Attack vectors are the specific methods and pathways that cybercriminals use to compromise systems, access networks, and steal data. Rather than relying on technical vulnerabilities alone, modern attackers increasingly exploit the most predictable and accessible entry point: people. This shift means that understanding attack vectors requires understanding both the technical and psychological dimensions of cybersecurity threats.
Law firms as high-value targets
Law firms are high-value targets for cybercriminals because of the sensitive information they hold and the amount of money they transact. Even small law firms hold valuable information and can undertake property matters with significant funds involved. The concentration and sensitivity of the data they maintain means that a single breach can expose not just the firm's own operations, but the confidential affairs of dozens or hundreds of clients.
The shift from technical hacking to psychological manipulation
A critical evolution in cybersecurity is the recognition that the most effective attack vector is not a technical vulnerability, but rather human behaviour. This represents a fundamental shift in how attacks are designed and executed. Understanding attack vectors therefore requires recognising that they operate at two levels simultaneously: they target specific technical pathways (email systems, remote access tools, unpatched software) and they target human psychology (trust, authority, urgency, curiosity). The most effective attacks combine both.
Common attack vectors
Phishing and variants
Generic phishing casts a wide net, sending identical or near-identical emails to thousands of recipients with generic lures such as fake bank security alerts, urgent package delivery notifications, or system updates. These broad-based attacks rely on volume: even if only a fraction of recipients respond, the attacker succeeds. For legal practitioners, generic phishing could also mimic a court filing notification or a client communication about a matter. When a recipient clicks a malicious link or downloads an attachment, their credentials or system access can be compromised.
Spear-phishing represents a dramatic escalation in targeting precision and sophistication. Rather than casting a wide net, attackers research specific individuals or departments—often through LinkedIn profiles, public court records, and firm websites—and craft highly personalized messages that reference real cases, colleagues, or clients. A spear-phishing email to a litigation partner might reference a specific case name and timeline or appear to come from opposing counsel with document requests. Because the message is tailored to the recipient's role and circumstances, it bypasses the scepticism triggered by obviously generic attacks.
Whaling targets the firm's most senior and powerful individuals—partners, managing directors, and key executives—who control access to funds and sensitive systems. Attackers conduct extensive reconnaissance to understand executive communication patterns and authority structures. A whaling email might purport to be from the firm's CEO requesting an urgent confidential matter, a client initiating a time-sensitive transaction, or the managing partner instructing a payment approval. Because executives often operate under time pressure and may be less sceptical of requests appearing to come from trusted contacts, whaling attacks achieve unusually high success rates.
Business email compromise (BEC)
BEC combines technical compromise with psychological manipulation. Attackers either hack into an existing email account (through phishing or credential theft) or spoof a domain with a subtle variation; for instance, registering "yourfirm-law.com.au" instead of "yourfirm.com.au" or using an internal display name that closely resembles a legitimate contact. Once in position, they intercept or create communications requesting payment, changed banking details, or confidential information.
For law firms specifically, BEC attacks often target settlement payments, trust account transfers, or client invoice payments. An attacker might pose as an opposing counsel requesting updated bank details for settlement, a client confirming payment instructions for a conveyance, or an internal partner approving a payment. From the recipient's perspective, the email appears entirely legitimate. It arrives through expected channels, references real transactions, and requests routine actions. The financial and reputational consequences can be catastrophic, and liability disputes frequently arise over who should bear the loss.
Supply chain and third-party attacks
Real estate agents, mortgage brokers, and settlement service providers represent common supply chain vulnerabilities for conveyancing practices. When a third party's email or systems are compromised, attackers can intercept communications, modify payment details, or impersonate the trusted entity to redirect funds. Because the relationship itself is built on trust, recipients are unlikely to verify unusual requests from ostensibly familiar contacts.
Ransomware attacks
Ransomware is malicious software that encrypts critical files, rendering them completely inaccessible until the attacker receives payment. Once deployed, ransomware locks down case files, client documents, financial records, billing systems, and database access, essentially freezing the firm's operations. Modern ransomware attacks frequently combine encryption with data theft where attackers extract copies of sensitive data before encrypting files, then threaten to publish the stolen information if payment is refused.
Vishing (Voice Social Engineering) and remote support scams
Vishing—voice phishing—uses phone calls, voicemails, and voice messages to manipulate targets into divulging sensitive information or granting system access. A vishing attacker might call a firm employee pretending to be from the firm's IT support department, claiming that suspicious activity has been detected and requesting the employee's credentials to "verify their account." Alternatively, they might impersonate a client in distress, a bank security team, or a government agency, using artificial urgency to bypass careful thinking.
Remote support scams follow a similar pattern. The attacker calls claiming to be from Apple, Microsoft, or the firm's IT vendor, alleging a technical problem and requesting remote access to the employee's computer. Once granted access, the attacker can install malware, steal credentials, or access networked systems. These attacks exploit legitimate remote support practices that law firms rely on for IT maintenance, making them difficult to distinguish from genuine requests.
Malware
Malware (malicious software) often arrives through phishing emails or compromised websites and quietly installs itself on a user's computer without obvious symptoms. Banking trojans and keystroke loggers are particularly dangerous in legal practice; they record credentials entered when accessing banking systems, client portals, or case management databases. Once credentials are captured, attackers can access those systems directly, transfer funds, or steal sensitive information.
Social engineering tactics: How criminals manipulate trust
Most successful cyber-attacks on law firms include an element of social engineering where the attacker has manipulated a human via a breach of trust. Social engineering is psychological manipulation designed to trick people into divulging confidential information, granting unauthorised access, or taking actions that compromise security. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits predictable patterns of human behaviour and decision-making. Attackers manipulate emotions (fear, urgency, trust, authority, and curiosity) to short-circuit rational thinking and prompt immediate action without verification.
The effectiveness of social engineering is based on how psychology shapes decisions under pressure. A message suggesting that someone's job is on the line, that a colleague needs urgent help, or that immediate action is required to prevent a crisis overrides normal scepticism. When recipients believe the situation is genuine and time-critical, security protocols often fall by the wayside.
Phone calls impersonating legitimate service providers
Attackers place phone calls impersonating legitimate organisations such as IT support departments, telecommunications providers like Telstra, banks, or government agencies. The objective is to manipulate employees into divulging credentials or granting system access. A caller might claim that suspicious activity has been detected on the employee's account, that the firm's systems have been compromised, or that immediate verification is required. The attacker controls the conversation, creates time pressure, and speaks with authority, making it difficult for recipients to question the legitimacy of the request.
Some variations involve the attacker offering technical assistance to fix a non-existent problem. They request remote access to the employee's computer to "verify the system," and once granted, install malware, capture credentials, or move laterally into the firm's network.
Email spoofing from trusted clients or colleagues
Email spoofing enables attackers to fabricate the sender's identity, making messages appear to originate from trusted sources such as a client, a colleague, opposing counsel, or firm management. This can involve either subtle domain variations (such as "yourfirm-law.com.au" instead of "yourfirm.com.au") or compromising a legitimate email account and sending communications directly from it. From the recipient's perspective, the email appears entirely authentic.
The request itself is typically designed to feel routine: payment instructions, document requests, confidential information, or meeting confirmations. Because the message appears to come from a trusted source and requests ordinary actions, recipients are unlikely to verify the request through an independent channel.
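As an added example that is not part of the original article, the following Python check flags the two spoofing patterns described in the BEC section and in this one: a sender domain that is a subtle variation of the firm's own domain (such as "yourfirm-law.com.au" beside "yourfirm.com.au"), and a display name that matches a known contact while the underlying address does not. OWN_DOMAIN, KNOWN_CONTACTS and the distance threshold are assumed sample values, not real firm data.

```python
import re
from email.utils import parseaddr

# Constructed sample values (assumed, not from the article): the firm's own domain
# and a small address book of contacts whose display names staff would recognise.
OWN_DOMAIN = "yourfirm.com.au"
KNOWN_CONTACTS = {
    "jane partner": "jane@yourfirm.com.au",
    "opposing counsel": "counsel@otherfirm.com.au",
}
LOOKALIKE_DISTANCE = 2  # assumed threshold; tune it to the length of your own label


def brand_label(domain):
    """The label people actually read: 'yourfirm-law.com.au' -> 'yourfirm-law'."""
    return domain.lower().split(".")[0]


def edit_distance(a, b):
    """Levenshtein distance, so one-character swaps such as 'yourflrm' are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Return the reasons a From: header looks spoofed; an empty list means none found."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    reasons = []
    address = address.lower()
    domain = address.split("@", 1)[1]
    own, seen = brand_label(OWN_DOMAIN), brand_label(domain)
    # Subtle domain variation: the real label padded with extra text, or a near miss.
    if domain != OWN_DOMAIN and (own in seen or edit_distance(own, seen) <= LOOKALIKE_DISTANCE):
        reasons.append(f"look-alike domain {domain!r} resembles {OWN_DOMAIN!r}")
    # Display name of a known contact sitting on top of a different address.
    known = KNOWN_CONTACTS.get(display.strip().lower())
    if known and known != address:
        reasons.append(f"display name {display!r} belongs to {known!r}, not {address!r}")
    # Display name that itself contains an email address different from the real one.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != address:
        reasons.append(f"display name shows {embedded.group(0)!r} but mail is from {address!r}")
    return reasons
```

A non-empty result is a prompt for the verification call the article describes, not proof of fraud: genuine senders on a new domain will also be flagged.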
Creating false urgency: Security breaches and system compromises
Attackers deliberately manufacture urgency to prevent careful thinking. A message might claim that suspicious activity has been detected, that passwords require immediate resetting, that a security breach has occurred, or that account access is at risk. The tactic also appears in payment-related attacks: a client is in immediate need of funds for settlement, an opposing party is demanding swift payment, or internal approval is needed urgently to meet a deadline. By framing the request as time-critical and linking non-compliance to negative consequences, attackers overcome the natural resistance to unusual requests.
Building false credibility through research and OSINT
Before contacting a target, attackers conduct extensive research using Open-Source Intelligence (OSINT). Here they gather freely available information from public sources to build credibility and personalise their approach. OSINT involves collecting information from social media profiles, LinkedIn, company websites, court records, news articles, directory listings, and any publicly disclosed information about individuals and organizations.
An attacker uses this information to reference real details in their communications: mentioning specific clients, case names, recent transactions, or organizational structure. A spoofed email from a colleague becomes more convincing when it references a real project they're working on together. A phishing message from a client becomes credible when it mentions their actual legal matter. The illusion of legitimacy created by this research forms the foundation of successful social engineering attacks.
The AI amplification factor
AI has changed the nature and impact of many of the attack vectors by making social engineering faster to create, harder to detect, and easier to scale. Where criminals once relied on poorly written, generic emails, they can now generate highly polished, grammatically correct messages tailored to specific roles, matters, or clients in seconds. Large language models can mimic professional tone and legal terminology, making phishing and business email compromise attempts look and read like authentic communications from partners, clients, or regulators. This significantly erodes traditional “red flags” such as spelling errors and awkward phrasing that lawyers once relied on to spot scams.
The same capabilities can support more advanced attacks, including synthesised voice and video “deepfakes” of senior partners or clients, further blurring the line between legitimate and malicious communication. As a result, AI does not replace traditional attack vectors; it amplifies them, increasing both the volume and the quality of attacks that law firms must detect and resist.
5 steps to protect yourself
To assist in protecting yourself and the firm from being a victim of cybercriminals, review the following steps:
- Identify – Don’t accept email requests at face value. The email asking you to re-direct money might look genuine, but it could have been sent by a hacker.
- Verify – Call the sender personally to check authenticity. Use a number you know, not one suggested in the email. Ask for the account number, write it down, then compare with the email.
- Note – Make a file note that you made the call and confirmed the payment instructions, so you can prove it.
- Warn – Tell the client they might also be targeted with fake emails from you and not to act on email payment directions without calling to check. Put this in your engagement letters.
- Double-check – Involve a second person in the process and don’t action payment requests without proof that steps 2 and 3 have happened.
Effective cyber resilience is a professional strength
Cyber-criminals are not primarily “hacking computers”; they are hacking people. The most successful attacks on law firms now blend technical tools with carefully crafted psychological manipulation. Recognising that reality is critical. The attack vectors outlined are simply different entry points into the same objective: gaining access to client funds, confidential information, or systems by exploiting trust. Implementing the five‑step protection framework (IDENTIFY – VERIFY – NOTE – WARN – DOUBLE‑CHECK) in your internal procedures, supervision, and training helps turn good practice into standard practice.
Ultimately, effective cyber resilience for law firms is a collective responsibility. Technical safeguards, governance frameworks, and insurance are to be matched with healthy scepticism and a culture where “take a moment and double‑check” is seen as a professional strength, not an inconvenience.