls that induce victims to reveal personal information. Example: The receptionist receives a call from someone claiming to be from the state bar, stating that a partner failed to pay his or her bar dues and will face disbarment unless an immediate payment is made.
Few of the 3.5 billion smartphone users worldwide understand the dangers of clicking on a link in text messages or responding to unsolicited voicemail messages, making smishing and vishing two of the more lucrative forms of cyberattack.
• Social engineering: These tactics rely heavily on using multistep psychological manipulation to trick victims into giving away sensitive information.
• Spoofing: These tactics are supercharged with spoofing, where cybercriminals disguise themselves as a known or trusted source. According to CrowdStrike:
— Domain spoofing is a form of phishing where an attacker impersonates a known business or person with a fake website or email domain to fool people into trusting them.
— Email spoofing targets businesses through emails with forged sender addresses.
— Address Resolution Protocol (ARP) spoofing, or ARP poisoning, is an attempt by hackers to intercept data by tricking one device into sending messages to the hacker instead of the intended recipient.
• Denial-of-service attacks: This is a malicious, targeted attack that floods a network with false requests to disrupt business operations. In such an attack, users are unable to perform routine tasks, such as accessing email, websites, online accounts or other affected computer or network resources. A denial-of-service attack originates from a single system; a distributed denial-of-service attack launches from multiple systems at once.
These attacks generally resolve without losing data or paying ransom, but they cost time and money. Worst-case scenarios can involve so much downtime that a cascade of negative results can ensue — missed filing deadlines, deals blown up, and a host of issues that implicate professional conduct violations.
Insider threats
Insider threats are internal malicious actors, such as current or former employees, who have direct access to the company network, sensitive data and IP, as well as knowledge of business processes, company policies or other information. The risk of insider threats mandates that all law firms remove or restrict access to law firm data and information technology systems when any employee moves to a new job or is terminated.
Understanding a key distinction
While all cyberattacks are concerning, once you have reason to believe your law firm has been targeted, it’s important to differentiate between a cyber incident and a cyber breach. The consequences and necessary responses can vary significantly.
• Cyber incident (no data captured): A cyber incident refers to an event where a law firm’s security systems are compromised, but no sensitive data is captured or accessed by unauthorized parties. Examples include a successful denial-of-service attack that temporarily disrupts operations or an attempted phishing attack that is caught by the firm’s security measures.
While these incidents might not result in the direct loss of data, they can still expose vulnerabilities that need to be addressed to prevent future breaches.
• Cyber breach (data compromised): A cyber breach involves unauthorized access to sensitive or confidential information. This is the scenario that law firm IT departments fear the most. A breach can expose critical client data, such as Social Security numbers, financial records, HIPAA-protected personal information, or intellectual property.
The legal, financial, and reputational fallout from a breach can be catastrophic, often requiring significant resources to manage the aftermath and restore trust with clients and stakeholders.
Gina Rubel, a graduate of Widener University Commonwealth Law School, is the CEO and general counsel of Furia Rubel Communications.