Embroker Team April 22, 2024 8 min read

Law Firm Ransomware and Phishing Prevention

Woman with head in hands next to computer screen with legal balance scale escaping to symbolize law firm ransomeware prevention

February of 2021 saw a significant ransomware attack on Campbell Conroy & O’Neil law firm that had stunned the legal world when they learned of it in July. The reason this law firm ransomware attack was so shocking is the size of the victim. Campbell Conroy & O’Neil is one of the largest law firms with an impressive client list that includes giants like Boeing, British Airways, Apple, Ford, IBM, Exxon, Johnson & Johnson, Pfizer, Jaguar, and a whole host of Fortune 500 companies.

The ongoing investigation hasn’t yet determined if the criminals got their hands on any specific information. However, given the amount of sensitive personally identifiable information (PII) belonging to the rich and the powerful the firm stored on its systems, the potential fallout could be enormous.  

Grubman Shire Meiselas & Sacks was a victim of a similar attack in May 2020. The REvil ransomware criminal group breached the firm’s system, encrypted, and then stole their files. The criminals demanded a $42 million ransom, or they would leak the information the firm held on many celebrities and media companies who were their clients.

When Grubman Shire Meiselas & Sacks tried to negotiate, the criminals released 2.4GB of data on the dark web, and that data included Lady Gaga’s contracts and other legal information.

You might think that your firm is not big enough to be a lucrative target for cybercriminals since it doesn’t work with such influential clients. Well, that is not entirely accurate. 

A report by Covewave indicates that Q1 of 2021 brought an increase in ransomware attacks on small and medium-sized law firms. One of their previous reports indicated that 70% of ransomware incidents involved companies with fewer than 1,000 employees.

Whether ransomware is distributed through a phishing attack or in some other way, it is becoming the most prevalent type of cyber attack that can inflict significant damage to the victims’ networks.

How to Spot a Phishing Attack on Your Law Firm


Phishing attacks have become one of the most common types of cyberattacks, mostly because all it takes is a simple human error for criminals to access their victim’s system. The attacks are usually carried out through an email that requires the reader’s immediate attention and urges them to take action.

Whether it’s an infected attachment that an employee downloads to their computer, a link that leads to a fraudulent website, or a corrupted sign-in page where they should leave their credentials—a phishing attempt aims to trick the reader into providing them with the necessary information.

Phishing emails usually come from sources that appear to be verified and reliable, such as Microsoft or LinkedIn. However, a closer inspection of the email address usually reveals that it’s from a fake URL. 

Another red flag is the subject line of the phishing email. If the subject gives out a sense of urgency and demands immediate action from the recipient, there is a good chance it is a phishing attempt. Bad grammar and spelling are also telltale signs of a fraudulent email.

Criminals collect publicly available information about companies to make their messages more believable. Employees are more likely to open an email coming from their superior than from an outsider. Posing as a trustworthy source allows the attacker to manipulate their victim into giving away sensitive information.

Common Examples of Phishing Attacks on Law Firms

With the benefits of technology, cloud storage space, and online communication, law firms are actively transferring parts of their operations to the digital world. The advantages of conducting business online are numerous, from speeding up many processes, like archiving and data processing, to making it easier to meet with clients and get all the necessary information and documents from them. However, exposure to the Internet and online communication also brings security concerns.

Other than commonplace attacks that aim to infiltrate the law firm’s systems, some more sophisticated attempts have been made to extract money from legal professionals.

The most common scheme attackers use to trick lawyers involves fund transfers. These are usually elaborate schemes that include more than one perpetrator and a carefully thought-out plan of action.

One possible scenario happens when an alleged client that lives overseas signs a contract with a lawyer which authorizes the firm to cash a (counterfeit) cashier’s check for them and transfer the money into their overseas bank account. The cashier’s check comes from the party that allegedly owes the client money from previous business dealings, but is in fact, their accomplice in the scam.

Other variations involve an ex-wife who now lives abroad and expects alimony payments from her ex-husband or a person claiming to have inherited a fortune from a deceased relative.

Additionally, a particularly nasty variation occurs when the attackers impersonate the IRS or a law enforcement agency since those schemes can be particularly damaging to a law firm if an employee falls victim to one.

Ransomware Threats to Law Firms and Their Clients

It is not unusual that a law firm stores its clients’ Personal Identifiable Information (PII) or financial data. Firms that practice corporate law also keep clients’ business records, tax return information, and sometimes even information about potential mergers and acquisitions.

Given that all this data is extremely sensitive and valuable, law firms are very lucrative targets for cybercriminals. That data is not just a bargaining chip for the ransom but also merchandise they can take advantage of if necessary.

