
Why your law practice is an easy target for cyber criminals

Last week, I talked to a former hacker who now works to protect cyber attack victims. He told me why law practices are especially vulnerable to cyber attacks, writes Dr Edward Phelps.

Dr Edward Phelps, 10 August 2023, SME Law

For obvious reasons, I cannot reveal this hacker’s real name here, so let’s call him James. James has successfully hacked significant supermarket chains, pharmacy chains and large mining companies.

James said law practices are vulnerable. “They have copies of client identity documents, contracts, and bank info,” he told me. “And they don’t take many precautions.”

This is a significant problem because the Australian Cyber Security Centre found that almost half of Australian small businesses, a category that includes most law practices, were victims of a malicious cyber attack in 2022. The cost to each of these businesses averaged $45,000. A successful cyber attack can severely disrupt business activities and damage client trust, which can take years to rebuild.


James told me that hackers consider law practices low-hanging fruit because they usually lack robust security measures. The typical hacker targets hundreds or thousands of accounts at once, then compares the results of all those infiltration attempts and concentrates on the ones that succeed.

Here is another lesson from James the hacker: a surprising number of people still fall for phishing emails. When phishing, cyber criminals pose as reputable companies or acquaintances to trick you into installing malware or handing over personal information and passwords.

The data back this up. IBM’s X-Force Threat Intelligence report found that the average click rate for a phishing campaign is 17.8 per cent. For a team of five people, that means close to one click per campaign on average, and a roughly 62 per cent chance that at least one person clicks (1 − 0.822⁵ ≈ 0.62).

Understanding the different types of cyber attacks on law firms

  1. Phishing emails are the most common of the top 10 cyber risks that law practices must prevent. James said hackers commonly pretend to be the Australian Taxation Office, Linkt tolls, banks, or Auspost. They frequently embed some personal information about you in the message so it appears genuine.
The rest of the top 10 cyber risks include:

  2. Ransomware attacks: Hackers encrypt your crucial data and hold it hostage unless you pay a ransom for the key to unlock it. This is often the second stage of a phishing attack: once you click on the phishing email and give the hacker access to your systems, they steal or lock down your data and demand payment. You should not pay; always seek advice.
  3. Malware attacks are when hackers install software on your system without your permission. The software often makes your systems slow or unusable, and it usually also lets the attacker access your information or make other demands. It is common for hackers to use your compromised computer to launch further attacks against other unwitting victims.
  4. With man-in-the-middle attacks, hackers intercept your confidential communications like a sneaky eavesdropper. Hackers like James have set up a fake chat service that mimics their victim’s bank’s own chat. They pretend to be the bank in a chat with the target, then use the information the victim hands over to gain access to their accounts.
  5. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks flood your servers with so much traffic that they cannot respond. Your website or online services are crippled, and your clients are unable to reach them.
  6. SQL injection: Hackers exploit weaknesses in your web applications to read, alter or destroy your database. Any form field that is pasted into a database query without proper handling gives an attacker a way to rewrite the query.
  7. Insider threats come from unhappy employees or other “insiders” and can cause significant damage. This is why one of the first things my team does for our clients is to put in place strict rules that limit what each employee can access, and to disable that access promptly when they leave your organisation.
  8. Password attacks are one of the most common tactics. Hackers can try to trick you into giving up your password, but they can also use brute force. A hacker can try 2.18 trillion username/password combinations in 22 seconds. Rates like that apply when attackers are guessing against a stolen copy of your password database rather than typing into your login page, which is why a single leaked database can expose every short or predictable password in it. Passwords can only contain so many letters and numbers, so if your password is short or simple, they will find it. The longer, more complex and more random your password is, the less likely a brute-force attack is to succeed.
  9. Zero-day exploits: Unknown software vulnerabilities can lead to attacks before defences or patches are available. The SolarWinds incident shows what a sophisticated intrusion looks like, though it was a supply-chain attack rather than a zero-day: Russian hackers inserted malicious code into a legitimate SolarWinds software update, which was installed by over 18,000 customers. Embarrassingly for the US, the Russians even got into the systems of the Cybersecurity and Infrastructure Security Agency, whose job it is to prevent hacks.
  10. Drive-by downloads: Visiting an infected website or clicking a pop-up could download malware onto your system, leading to ransomware or another attack.
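Item 6 above describes SQL injection in a sentence. The following Python script is an added example written for this page, not code from the article or from Secure Konnect, showing what the weakness actually is. It builds a small in-memory SQLite table of constructed client records (the names and email addresses are made up), then runs the same search through a vulnerable query that splices user input into the SQL text and through a hardened, parameterised query. The function and table names are my own.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny client-records table
# of the kind a practice-management web app might expose through a search form.
SAMPLE_CLIENTS = [
    (1, "Alice Nguyen", "alice@example.com"),
    (2, "Bob Okafor", "bob@example.com"),
    (3, "Carol Diaz", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the user's input is spliced into the SQL text,
    so input containing a quote character changes the structure of the query."""
    sql = f"SELECT id, name, email FROM clients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterised query. The driver passes the value separately
    from the SQL text, so the input is only ever compared as data."""
    sql = "SELECT id, name, email FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run an honest search and a classic tautology payload through both versions."""
    conn = make_db()
    honest = "Alice Nguyen"
    # The payload closes the quoted string and appends an always-true clause,
    # turning "WHERE name = '...'" into "WHERE name = '' OR '1'='1'".
    payload = "' OR '1'='1"
    return {
        "vulnerable_honest": len(search_vulnerable(conn, honest)),    # 1 row
        "vulnerable_payload": len(search_vulnerable(conn, payload)),  # 3 rows: the whole table leaks
        "safe_honest": len(search_safe(conn, honest)),                # 1 row
        "safe_payload": len(search_safe(conn, payload)),              # 0 rows: payload treated as a literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The vulnerable version returns every client record for the payload because the attacker's quote character ends the string the developer intended and the rest of the input becomes part of the query. The parameterised version returns nothing, because the driver compares the whole payload, quotes and all, against the name column as plain data. Parameterised (prepared) queries are the standard fix; escaping input by hand is error-prone and is not a substitute.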
James tells me that hackers still successfully use all 10 techniques against unsuspecting law practices and other victims. The frustrating part is that all of them are relatively easy to defeat with a robust cyber security assessment and a straightforward set of protective measures.
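To put the brute-force figure in item 8 into perspective, here is an added worked example (mine, not the article's or Secure Konnect's) that takes the quoted rate of 2.18 trillion guesses in 22 seconds and computes how long an attacker at that speed would need to try every password of a given length and character set. The character-set sizes are the standard ones; the function names are my own, and the rate is assumed to be an offline hash-cracking rate, since no login page would accept guesses that fast.

```python
import math

# Attack rate quoted in the article: 2.18 trillion guesses in 22 seconds.
# Assumed here to be an offline rate against stolen password hashes; an
# online login form with rate limiting allows only a handful of tries per minute.
GUESSES_PER_SECOND = 2.18e12 / 22  # roughly 9.9e10 guesses per second

# Character sets an attacker would assume when enumerating a keyspace.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 94,
}

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the set."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace at `rate` guesses/s.
    On average an attacker hits the right one after about half this time."""
    return keyspace(charset_size, length) / rate


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def min_length_for(charset_size: int, years: float, rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose keyspace takes at least `years` to exhaust at `rate`."""
    target_guesses = years * SECONDS_PER_YEAR * rate
    length = 1
    while keyspace(charset_size, length) < target_guesses:
        length += 1
    return length


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    print(f"Attack rate: {GUESSES_PER_SECOND:,.0f} guesses per second\n")
    for label, size in CHARSETS.items():
        for length in (8, 12, 16):
            t = seconds_to_exhaust(size, length)
            print(f"{label:>20} x {length:2d} chars: {entropy_bits(size, length):5.1f} bits, "
                  f"exhausted in {human_time(t)}")
    print("\nLength needed to survive 100 years of guessing at this rate:")
    for label, size in CHARSETS.items():
        print(f"{label:>20}: {min_length_for(size, 100)} characters")
```

At the quoted rate, every eight-character lowercase password falls in about two seconds, while a random twelve-character password from the full printable set takes on the order of a hundred thousand years to exhaust. Length does more than complexity: adding characters multiplies the keyspace, whereas swapping a letter for a symbol only widens the character set. The calculation assumes the attacker has no shortcut, so a password built from dictionary words or a known pattern is far weaker than its length suggests.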

Protect yourself. Don’t let the hackers ruin your business.

Dr Edward Phelps, director of Secure Konnect Cyber Security