The LPLC continues to see an increase in the sophistication of cybercriminals' tactics to infiltrate computer systems and steal money from lawyers and their clients. As these threats evolve, it is important that law firms continually reassess their cybersecurity measures and adopt a proactive, multi-layered defence strategy.
A rising occurrence of advanced threats
Cybercriminals are using tactics that centre around creating scams almost indistinguishable from legitimate communications. Even though a lawyer’s own system might be secure, the criminals use a variety of methods to gain information on their intended victims. By researching the firm, gathering information from the dark web, or hacking into the email of third parties, they collect sensitive details that allow them to craft highly convincing scams.
To add to the deception, cybercriminals will look to set up bank accounts and register look-alike website addresses (a practice known as domain spoofing). These fake accounts and domains look almost identical to the real ones and have the primary purpose of tricking clients into trusting fabricated communications and sending money to fraudulent accounts.
While some scams can be spotted due to their suspicious content, the use of AI has enabled cybercriminals to design sophisticated scenarios that can be hard for a person to detect at first glance. When used in combination with stolen information, domain spoofing, and account impersonation, these multi-faceted attacks show how cybercriminals now leverage every available loophole to achieve their ends.
A multi-layered approach to cybersecurity
No single defence is foolproof—this is where the Swiss-cheese risk management model offers a valuable perspective. Like multiple layers of Swiss cheese, where each slice of cheese has holes, every individual security measure has its own vulnerabilities. However, by aligning several layers of protection, the holes in one layer are covered by the solid parts of another. This multi-layered strategy is critical in creating a robust cybersecurity posture.
Law firms should adopt proactive techniques to minimise these vulnerabilities. In addition to the Victoria Legal Services Board + Commissioner Minimum Cybersecurity Expectations, law practices should consider additional protections for their cyber posture and brand.
How to protect yourself
Cyber experts: The first and best tactic for combating cybercrime is to get a cybersecurity professional on your side. Cybersecurity is a mature specialisation within the information technology industry. To achieve the right protection, cybersecurity professionals should be retained, usually in addition to your general IT service provider. Law practices should engage with cybersecurity experts who can continuously monitor their systems for potential issues and vulnerabilities. Their vigilance minimises risks by promptly addressing unusual activities and maintaining digital infrastructure integrity. Cybersecurity experts can also offer services such as Domain Name System (DNS) monitoring, which helps identify domain spoofing, as well as other products to secure information and communications.
Secure your information: To assist in keeping information safe, law firms should use secure systems like encrypted email services, client portals, and secure document-sharing platforms to protect sensitive information. These systems minimise the need to send critical details through unsecured emails, greatly reducing the risk of a data breach by limiting who can access the information. Additionally, they help lawyers maintain control over who views their documents, ensuring that only authorised individuals have access. By keeping sensitive data within secure channels, law firms not only protect client confidentiality but also safeguard their own reputation and legal standing.
Review your cyber-posture
Multiple threats — multiple defences: The evolving nature of cyber threats demands that law practices be alert to cybercriminals' new threats. The sophistication of these tactics demands that law firms not only invest in robust cybersecurity technologies but also remain vigilant about the practices and vulnerabilities of their business partners. By instituting a multi-layered Swiss-cheese defence model, legal professionals can better protect themselves and their clients from the financial and reputational risks of criminal activities.
Take-home messages
- Cybersecurity experts — As cybercriminal tactics become increasingly difficult to detect, law firms should engage the assistance of cybersecurity professionals who work to stay on top of the risks.
- Attacks involve multiple layers of deception — Cybercriminals combine email compromise, domain spoofing, and fraudulent bank accounts to create highly convincing scams to trick both lawyers and clients.
- A multi-layered defence is key — Use DNS monitoring, two-factor authentication, staff training, and incident response plans to mitigate risks.
- Secure communications are critical — Avoid sharing sensitive information, especially banking details, via unencrypted emails. Use secure client portals or encrypted messaging services instead.
- Law firms must maintain a cybersecurity focus — Regularly review security policies, restrict access, and vet third-party providers for cybersecurity compliance. Maintain a cybersecurity culture to raise awareness and aid in risk detection.
| Do | Don't |
| --- | --- |
| Register your firm’s domain name and monitor for copy-cat registrations. | Use free email systems such as Gmail or Yahoo. |
| Use secure systems such as encrypted email services, client portals, or secure document-sharing platforms. | Use unencrypted emails to send information. |
| Engage cybersecurity professionals who specialise in providing solutions tailored to your needs. | Engage in DIY cybersecurity. |
| Build a cybersecurity culture within your firm and extended networks. | Neglect to engage with others about cybersecurity. |
| Stay up to date with new and evolving cybersecurity risks. | Postpone cyber training. |
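As an added illustration of the DNS and copy-cat registration monitoring mentioned above (this is not LPLC's code; the firm domain, suffix list and homoglyph table are constructed placeholders), the following Python checker labels an observed domain, such as an inbound email sender or a newly registered name, by how closely it resembles the firm's own domain:

```python
# Hypothetical firm domain used as the trusted reference (placeholder, not from the article).
FIRM_DOMAIN = "examplelawfirm.com.au"
# Small illustrative suffix list; a production checker would use the Public Suffix List.
SUFFIX_LABELS = {"com", "net", "org", "co", "au", "uk", "nz", "gov", "edu"}
# Character sequences that look alike at a glance (constructed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def core_label(domain: str) -> str:
    """Return the registrable label, e.g. 'examplelawfirm' for mail.examplelawfirm.com.au."""
    labels = domain.lower().strip().split(".")
    while len(labels) > 1 and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return labels[-1]


def normalise(label: str) -> str:
    """Collapse look-alike sequences so 'examplelawfirrn' compares equal to 'examplelawfirm'."""
    for seen, meant in HOMOGLYPHS.items():
        label = label.replace(seen, meant)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, firm_domain: str = FIRM_DOMAIN) -> str:
    """Label an observed domain relative to the firm's own domain."""
    sender = sender_domain.lower().strip()
    if sender == firm_domain or sender.endswith("." + firm_domain):
        return "trusted"
    s_label, f_label = core_label(sender), core_label(firm_domain)
    if s_label == f_label:
        return "lookalike:different-suffix"   # examplelawfirm.com vs .com.au
    if normalise(s_label) == normalise(f_label):
        return "lookalike:homoglyph"          # examplelawfirrn.com.au
    if levenshtein(s_label, f_label) <= 2:
        return "lookalike:typo"               # examplelawfrim.com.au
    if f_label in s_label:
        return "lookalike:embedded"           # examplelawfirm-payments.com
    return "unrelated"
```

Anything other than "trusted" or "unrelated" is worth a human look before a payment instruction from that domain is acted on.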