Law firms are also common targets because of their presumed weaker cybersecurity measures.

As we can notice, it is a fact that law firms stand to lose a lot in case of a successful ransomware attack— and not just financially. Their name can also be damaged, and since legal professionals heavily rely on their reputation, a ransomware incident can irreparably harm their practice.

In a successful law firm ransomware attack, cybercriminals take the confidential data hostage and threaten to release it to the public if the firm doesn’t pay the ransom immediately. There have been cases when attackers uploaded pieces of the stolen information onto the dark web, causing massive damage to the victims.

How Law Firms Respond to Ransomware Attacks

According to a survey by Capterra, nearly 70% of law firms paid the ransom the cybercriminals demanded from them. Two in three got their data back, while one-third of them never regained access to their stolen files.

Out of the 30% of breached law firms that didn’t pay the ransom, almost 90% of them were able to recover their data either by decrypting and removing the malware or through safe data backups.

Whether or not to pay the ransom is a tough call to make, especially since the future of your firm is at stake. Lawyers must also think about their clients and their sensitive information when making this decision. The best course of action is to consult cybersecurity experts and inform your insurer, who can offer some advice on how to handle the situation based on their previous experience.

Each incident is different, and there is no one solution that fits them all, so you will need all the help you can get to decide what to do in case of a ransomware attack on your law firm.

How to Protect Your Firm from Phishing and Ransomware Attacks

Now that we’ve acknowledged the danger phishing and ransomware attacks pose to law firms, let’s take a look at some best practices for protecting your firm from these incidents:

  • Educate your employees: Education is the best protection from phishing and ransomware attacks. All your employees should receive adequate training on how to recognize and report phishing without compromising critical information. Instruct them to verify the sender’s name, email address, and other contact information before clicking on any links or replying to the message. Ensure that your staff is familiar with typical phishing schemes attackers use to target law firms.
  • Restrict privileged access: Not all your employees require access to all the confidential files your firm stores. Define clearance levels for each position that would allow your employees to have access to files they need to do their jobs.
  • Secure your Remote Desktop Protocol (RDP): Reports indicate that RDP compromise is responsible for about 50% of ransomware attacks and that the black market is full of stolen credentials. If you are using Remote Desktop Protocol, look for expert assistance to ensure it is properly secured.
  • Use password management software: Do your research and pick the software that best suits your needs. It will allow your team to create and store foolproof passwords which are difficult to hack.
  • Implement multi-factor authentication: Use this as an additional security layer for all your business accounts.
  • Regularly update software: Picking the best security software for your business and keeping it updated is essential for ransomware protection.
  • Design a cyber incident response plan: Even though prevention is the most efficient way to protect your law firm from phishing and ransomware attacks, cybercriminals constantly find new ways to compromise their victims’ networks, and sometimes prevention is not enough. Since there is no perfect protection, you should also be prepared for the worst-case scenario. Designing a cyber incident response plan (especially one customized to your law firm) will enable you and your team to quickly respond to a cyber attack and minimize the damage it could inflict on your business.
  • Keep up with security best practices: Whether you have a cybersecurity expert in-house or you’ve hired a contractor, ensure that you follow all their security recommendations and implement all the protocols they design for your firm.
  • Invest in cyber insurance: If all your defense mechanisms fail and your law firm falls victim to a phishing or a ransomware attack, your best ally could be your insurer. Apart from the invaluable advice they can provide, they can also handle the potential fallout from the ransomware attack. A cyber insurance policy would cover the costs related to notifying the affected parties, computer forensics, credit monitoring, and possible civil damages. Cyber insurance would also pay for data loss and recovery, computer fraud, and cyber extortion, should you decide to pay the ransom.

If you still haven’t purchased a cyber liability insurance policy, now may be the best time to do that. If you are unsure about what kind of coverage you need, you can always talk to one of our experienced brokers who can assist you in finding the best policy for your firm. You can also sign up to Embroker’s digital platform and get your cyber insurance quote in under 10 minutes.

Related Articles

Woman presenting clipboard with lawyers professional liability step rating document on it
Insuring Your Law Firm: What Is LPL Step-Rating?

Insuring Your Law Firm: What Is LPL Step-Rating?

6 min read

Understanding LPL step-rating helps lawyers understand why their premiums will increase significantly over the first several years of coverage.

Read More
Woman shrieking as hand with legal balance scale comes out of computer monitor symbolizing law firm hacked
Law Firm Hacked? Here’s How to Prepare and Implement a Proper Response Plan

Law Firm Hacked? Here’s How to Prepare and Implement a Proper Response Plan

11 min read

Law firms have always been popular targets for hackers. What steps do lawyers need to take in the wake of a cyber attack?

Read More