Why Law Firms Are a Target
If you run a small or mid-sized law firm, there is a good chance you think of cybersecurity as something that happens to big corporations. That very assumption puts your firm and your license at risk.
Law firms are enticing targets for a specific reason that does not apply to most other small businesses: you hold other people's most sensitive information, and you move their money. A three-attorney personal injury firm has settlement funds in trust. A five-person real estate practice handles escrow accounts with six-figure wire transfers on a weekly basis. A solo family law practitioner has custody agreements, financial disclosures, and Social Security numbers for whole families sitting in their case files, and that data is as good as gold on the dark web.
The 2024 ABA Cybersecurity Tech Report found that 36% of law firms experienced a security incident in the prior year. The average cost of a data breach for law firms in 2024 was $5.08 million, a 10% increase from the previous year. And 2024 set a record with 45 confirmed ransomware attacks on law firms, compromising more than 1.5 million records.
But here is the number that should reframe how you think about this: BakerHostetler, one of the largest law firms specializing in incident response, reported handling more than 1,250 cyber incidents in 2025, and law firm incidents specifically nearly doubled from the previous year. A threat group known interchangeably as Chatty Spider, Silent Ransomware, or Luna Moth emerged in 2025 and specifically targeted law firms by calling attorneys directly, posing as IT support, gaining remote access to their machines, and exfiltrating client files before issuing ransom demands. The demands ranged from $500,000 to $21 million.
This is not a hypothetical. This is what is happening right now to firms your size.
Threat #1: Business Email Compromise (BEC)
What It Is
BEC is a targeted attack where someone impersonates a trusted person via email to redirect money or extract sensitive information. The FBI documented $2.77 billion in BEC losses in 2024 across 21,442 complaints. Unlike spray-and-pray phishing, BEC is well researched, exceedingly patient, and highly specific. The attacker knows who you are, who your clients are, and when money is supposed to move.
What It Looks Like at a Law Firm
BEC hits law firms harder than almost any other business type because law firms sit at the intersection of large wire transfers, deadline pressure, and trusted professional relationships. Competent attackers exploit all three.
The most common scenario involves real estate closings. An attacker compromises the email account of someone in the transaction chain: the buyer's agent, the title company, or the attorney's office. They monitor the email thread, watching for the closing date and the moment wire instructions are sent. When that moment arrives, the attacker intercepts the legitimate wire instructions and replaces them with their own. The buyer, who is already stressed about making a deadline, wires their down payment or purchase funds to an account controlled by the attacker. In 2024, the FBI received 9,359 real estate and rental fraud complaints with losses exceeding $173 million. Seventeen percent of title companies reported sending client funds to fraudulent accounts.
I worked with a real estate attorney in Southwest Florida whose paralegal received what appeared to be updated wire instructions from a title company they had worked with on dozens of closings. The email address was one letter off from the real one. The paralegal processed a $300,000 wire to the fraudulent account. By the time the error was discovered the next morning, the money had been moved through two intermediary accounts and was gone. They called the FBI, but at this stage, nothing could be done. The attorney's malpractice carrier covered a portion of the loss, but the client relationship was destroyed, and the firm spent the next six months dealing with a state bar grievance.
Beyond real estate, BEC targets firms through the managing partner impersonation play. The attacker spoofs the managing partner's email and sends a message to the bookkeeper or office manager: "I need you to process a wire for a settlement payment. Details attached. Handle this before end of day, I'm in depositions." The tone is authoritative and urgent. The request is plausible. The bookkeeper processes it.
How It Gets In
BEC almost always starts with a compromised email account, either yours or someone you correspond with. The attacker gains access through phishing (a fake login page), credential stuffing (reusing a password from a previous breach), or by purchasing stolen credentials from a dark web marketplace. Once inside, they do not act immediately. They sit in the inbox, reading emails, learning communication patterns, identifying upcoming transactions, and waiting for the right moment to intervene.
What Stops It
A verbal verification policy for every wire transfer, no exceptions. Before your firm sends or receives wire instructions, someone must call a verified phone number (not a number from the email in question) and confirm the instructions with a live human being. This policy needs to be written, posted, talked about, and ruthlessly enforced with the same seriousness as conflict checks. (See: Financial Controls in the Controls Library)
MFA on every email account at the firm. If an attacker cannot get into your email, they cannot monitor your transactions. This is the single most impactful technical control against BEC. Every attorney, paralegal, legal assistant, and administrative staff member needs MFA on their email. No exceptions for partners who find it inconvenient. (See: Multi-Factor Authentication in the Controls Library)
Email forwarding rule audits. Attackers who compromise a mailbox often set up a forwarding rule that copies all incoming mail to an external address. This lets them maintain access even after a password change. Check forwarding rules on all firm email accounts monthly. (See: Email Security in the Controls Library)
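The monthly forwarding-rule check described above is easier to do consistently when it is scripted. The following is an added example, not code from the original page or from Microsoft or Google: it audits a hypothetical JSON export of each mailbox's forwarding settings and inbox rules (field names modelled on what Exchange Online's Get-Mailbox and Get-InboxRule cmdlets report, but the export format itself is an assumption), flags any forward, redirect or forward-as-attachment whose destination is outside the firm's own domains, and raises the severity when the rule also deletes the message, since that hides the copy from the mailbox owner. The firm domain and the sample export are constructed.

```python
"""Audit exported mailbox forwarding configuration for external destinations.

Added example, not from the original page. The input is a hypothetical
JSON export with one record per mailbox carrying the mailbox-level
forwarding address and the user's inbox rules; the field names follow
Exchange Online's Get-Mailbox / Get-InboxRule output, but the export
format is an assumption of this example.
"""
import json
import re

FIRM_DOMAINS = {"examplefirm.test"}  # constructed: the firm's own domains

# Constructed sample export: one clean mailbox and one that leaks mail.
SAMPLE_EXPORT = json.dumps([
    {
        "mailbox": "jsmith@examplefirm.test",
        "ForwardingSmtpAddress": None,
        "DeliverToMailboxAndForward": False,
        "rules": [
            {"Name": "File court notices", "Enabled": True,
             "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
             "DeleteMessage": False, "MoveToFolder": "Court"},
        ],
    },
    {
        "mailbox": "paralegal@examplefirm.test",
        "ForwardingSmtpAddress": "smtp:collector@mail-relay.example",
        "DeliverToMailboxAndForward": True,
        "rules": [
            {"Name": "Sync", "Enabled": True,
             "ForwardTo": ["closing-desk@title-co.example"], "RedirectTo": [],
             "ForwardAsAttachmentTo": [], "DeleteMessage": True,
             "MoveToFolder": None},
            {"Name": "Partner copies", "Enabled": True,
             "ForwardTo": ["partner@examplefirm.test"], "RedirectTo": [],
             "ForwardAsAttachmentTo": [], "DeleteMessage": False,
             "MoveToFolder": None},
        ],
    },
])

# Pulls the domain out of an address, tolerating prefixes such as "smtp:".
_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def is_external(address):
    """True when the address's domain is not one of the firm's domains."""
    m = _ADDR.search(address or "")
    return bool(m) and m.group(1).lower() not in FIRM_DOMAINS


def audit_forwarding(export_json):
    """Return findings as (mailbox, severity, description) tuples."""
    findings = []
    for mb in json.loads(export_json):
        owner = mb["mailbox"]
        # Mailbox-level forwarding survives a password change just like a rule.
        fwd = mb.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd):
            findings.append((owner, "high", f"mailbox-level forwarding to {fwd}"))
        for rule in mb.get("rules", []):
            if not rule.get("Enabled", True):
                continue
            targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                       + rule.get("ForwardAsAttachmentTo", []))
            external = [t for t in targets if is_external(t)]
            if not external:
                continue
            # Forwarding outside the firm and then deleting the message hides
            # the activity from the mailbox owner, so treat it as high severity.
            severity = "high" if rule.get("DeleteMessage") else "medium"
            findings.append((owner, severity,
                             f"rule {rule['Name']!r} forwards to {', '.join(external)}"))
    return findings


if __name__ == "__main__":
    for owner, sev, desc in audit_forwarding(SAMPLE_EXPORT):
        print(f"[{sev.upper()}] {owner}: {desc}")
```

Internal forwards (the "Partner copies" rule) are deliberately not reported, so the monthly review only surfaces rules someone actually has to explain. Run it against a fresh export each month and keep the output with the firm's compliance records.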
Dual authorization for trust account disbursements. No single person should be able to initiate and approve a wire transfer from your trust account. Two people, two approvals, every time.
What Your Insurance Carrier Will Ask
Cyber insurance applications for law firms will ask specifically about wire transfer verification procedures, MFA on email, and whether you have dual authorization for trust account transactions. If you handle real estate closings or settlement disbursements and cannot document these controls, your application will face scrutiny. Some carriers now require written wire verification policies as a condition of coverage.
Threat #2: Ransomware
What It Is
Ransomware encrypts your files and demands payment to restore access. For law firms, this means case files, client documents, billing records, and your practice management system are all locked simultaneously. Many ransomware groups now use double extortion: they steal your data before encrypting it and threaten to publish client files on the dark web if you do not pay.
What It Looks Like at a Law Firm
The double extortion model is particularly devastating for law firms because of client confidentiality obligations. When an attacker says, "pay us or we publish your client files," they are not just threatening your firm, they are threatening every client whose privileged information is in those files. You now have an ethical obligation under Model Rule 1.6 to notify affected clients, and potentially an obligation to notify courts if ongoing litigation is affected.
In 2024, ransomware attacks on law firms hit a record of 45 confirmed incidents. The BakerHostetler DSIR reported that the average initial ransom demand for law firms and professional services was just under $2 million, with the average amount actually paid landing around $450,000 and the highest payout reaching $1.9 million.
The Chatty Spider threat group, which emerged in 2025, demonstrated a particularly effective method. A member of the group would call an attorney directly, claim to be from the firm's IT department, and request remote access to the attorney's machine for a "security update." Once connected, they would exfiltrate as many files as possible before issuing the ransom demand. No malware installation, no phishing email, no technical exploit. Just a phone call and a plausible story. This approach bypassed every email filter and endpoint protection tool because it exploited trust rather than technology.
I met with a managing partner at a small litigation firm who had been using the same password across multiple websites for years. The password appeared in a data breach from an unrelated site, an attacker used it to access the firm's remote desktop server (which had no MFA), and deployed ransomware on a Saturday night. By Monday morning, every workstation and the file server were encrypted. The firm had backups, but the backups were stored on the same network and were encrypted too. They paid $85,000 in Bitcoin because they had a trial starting in three weeks and could not access their case files.
How It Gets In
For law firms specifically, the entry points are phishing emails (an attachment that looks like a court filing, a shared document from opposing counsel, or a fake e-filing notification), exposed Remote Desktop Protocol with no MFA, compromised credentials reused from other breaches, and increasingly, social engineering phone calls like the Chatty Spider approach.
What Stops It
Offline backups tested quarterly. Your backups must be disconnected from your network. Test restoring from them regularly. The firm I described above had backups, they just were not the right kind. (See: Data Backup and Recovery in the Controls Library)
MFA on everything, particularly remote access. RDP, VPN, practice management software, document management, cloud storage. If it can be accessed remotely, it needs MFA. (See: Multi-Factor Authentication in the Controls Library)
Staff training that includes phone-based social engineering. The Chatty Spider attacks worked because attorneys are accustomed to following IT instructions without questioning whether the caller is legitimate. Train your staff to verify any request for remote access by calling IT back at a known number. (See: Security Awareness Training in the Controls Library)
An incident response plan that addresses client notification. If ransomware hits your firm, you need to know within hours who to call: your cyber insurance carrier, your incident response counsel, the FBI (ic3.gov), and potentially every affected client. Having this plan written and accessible (not stored only on the encrypted server) saves critical time. (See: Incident Response Planning in the Controls Library)
What Your Insurance Carrier Will Ask
Carriers will ask about MFA, EDR, offline backups, and whether you have an incident response plan. They will also ask about your RDP exposure. If you have RDP exposed to the internet without MFA and a VPN, many carriers will decline to write the policy.
Threat #3: Phishing
What It Is
Phishing is a fraudulent message designed to trick someone into clicking a link, opening an attachment, or entering credentials on a fake website. It was the most reported crime to the FBI in 2024 with 193,407 complaints.
What It Looks Like at a Law Firm
Law firms face an industry-specific phishing risk that most other businesses do not: GootLoader. This threat uses search engine optimization (SEO) poisoning to place malicious content at the top of search results for legal terms. An attorney or paralegal searching for a specific contract template, a legal precedent, or a court form may find the top result leading to a file infected with malware. The group behind GootLoader has seeded malicious content linked to over 3.5 million search terms, a significant percentage of which are legal terminology.
Beyond GootLoader, the standard phishing scenarios apply. An email that looks like an e-filing notification from the court's CM/ECF system. A shared document that appears to come from opposing counsel. A fake invoice from Westlaw or LexisNexis. A DocuSign notification for a document you are expecting to receive. All of these are common phishing lures targeting law firms specifically.
At a firm I consulted with, an associate received an email that appeared to be a CM/ECF notification for a case she was working on. The link went to a page that looked identical to the PACER login screen. She entered her credentials, which the attacker then used to access the firm's Microsoft 365 environment (because she used the same password). The attacker had access to client emails, case documents and settlement negotiations for six days before anyone noticed.
What Stops It
Unique passwords for every service, enforced by a password manager. The scenario above happened because one reused password gave the attacker access to everything. A solid password manager greatly reduces this risk. (See: Password Management in the Controls Library)
Email filtering that scans attachments and links before delivery. Both Microsoft 365 Defender and Google Workspace's advanced protection offer attachment sandboxing and URL rewriting. These should be enabled on your firm's email. (See: Email Security in the Controls Library)
Simulated phishing tests. Run them quarterly, using lures that mimic what your firm receives, such as fake CM/ECF notifications, fake DocuSign requests, fake Westlaw invoices. The click rates will drop dramatically after the second round if you take the time to debrief the results with staff rather than just reporting them. (See: Security Awareness Training in the Controls Library)
Threat #4: Insider Threat
What It Is
An insider threat is a security risk from within the organization: a departing attorney who takes client files, a disgruntled staff member who accesses records they should not, or an honest mistake that exposes confidential information.
What It Looks Like at a Law Firm
The departing attorney scenario is the most common insider threat at law firms and is often treated as a business dispute rather than a security incident. An attorney leaves the firm and takes electronic copies of client files, contacts, and work product. Sometimes this is authorized. Often it is not clearly addressed by the partnership agreement. And sometimes the departing attorney takes files for clients they are not entitled to represent.
The more dangerous version involves non-attorney staff. A legal assistant with access to the document management system downloads client files related to a high-profile case, either to sell the information or to use as leverage in a personal dispute. The firm discovers it weeks later when a reporter calls asking about case details that were never made public.
The accidental insider threat is the most common of all. An attorney emails a draft settlement agreement to the wrong email address. A paralegal uploads a confidential exhibit to the wrong matter folder in the DMS. A legal assistant sends a client intake form containing Social Security numbers via unencrypted email. None of these people intended to cause harm, but all of them created a potential breach.
What Stops It
Matter-level access controls in your DMS and practice management system. Not everyone at the firm should have access to every client matter. Configure your systems so that access is limited to the team working on each case. This is not just good security. For firms with potential conflict situations, it is an ethical obligation. (See: Access Control Management in the Controls Library)
Offboarding procedures that include same-day access revocation. When an attorney or staff member leaves the firm, their access to the DMS, email, practice management system, billing system, and any cloud services should be revoked on their last day. Not the following week, and not when IT gets around to it. (See: Account Management in the Controls Library)
Data Loss Prevention (DLP) policies on email. Configure your email system to flag or block outgoing messages that contain Social Security numbers, credit card numbers, or other sensitive patterns. Both Microsoft 365 and Google Workspace offer DLP features on business plans. (See: Data Loss Prevention in the Controls Library)
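To make concrete what an outbound DLP policy actually evaluates, here is an added example that is not from the original page and is not the Microsoft 365 or Google Workspace DLP engine. It applies the same two-step logic those products use for sensitive-data detectors: a pattern match followed by a validity check (the Social Security Administration's structural rules for SSNs, the Luhn checksum for card numbers), then a constructed policy that blocks, flags, or allows each message depending on what was found and whether the recipient is outside the firm. The firm domain, the policy thresholds, and the sample messages are all constructed.

```python
"""Outbound email DLP check: flag or block messages carrying SSNs or card numbers.

Added example, not from the original page and not a vendor's DLP engine.
It demonstrates pattern matching plus validation, which is what keeps a
docket number or a placeholder like 000-00-0000 from triggering a block.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
FIRM_DOMAIN = "@examplefirm.test"  # constructed


def looks_like_ssn(area, group, serial):
    """Apply SSA structural rules: area not 000/666/9xx, group and serial non-zero."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (ssns, cards) found in the text after validation."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if looks_like_ssn(*m.groups())]
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return ssns, cards


def dlp_decision(message):
    """Return 'block', 'flag' or 'allow' for one outbound message.

    Constructed policy: mail leaving the firm with a card number or two or
    more SSNs is blocked; a single SSN is flagged for review; internal mail
    is allowed.
    """
    ssns, cards = find_sensitive(message["subject"] + "\n" + message["body"])
    external = not message["to"].lower().endswith(FIRM_DOMAIN)
    if not (ssns or cards) or not external:
        return "allow"
    if cards or len(ssns) >= 2:
        return "block"
    return "flag"


# Constructed sample messages; the SSNs are well-known invalid/test values.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "agent@title-co.example", "subject": "Intake form",
     "body": "Client SSN 219-09-9999, spouse 078-05-1120."},
    {"id": "m2", "to": "partner@examplefirm.test", "subject": "Draft disclosure",
     "body": "Client SSN 219-09-9999 per the financial affidavit."},
    {"id": "m3", "to": "opposing@otherfirm.example", "subject": "Exhibit list",
     "body": "Retainer card on file: 4111 1111 1111 1111"},
    {"id": "m4", "to": "client@mail.example", "subject": "Status",
     "body": "Docket 2:24-cv-00123, hearing 10/14; ref 000-00-0000."},
    {"id": "m5", "to": "client@mail.example", "subject": "Affidavit",
     "body": "Confirm SSN 219-09-9999 is correct."},
]


def run_policy(messages=SAMPLE_MESSAGES):
    """Evaluate every message and return {id: decision}."""
    return {m["id"]: dlp_decision(m) for m in messages}


if __name__ == "__main__":
    for mid, decision in run_policy().items():
        print(f"{mid}: {decision}")
```

The validation step is the part worth copying into any home-grown filter: without it, a legal practice's mail (docket numbers, case citations, bates ranges) generates enough false positives that staff learn to ignore the alerts.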
Threat #5: Vendor and Third-Party Risk
What It Is
Vendor risk is the security exposure that comes from the companies your firm depends on: your practice management vendor, your IT managed service provider, your cloud storage provider, your e-discovery platform, and your billing software.
What It Looks Like at a Law Firm
The managed service provider (MSP) compromise is the scenario that should concern every small firm. Your MSP uses a remote monitoring and management tool to access your workstations and servers. If that tool is compromised, the attacker gains access to every client the MSP serves. One breached MSP can mean 30 or 40 law firms get exposed all at the same time.
CTS, a managed IT service provider to law firms, was breached in November 2023, affecting dozens of firms, particularly in the real estate sector. The incident demonstrated exactly how vendor dependency creates cascading risk across an entire sector.
Third-party involvement in breaches doubled from 15% to 30% in the 2025 Verizon DBIR. For law firms where nearly every operational system involves a third-party vendor, this trend is especially relevant.
What Stops It
Ask your IT provider the hard questions. What MFA do they use on their remote access tools? Do they have a SOC 2 report? What is their incident response plan if they are breached? What notification timeline do they commit to? If they cannot answer clearly, you need to evaluate whether they are the right partner for a firm handling privileged client data. (See: Vendor Risk Management in the Controls Library)
Maintain a vendor inventory. List every vendor that has access to your systems or your client data. Review it annually. Include your practice management vendor, DMS provider, e-discovery platform, IT provider, cloud storage, email hosting, VoIP provider, and shredding service.
Require cyber liability documentation from key vendors. Your IT provider should carry their own cyber liability insurance. Ask for a certificate of insurance.
How Law Firms Are Different: The Ethical and Regulatory Context
The security obligations for law firms extend beyond data protection into professional ethics. ABA Model Rule 1.6(c) requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Model Rule 1.1, which addresses competence, has been interpreted by at least 40 state bars to include technological competence.
This means that a failure to implement reasonable cybersecurity measures is not just a business risk; it is potentially a violation of your professional obligations, which can result in disciplinary action, malpractice claims, loss of your license, or all of the above.
Many state bars now issue ethics opinions specifically addressing cybersecurity. If your state bar has published cybersecurity guidance, you should be following it. If they have not, the ABA Formal Opinion 477R on securing client communications and Formal Opinion 483 on obligations after a data breach provide the baseline expectations.
37% of legal clients said they would pay a premium for law firms with stronger cybersecurity measures. That is an ethical argument and a business decision.
Take the Next Step
This page gives you the picture. Our free cybersecurity assessment tells you where your firm specifically stands against each of these threats and maps your results to what cyber insurance carriers will ask.