Cybersecurity for Law Firms: Top 3 Threats Lawyers Face and How to Prevent Them
Published on October 7, 2024 Law Practice Tips
Cybersecurity is something every law firm needs to be aware of. Whether you’re a sole practitioner or you run one of the largest law firms in the city, it’s crucial to keep cybersecurity top of mind. In this blog post, we’ll list some of the most common cybersecurity threats law firms face. We will also provide solutions to ensure your digital assets remain safe.
Phishing
Phishing, a form of social engineering attack, uses deception to acquire sensitive information from unsuspecting victims. Often taking the form of emails or text messages, phishing scams may seem unassuming but can have catastrophic consequences.
Many phishing emails include fake links that may seem safe but which, if clicked, will lead you to a website that may look just like your bank's login screen or your law firm’s employee portal.
If you’re not vigilant, the phishing scam will succeed in acquiring your personal details or infecting your computer or your law firm’s digital assets. Other phishing scams may ask you to download an app or an update, only for that download to be malware.
Cybercriminals can use stolen data in a myriad of ways, often resulting in the loss of funds or the leaking of personal and private information. Since many law firms deal in sensitive matters, it’s crucial for this data to remain safe and secure. A simple lapse in judgement can lead to disastrous consequences.
How to Spot a Phishing Scam
Have you ever received an email that looks normal, but the more you look into it, the stranger it seems? Perhaps the sender’s email address is slightly off (it may be missing a letter, or it might say “.com” instead of “.org”) or the email’s subject or the message itself doesn’t make sense the more you read it.
These obvious phishing emails tend to be filtered by your email provider and sent directly to the shadow realm (spam folder). If one makes it through your email’s filters, you should always click on “Report Phishing.” This way, you’ll train your email account to be on the lookout for similar phishing attempts.
Emails as Phishing Scams
You may receive an email asking for your login details or some banking information. Of course, it seems fishy (or phishy), so you call the number in the email for confirmation and hear a convincing voice at the other end telling you it’s safe to do what the email requests. Then, against your better judgement, you send over the information the email requested. Once that’s been sent, there’s no turning back. Pandora’s box has opened, shall we say.
To avoid this outcome, remember to stay vigilant. This may be difficult when you have to parse through countless emails daily, but just remember not to click any links unless you’re certain they’re safe. A great way to check is by simply hovering over (not clicking!) the link. When you hover your cursor over the link, the link’s address should appear at the bottom of your email app’s screen. If the link looks odd (perhaps it’s too long or it doesn’t include the website’s actual name) then you should report the email for phishing.
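The two checks described above, the slightly-off sender address and the hover-to-preview link test, can also be automated. The Python below is an added example, not part of the original post; the trusted domains and the sample message are made-up placeholders.

```python
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder domains the firm really uses (not from the post).
TRUSTED = ("examplelawfirm.org", "examplebank.com")

def sender_warning(from_header):
    """Flag a sender domain that is close to, but not exactly, a trusted one."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED:
        return None
    for good in TRUSTED:
        tld_swap = domain.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]
        if tld_swap or difflib.SequenceMatcher(None, domain, good).ratio() >= 0.9:
            return f"sender domain {domain} imitates {good}"
    return None

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(html_body):
    """Return (visible text, real host) for web links outside the trusted domains."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        url = urlsplit(href)
        host = url.hostname or ""  # urlsplit already lowercases the host
        inside = any(host == d or host.endswith("." + d) for d in TRUSTED)
        if url.scheme in ("http", "https") and not inside:
            flagged.append((text, host))
    return flagged

SAMPLE_FROM = "IT Help Desk <helpdesk@examplelawfirm.com>"  # constructed, not a real sender
SAMPLE_BODY = '<a href="https://examplelawfirm.org.login.example/x">examplelawfirm.org</a>'  # constructed
```

Note that the sample link starts with the firm’s real name, yet the host it actually opens ends in a different domain, which is exactly what hovering reveals.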
Texts as Phishing Scams
Sometimes, phishing attempts may appear in the form of text messages. Popular phishing texts mention UPS, USPS, or FedEx, stating that your package could not be delivered. These messages are almost always followed by a link. Even if you weren’t expecting a package, it may be easy to simply click the link out of curiosity. Since you can’t hover over the link, it will open your phone’s web browser.
Perhaps you’ll see a landing page that looks like the UPS website or maybe you’ll see something entirely different. The best course of action is to simply report these texts as spam. Most iPhones show a message at the bottom of texts that says, “This sender is not in your contact list.” Under that message, there’s a blue message that says, “Report Junk.” Play it safe and click this link. This will report the sender to Apple and delete the text.
Phone Calls as Phishing Scams
As technology continues to evolve and become more sophisticated, so do phishing scams and other cyberattacks. In fact, phishing scams may use an actual phone call where an AI chatbot emulates the voice of a higher-up employee (think your boss’s boss or the owner of the company: someone you may know by name but whose actual voice you might not be able to place).
If you receive a phone call from someone who claims to work at your firm, but you’ve never spoken to them before, play it safe and tell them you’ll call them back, then confirm with someone who works closely with them or contact them directly using their office number or work email. It never hurts to be safe in these situations.
Malware
Earlier we mentioned malware as something you may unknowingly download as part of a phishing scam. But what exactly is malware? Simply put, malware is software (literally “malicious software”) whose sole purpose is to harm your computer, server, or network.
Computer viruses are some of the most common forms of malware, but malware can also be hidden in common files like documents or images. In fact, you can unknowingly install malware on your computer by plugging in an infected flash drive or by visiting a malware-infected website.
A good rule of thumb is to never use flash drives you’ve found on the floor. While most browsers feature some degree of safety precautions against malware or potentially dangerous websites, some may slip by.
How to Protect Yourself from Malware
Again, by remaining vigilant and only clicking on safe links and downloading applications from reputable websites and developers, you’ll keep yourself safe from malware. In the event you do download malware onto your work computer (or if you’d like to check your computer for malware), you should run an antivirus scan. In fact, it’s a good idea to run these scans regularly to prevent malware from taking root.
If the antivirus software finds any malware on your system, you’ll be able to delete the malicious software. You can also delete the software manually if you know what it’s called. While this won’t undo any potential damage, it will stop any further damage from occurring.
Some popular antivirus software programs include:
Odds are your firm’s IT department already has an antivirus program up and running, but it’s a good idea to install some sort of protection on your own personal computer. While many antivirus programs are paid subscriptions, Malwarebytes offers a free option that’s quite powerful.
Ransomware
Although ransomware falls under the category of malware, it deserves its own spot on this list. Ransomware, as its name suggests, denies you the ability to access your data and programs until you pay a ransom. This can be disastrous when it comes to sensitive client data.
Take the 2016 ransomware attack on Rhode Island-based law firm Moses Afonso Ryan, which “locked down the firm’s computer files for three months.” While the firm eventually paid the ransom of $25,000, they lost more than $700,000 in billable hours during the three months when the attack took place.
Law firms can become victims of ransomware as part of a phishing or malware attack. The best way to protect yourself against ransomware is by remaining vigilant and practicing caution when opening links, downloading files, or entering sensitive data into websites. The Cybersecurity & Infrastructure Security Agency (CISA) has a great guide on how to protect yourself against ransomware. CISA also offers free cyber hygiene services you can use to assess, identify, and reduce exposure to cyberattacks such as ransomware.
Start Taking Cybersecurity Seriously Before It’s Too Late
Cyberattacks will continue to become more sophisticated and difficult to detect. As such, it’s crucial to be proactive when it comes to cybersecurity. In addition to running antivirus software, it’s also important to encrypt your data. If you’re going fully remote or becoming a paperless law firm, sensitive client and firm data can be susceptible to cyberattacks. By encrypting your firm’s files, you can keep sensitive data safe. Even if hackers successfully gain access to your data, they won’t be able to use any of it without the decryption key, since it’ll be fully encrypted.
For further insight into the benefits of cybersecurity for law firms, look at these publications from TexasBarCLE:
Otto Nicli
Otto Nicli is part of the State Bar's Web team and serves as the blog writer for the Texas Bar Practice website. He also plays a part in marketing and video production. In his free time, he enjoys watching Top Chef with his wife, collecting records, reading, and going to shows.