
Following a number of successful attacks on the legal sector in recent months, The Cyber Resilience Centre for Wales (WCRC) is warning that now is a good time to focus on cyber security and to put in place the simple steps that can be taken to protect your law firm – including taking part in the fully-funded Cyber Essentials certification programme delivered through The Law Society Wales office.

Many mistakenly believe that cyber security doesn’t concern them and is something for the ‘techies’ or IT department, but security is something everyone needs to be aware of. Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device, and that affects pretty much all of us.

Picture this: you are working to help a client complete on their new home, and the final outstanding step is for the mortgage provider to release the funds. The provider informs you the money is on its way, but it does not arrive; instead, a cybercriminal has intercepted it, and they now have a very healthy bank account. Legal firms by their very nature handle financial transactions involving large amounts of money, and send and receive bundles of sensitive client information. To handle this data, legal firms rely on digital technology and systems to carry out everyday tasks including online bank transfers, automated identity checks or simple emails between firm and client.

Many of these attacks take the form of phishing: communications designed to trick you into believing they are genuine. A popular method used by criminals is to request a change of bank details so that payment is made to the attacker’s account, or to create a false login site which harvests your username and password, leaving your account compromised. Then there are the phishing emails that will deposit malware on your network or devices – potentially encrypting your data along with a ransom demand.

A real & present danger

A report by the Solicitors Regulation Authority last year revealed that 75% of the firms included in the report had been the target of a cyber-attack. Frighteningly, in the remaining cases the firms reported that cyber criminals had directly targeted their clients during a legal transaction.

The report also went on to reveal that 23 of the 30 cases in which firms were directly targeted saw a total of more than £4m of client money stolen. While £3.6m of this was ultimately claimed against insurance policies, a further £400,000 had to be repaid directly from firms’ own money.

These figures do not take account of the wider cost of such incidents to firms, for example higher insurance premiums, lost time, reputation and damage to client relationships.

How can you spot a phishing email?

The National Cyber Security Centre advises that attackers want to gain your trust, and will aim to pressure you into taking action. Phishing messages will often feature one of these signs, which can help identify them as a scam:

  • Authority – is the message claiming to be from someone official such as a bank, another legal firm or a government department?
  • Urgency – is there a limited amount of time to take the action requested? This may be reinforced with a threat of a fine or other negative consequences.
  • Scarcity – the fear of missing out on a good opportunity can influence a response.
  • Current events – are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

If you have any doubts about a message, contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.

Raising employees’ awareness of a potential attack is an important step to take in combatting this sort of threat. Also think of your clients: raising their awareness can potentially prevent both them and your own business from falling victim.

Cyber Essentials – fully funded certification

The WCRC understands that a busy solicitor’s office has little time for combing through complicated jargon. Cyber Essentials provides that first step in demonstrating cyber security. A Cyber Essentials certification covers the basic technical controls that will help prevent the most common, commodity attacks.

The Law Society in Wales have secured Welsh Government funding to offer law firms based in Wales the National Cyber Security Centre approved Cyber Essentials and Cyber Essentials Plus certification for FREE to strengthen the cyber security of law firms across Wales.

The Law Society are delighted to have appointed Pure Cyber as their delivery partner for this important project.

For more information and to register for Cyber Essentials or Cyber Essentials Plus – and read why you need to start this process as soon as possible, visit

Join the Cyber Resilience Centre for Wales for free

The Cyber Resilience Centre for Wales (WCRC) is a police / private sector / academic partnership that exists to support businesses in improving their cyber resilience. To help businesses in the legal sector to outsmart cyber criminals and toughen up their cyber security, the WCRC has been established to provide businesses from all sectors and of all sizes with affordable access to cyber security services designed to help improve cyber security.

The centre offers a free core membership to businesses in Wales providing a welcome pack full of practical resources and tools, designed to help identify your risks and vulnerabilities and the steps you can take to increase your levels of protection. Through your membership, you will also get regular updates on new threats, designed to help you stay safer.

You can contact the WCRC via email at for more information or sign up for our free membership here.

