Law firms face a higher-than-average risk of cyber attack because they combine three things criminals prize: large, time-pressured money transfers, volumes of personally identifiable information, and a trusted position in clients' communications. Business Email Compromise (BEC), ransomware, and data theft are the dominant threats - and the consequences include ICO fines, reputational damage, and direct financial loss.
The following sections detail how each vulnerability is exploited - and what managing partners and practice managers can do to reduce their firm's exposure.
Why is cyber security such an issue for law firms?
Much of the information law firms handle is highly personal and confidential in nature, which brings regulatory obligations and also makes it attractive to criminals. From small individual solicitors' practices and high-street partnerships to well-known regional and national companies, law firms are a magnet for cyber criminals.
There are some good reasons for this.
Why do large money transfers make law firms a target for cyber criminals?
Conveyancing deals often complete at short notice and involve huge money transfers - perfect opportunities for Business Email Compromise (BEC) attacks.
Law firms frequently handle large sums of client money. Importantly, this money is often "passing through" between different parties, so there can be a large number of very high-value transactions, sometimes under high pressure and tight deadlines. Much of the communication between parties is done by email, which is not secure.
According to UK Finance's Annual Fraud Report 2024, total fraud losses across the UK reached £1.17 billion in 2023, with authorised push payment (APP) fraud - the category covering conveyancing and payment redirection fraud - accounting for a significant share. The legal sector is one of the highest-value vectors for this type of fraud, precisely because individual conveyancing transactions can each exceed £100,000.
The typical BEC attack chain targeting a conveyancing transaction follows a consistent pattern: criminals first compromise the email account of a client, counterparty, or the firm itself; they then monitor the thread silently, waiting for a payment instruction; and at the moment of completion - when deadlines are tight and pressure is high - they impersonate one of the parties and redirect funds to a controlled account. By the time the fraud is discovered, the money is gone.
"Better to ask when, not if, you will be targeted by online criminals."
- Paul Philip, then-Chief Executive, Solicitors Regulation Authority
Why is the PII and confidential data held by law firms so valuable to criminals?
GDPR and other legislation mean that law firms have legal and ethical reasons to manage their clients' information carefully.
Legal transactions of all types - from conveyancing to court proceedings - require volumes of highly sensitive, confidential, and personally identifiable information (PII) to be transmitted, stored, and exchanged. Such information is a valuable currency in its own right to criminals, and so must be protected throughout its lifecycle. This is an area where law firms must consider secure transactions and document management solutions.
The table below maps the five primary attack types targeting law firms to how they work in practice and the controls that address each one.
| Attack Type | How It Targets Law Firms | Recommended Control |
|---|---|---|
| Business Email Compromise (BEC) | Criminals intercept email threads between firm, client, and counterparty to redirect payment instructions - particularly during conveyancing completions where time pressure is highest and verification shortcuts are most tempting. | Enable Multi-Factor Authentication (MFA) on all email accounts; verify payment instruction changes by telephone using a known number, never one provided in the suspicious email. |
| Ransomware | Ransomware-as-a-service groups conduct opportunistic attacks on UK professional services firms, encrypting case management systems, client files, and billing records. The NCSC's threat assessments have consistently identified UK legal firms as a target for ransomware groups exploiting unpatched software and weak credential controls. | Apply security patches promptly; maintain offline backups; segment networks so a single compromised endpoint cannot spread to the entire practice. Rapid incident response capability is also critical for containment. |
| Phishing | Staff receive emails impersonating clients, courts, Land Registry, HMRC, or counterparty solicitors - designed to harvest credentials or deliver malware. According to the Department for Science, Innovation and Technology's Cyber Security Breaches Survey 2024, phishing was experienced by 84% of businesses that identified a cyber attack. | Run regular phishing simulation exercises; train staff to verify unexpected requests through a separate channel; use email filtering that flags external senders. |
| Credential Theft | Stolen login credentials - often harvested via phishing or purchased from criminal marketplaces - give attackers access to case management portals, cloud storage, and client communication platforms. A single compromised account has been known to bring down an entire infrastructure. | Enforce MFA across all systems; use a password manager to prevent credential reuse; audit access logs for unusual login patterns or off-hours activity. |
| Malware in Documents | Clients and counterparties routinely open documents from their solicitor without hesitation - making a malware-laden attachment sent under a compromised firm email address an extremely effective delivery mechanism. | Implement document management solutions that scan attachments before delivery; train staff to recognise unexpected macro-enabled documents; restrict macro execution by policy. |
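The "Credential Theft" row above recommends auditing access logs for unusual login patterns or off-hours activity. The script below is an added illustration of that control and is not part of the original article: it runs three simple checks over a constructed, space-separated sign-in log (timestamp, account, outcome, source country) and reports logins outside business hours or at weekends, logins from a country the firm does not normally see, and a successful login that follows a burst of failures. The log format, the example-law.co.uk accounts, the business-hours window and the "known countries" set are all assumptions; adapt them to whatever your email or case management platform actually exports.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample sign-in log (not real data): timestamp, account, outcome, source country.
SAMPLE_LOG = """\
2024-05-07T09:02:11 alice@example-law.co.uk SUCCESS GB
2024-05-07T09:15:40 bob@example-law.co.uk SUCCESS GB
2024-05-07T12:30:05 alice@example-law.co.uk SUCCESS GB
2024-05-07T23:41:12 alice@example-law.co.uk SUCCESS NG
2024-05-08T02:10:01 bob@example-law.co.uk FAILURE GB
2024-05-08T02:10:07 bob@example-law.co.uk FAILURE GB
2024-05-08T02:10:14 bob@example-law.co.uk FAILURE GB
2024-05-08T02:10:21 bob@example-law.co.uk FAILURE GB
2024-05-08T02:10:30 bob@example-law.co.uk SUCCESS GB
2024-05-08T10:05:00 carol@example-law.co.uk SUCCESS GB
"""

# Assumed policy values; tune these to the firm's own working pattern.
BUSINESS_START = time(7, 0)          # logins before 07:00 are "off hours"
BUSINESS_END = time(20, 0)           # logins at or after 20:00 are "off hours"
KNOWN_COUNTRIES = {"GB"}             # countries the firm's staff normally sign in from
FAILURE_BURST = 3                    # this many failures ...
BURST_WINDOW_SECONDS = 300           # ... within this window, then a success, is suspicious


def parse_log(text):
    """Turn the raw log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, country = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "outcome": outcome,
            "country": country,
        })
    return events


def audit_logins(events):
    """Return a list of (account, finding, detail) tuples for successful logins that look unusual."""
    findings = []
    recent_failures = defaultdict(list)   # account -> timestamps of failures since last success

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["outcome"] == "FAILURE":
            recent_failures[user].append(ev["ts"])
            continue

        # Successful login: apply each check.
        t = ev["ts"].time()
        if ev["ts"].weekday() >= 5 or not (BUSINESS_START <= t < BUSINESS_END):
            findings.append((user, "off_hours_login", ev["ts"].isoformat()))

        if ev["country"] not in KNOWN_COUNTRIES:
            findings.append((user, "login_from_unexpected_country", ev["country"]))

        window = [f for f in recent_failures[user]
                  if (ev["ts"] - f).total_seconds() <= BURST_WINDOW_SECONDS]
        if len(window) >= FAILURE_BURST:
            findings.append((user, "success_after_failure_burst",
                             f"{len(window)} failures in {BURST_WINDOW_SECONDS}s"))

        # A success resets the failure history for that account.
        recent_failures[user] = []

    return findings


if __name__ == "__main__":
    for account, finding, detail in audit_logins(parse_log(SAMPLE_LOG)):
        print(f"{account}: {finding} ({detail})")
```

On the constructed log this flags alice's late-night login from an unexpected country and bob's success after four rapid failures; carol's ordinary daytime login produces nothing. None of these findings is proof of compromise on its own, but each is the kind of event that should prompt a check with the account holder and, where MFA is not yet enforced on that account, a reason to enforce it.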
How does a law firm's trusted position increase its exposure to cyber attack?
Whether by email or cloud services, legal firms often find themselves acting as the communication hub between multiple clients and service providers - and so hold a unique position of trust.
Many different people are expecting to receive and open documents, any one of which might be compromised by malware. They will not think twice before clicking to open a document from their solicitor or legal advisor - and the Cyber Security Breaches Survey 2024 confirms that phishing exploits exactly this trust, accounting for the majority of successful cyber attacks on UK organisations. Communications from law firms must therefore be even more secure than in many other industries.
A client's email account is not under your control
For many legal businesses, the proportion of high-value, time-critical transactions carried out with often inexperienced home users - over whose home setup the firm has no security control - is a real threat that has to be addressed. A client using an unprotected home device or a compromised personal email account can become the entry point for an attack on the firm itself.
Why should you worry about cyber security for your law firm?
Many in the legal sector ask why they should worry about a cyber attack. Either they are "too small to be a target" or "too large and well protected to be impacted". Of course neither is true. The Solicitors Regulation Authority (SRA)'s own research has found that the vast majority of law firms have been targeted by a cyber attack - and the volume and sophistication of those attacks continue to increase. Ransomware-as-a-service groups documented by the NCSC conduct opportunistic scans of UK networks indiscriminately, identifying vulnerabilities regardless of the size of the firm behind them.
I'm too small to be a target.
There are two reasons why this is not true. Firstly, criminals have realised that smaller companies with limited security teams and budgets are actually easier targets and can be just as profitable.
The second reason is the increased automation of cyber attacks. Just as with many industries - not least the legal sector itself - automation makes it possible to reach many more customers with individually targeted services.
Cyber crime is no different. Automated vulnerability scanners target IP ranges indiscriminately, regardless of firm size. Typically the resulting access to your environment - whether stolen credentials or an exploitable software vulnerability - is sold on to other criminals. These specialists might then launch a completely automated ransomware attack.
Automated attacks can compromise systems with minimal attacker effort.
We're too big to be breached.
Breach likelihood is independent of firm size. The difference might only be in the level and sophistication of the attack and in the amount of the resulting ransom the criminals demand. Of course larger firms have dedicated security staff and increased budgets and so may be a more challenging target - but they are most likely protecting larger clients and able to pay significantly higher "recovery fees". And the automated tools still scan you, no matter how large or complex you are.
At some point a phishing email _will get through._ And one account has been known to bring down an entire infrastructure.
So what might it cost you?
The SRA and the Law Society both say that the impact in other ways is often much more significant than the cost of a ransom demand. There are many possible costs to a successful cyber breach.
- Money - both in terms of ransom payments and direct loss of stolen funds
- Reputation - possibly the most impactful of all losses is the loss of client trust
- Time - loss of billable hours and staff time dealing with a breach can run into weeks and longer
- Insurance Premiums - as with most insurance, paying out usually means paying more
- Regulatory Penalties - various bodies have the power to levy fines on top of the immediate costs, including the ICO under GDPR
- Stress and Pressure - to partners and staff alike. Don't underestimate the impact of crime on people
What does a real law firm data breach look like?
In March 2022, the Information Commissioner's Office (ICO) fined Tuckers Solicitors LLP £98,000 following a ransomware attack in August 2020 that exposed the personal data of hundreds of thousands of individuals, including highly sensitive court bundle data. The ICO enforcement notice is available via the ICO enforcement register - search for "Tuckers Solicitors" or use a Wayback Machine archive of the original notice for the full detail.
Crucially, the fine did not relate to the data loss itself - it related to the absence of adequate security controls. The specific failings identified were:
- using only simple password sign-in without Multi-Factor Authentication (MFA)
- no encryption of sensitive data
- having out-of-date systems with known vulnerabilities
Under GDPR Article 5(1)(f) - the "integrity and confidentiality" principle - data controllers are required to process personal data "in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures." The ICO found Tuckers had failed to meet this standard. The ICO's plain-language guidance on Article 5(1)(f) sets out what "appropriate technical measures" means in practice - and MFA, encryption, and patching are explicitly included.
The Tuckers case illustrates the regulatory cost of a breach, but it is far from the only type of loss. BEC attacks on conveyancing transactions result in direct client funds loss that falls outside the scope of ICO enforcement but can be even more damaging - combining immediate financial harm to clients with the reputational destruction of being the firm through which client money was stolen.
What can you do about it?
The good news is that the most effective controls are not exotic or expensive. According to the Cyber Security Breaches Survey 2024, phishing is the dominant attack vector - and phishing attacks are substantially disrupted by a small number of well-established technical controls. The priority actions for any law firm are:
- Enable Multi-Factor Authentication (MFA) on all email accounts, case management systems, and cloud services - the single most effective control against credential theft and account takeover.
- Implement encrypted document management for the transmission and storage of client files and sensitive case materials - this limits the damage if an attacker does gain access.
- Run regular phishing simulations to build staff awareness and measure your firm's susceptibility - staff who have been tested are significantly less likely to click on real attacks.
- Apply vulnerability scanning and prompt patching - automated ransomware tools exploit known, patchable vulnerabilities. Keeping systems up to date removes the most common entry points.
Both the Solicitors Regulation Authority's cybercrime guidance and the Law Society's cyber security guidance for solicitors provide detailed, sector-specific guidance on implementing these controls. The NCSC's Small Business Cyber Security Guide is also directly applicable to smaller and mid-size practices. You are not alone - there are robust frameworks and dedicated resources available for firms of every size.
Visit our Legal Sector cyber security page for tailored guidance, resources, and useful links.
Frequently Asked Questions
Why are law firms such an attractive target for cyber criminals?
Law firms combine three characteristics that make them exceptionally valuable targets: they handle large, time-pressured money transfers (particularly in conveyancing) that are vulnerable to Business Email Compromise; they hold large volumes of personally identifiable information and confidential business data that has significant value on criminal marketplaces; and they occupy a trusted position as the communication hub between multiple parties, meaning a compromised firm email account carries automatic credibility with clients and counterparties.
Are small law firms really at risk of cyber attack?
Yes. Smaller firms are often more attractive targets, not less, because they typically have smaller security teams, lower budgets, and fewer controls in place. Automated vulnerability scanners and ransomware-as-a-service tools do not discriminate by firm size - they scan entire IP ranges and exploit whatever weaknesses they find. A small high-street practice handling conveyancing or family law matters holds the same type of valuable client money and PII as a national firm, and may be significantly easier to compromise.
What is Business Email Compromise and how does it target law firms?
Business Email Compromise (BEC) is a form of fraud in which criminals gain access to - or convincingly impersonate - a legitimate email account, then use it to redirect a payment. In the legal sector, the most common version targets conveyancing completions: the attacker monitors an email thread between the firm, the client, and the counterparty, waits until a payment instruction is issued, and then sends a fraudulent message redirecting the funds to a criminal account. The attack exploits deadline pressure and the inherent trust clients place in communications from their solicitor.
What regulatory consequences can a law firm face after a cyber breach?
The consequences extend beyond the ICO. The ICO can levy fines under UK GDPR - as it did with Tuckers Solicitors LLP (£98,000 in March 2022) - for failure to implement appropriate technical security measures under Article 5(1)(f). The SRA may also take regulatory action against a firm or individual solicitors. Beyond formal penalties, firms face the reputational loss of client trust, potential civil liability to affected clients, increased professional indemnity insurance premiums, and significant staff time and legal costs in managing the aftermath.
What are the most important cyber security steps a law firm should take first?
The four highest-impact starting points are: (1) enable Multi-Factor Authentication on all email and case management accounts; (2) implement encrypted document management for client file transmission and storage; (3) run a phishing simulation to establish your current staff susceptibility baseline; and (4) conduct a vulnerability scan to identify unpatched systems. The SRA's cybercrime guidance and the Law Society's cyber security guidance for solicitors both set out the expected standard for firms in detail.