Law Firms See Spike in Number of Cyber-Attacks

BEC attacks in particular are seen as a threat.


The number of cyber-attacks directed against UK law firms rose by 77% in the past year.

According to chartered accountants Lubbock Fine, there were 954 attacks detected - up from 538 the year before.

The company said that the wave is driven by criminals seeing law firms as prime targets for ransomware attacks or blackmail, due to the sensitive personal and financial information they hold, which hackers can sell on the dark web or threaten to publish on the internet. 

“The data that law firms hold on behalf of their clients is often highly sensitive – and therefore, valuable if you intend to blackmail a law firm,” Lubbock Fine partner Mark Turner told the Law Society Gazette.

“This makes them a very attractive target. Hackers will often demand a blackmail payment from law firms or threaten to post that sensitive data on the internet.” 

Three-Quarters Impacted

Nearly three-quarters of the UK’s top 100 law firms have been impacted by cyber-attacks, according to a report by the National Cyber Security Centre, while a 2023 survey by PwC found that spending on cyber risk has increased significantly among larger law firms.

Also, 85% of the top 100 law firms say they “are extremely or somewhat concerned about cyber threats” and 100% now have a dedicated cyber security chief or equivalent.

Brian Boyd, head of technical delivery at i-confidential, said: “Law firms are mostly aware of their cyber risks and must continue to up their game and work proactively to protect their assets – especially when attack activity against them is clearly so high.

“This involves training employees on phishing scams and Business Email Compromise (BEC) attacks, and adopting processes where all financial transactions are verified verbally before they are actioned.

“These organisations must also adopt security controls to protect their networks against ransomware attacks and malware, and also ensure all suppliers are vetted, so criminals can’t find an easy way to breach them via a weak link in their supply chain.”

Warnings were made last year about an increase in BEC attacks on law firms, particularly where attackers find new ways to circumvent multi-factor authentication measures. Boyd said that as law firms often transfer large sums of money to clients on a regular basis, BEC attacks are more prevalent.

“The requests will be made to look like they have been sent by another employee and will often request an urgent transfer, which results in the email being actioned and law firms losing millions of pounds,” he said.


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
