Cyber security risk consultancy S-RM has warned that over the last two months law firms have increasingly become targets for cybercriminal groups that specialise in business email compromise (BEC).
While BEC is not a novel cyber threat, S-RM warns that the frequency and sophistication of these attacks have reached new heights, with law firms disproportionately affected. It says many of the tactics now employed by these threat actors effectively circumvent multi-factor authentication (MFA), making it increasingly difficult for firms to protect themselves through traditional means.
Among the new business email threats is evasion of multi-factor authentication, using techniques such as stealing session cookies and more advanced phishing techniques. Attackers are also pursuing persistent access: once a single breach has bypassed MFA, it gives them long-term access.
S-RM also says phishing emails are becoming increasingly sophisticated and harder to recognise as fraudulent. Threat actors are increasingly targeting remote-working platforms such as Microsoft Teams and using QR codes, in addition to traditional email lures. It warns that the ramifications of a successful attack are far-reaching and include not only reputational damage and financial loss, but increased regulatory scrutiny and higher insurance and professional indemnity premiums at the point of renewal.
Jamie Smith, global head of cyber security services at S-RM, said: “In this era of heightened cyber threats, law firms are more and more finding themselves in the crosshairs of sophisticated BEC attacks. Cybercriminals' ability to bypass multi-factor authentication and evade detection is alarming. It's a stark reminder that the traditional defence methods are no longer enough. Adaptation is crucial.”
To stay ahead of these threats, S-RM says organisations should review their existing multi-factor authentication measures and ensure their method is aligned to the FIDO2 standard. FIDO2 credentials are bound to the origin of the site they were registered with, so an assertion made on a look-alike phishing domain is rejected by the genuine service, which prevents most of the newer, more sophisticated types of phishing. However, this alone may not be enough: a session cookie stolen after a successful FIDO2 login still grants access. S-RM therefore advises reviewing security configurations and fine-tuning detection systems regularly to stay resilient against new campaigns and techniques, in addition to updating awareness campaigns to emulate criminals' changing methods.
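The following Go program is an added illustration of the two points above, the origin binding that makes FIDO2 phishing-resistant and the session cookie theft that still works afterwards; it is not code from S-RM or from any product. It models the WebAuthn assertion at the level the article discusses: the browser fills in the origin it is actually connected to in the client data, the authenticator signs over it with an Ed25519 key, and the relying party rejects any assertion whose origin is not its own. The authenticatorData structure (rpIdHash, flags, sign count) is reduced to a placeholder byte string, and the hostnames, IP addresses, challenge and user name are all constructed for the example. The second half shows why a post-login cookie is a bearer token and what a minimal client-binding check in the relying party looks like.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Origin the relying party (the firm's identity provider) registered the
// credential for. Constructed example hostname, not from the article.
const RPOrigin = "https://login.example-law.test"

// ClientData is the WebAuthn CollectedClientData. The browser, not the page,
// fills in Origin with the site it is actually connected to.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a FIDO2 security key holding the private key.
type Authenticator struct {
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthenticator() Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator{Priv: priv, Pub: pub}
}

// signedMessage reproduces what a FIDO2 authenticator signs:
// authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// BrowserAssert models the browser plus authenticator side of
// navigator.credentials.get(). origin is whatever host the browser is talking
// to; behind an adversary-in-the-middle phishing proxy that is the proxy.
func BrowserAssert(a Authenticator, origin, challenge string) (cdJSON, authData, sig []byte) {
	cd := ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}
	cdJSON, _ = json.Marshal(cd)
	// Real authenticatorData is rpIdHash|flags|signCount; elided here.
	authData = []byte("authenticatorData-placeholder")
	sig = ed25519.Sign(a.Priv, signedMessage(authData, cdJSON))
	return cdJSON, authData, sig
}

// VerifyAssertion is the relying-party check. It fails closed when the origin
// the browser signed is not the RP's own origin or the challenge is stale.
func VerifyAssertion(pub ed25519.PublicKey, expectedChallenge string, cdJSON, authData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Origin != RPOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch or replay")
	}
	if !ed25519.Verify(pub, signedMessage(authData, cdJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Session is what the RP issues after a successful login. The token is a
// bearer secret: a copy lifted from the browser works from anywhere unless
// the RP also checks something the thief does not have.
type Session struct {
	User     string
	ClientIP string
}

type SessionStore map[string]Session

func (s SessionStore) Issue(user, clientIP string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	s[tok] = Session{User: user, ClientIP: clientIP}
	return tok
}

// Use validates a presented session cookie. With bindToClient=false it is a
// pure bearer check, which is why cookie theft bypasses MFA. With
// bindToClient=true the token is rejected when presented from another client.
func (s SessionStore) Use(tok, clientIP string, bindToClient bool) (string, error) {
	sess, ok := s[tok]
	if !ok {
		return "", errors.New("unknown session")
	}
	if bindToClient && sess.ClientIP != clientIP {
		return "", fmt.Errorf("session for %s reused from %s, issued to %s", sess.User, clientIP, sess.ClientIP)
	}
	return sess.User, nil
}

func main() {
	auth := NewAuthenticator()
	challenge := "per-login-nonce-0001" // constructed

	cd, ad, sig := BrowserAssert(auth, RPOrigin, challenge)
	fmt.Println("direct login:", VerifyAssertion(auth.Pub, challenge, cd, ad, sig))

	// Same key and user, but the browser is on a phishing proxy that relays
	// the RP's real challenge. The signed origin is the proxy's, so the RP refuses.
	cd, ad, sig = BrowserAssert(auth, "https://login.example-law.test.evil-proxy.test", challenge)
	fmt.Println("via AiTM proxy:", VerifyAssertion(auth.Pub, challenge, cd, ad, sig))

	// FIDO2 held, but the post-login cookie was stolen from the endpoint.
	store := SessionStore{}
	tok := store.Issue("partner@example-law.test", "203.0.113.10")
	_, err := store.Use(tok, "198.51.100.7", false)
	fmt.Println("stolen cookie, bearer check:", err)
	_, err = store.Use(tok, "198.51.100.7", true)
	fmt.Println("stolen cookie, client-bound check:", err)
}
```

Binding a session to a source IP is only a stand-in for the idea that the session must carry more than the cookie; in practice mobile and corporate networks change addresses mid-session, so production deployments use conditional-access signals or device-bound session mechanisms instead, and the log line produced on a mismatch is the sort of signal the detection tuning S-RM recommends should alert on.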
Dan Caplin, director of cyber security at S-RM, added: “The rise in targeted email compromise attacks against law firms is a pressing concern for the legal industry. The attackers' evolving tactics, from session cookie theft to increasingly convincing phishing, challenge our conventional defences. Law firms must prioritise advanced security measures, detection and cyber resilience to protect their clients, reputation, and bottom line.”