The body that regulates solicitors in England and Wales has warned that law firms’ growing dependence on IT systems is creating more opportunities for cyber-criminals.
According to the Law Society Gazette of England and Wales, the Solicitors Regulation Authority (SRA) said that ransomware attacks were increasingly targeting sensitive client information to extort money.
Ransomware can simply lock firms out of their IT systems, which will particularly affect fully remote firms, but is more regularly being used by criminals to steal information and then threaten to publish it.
The SRA predicts that this will become “a normal part of how ransomware extorts money”.
In a risk outlook report, the regulator said that firms reported 18 ransomware attacks in 2021, but it conceded that this figure “may not give the true picture of the threat, as they represent only those cases where client information was affected”.
The Gazette says that, already this year, top-100 firm Ward Hadaway has been subject to attempted blackmail for up to $6 million in bitcoin after confidential documents were obtained in a cyber-attack. Listed firm Ince was similarly targeted, with both firms going to the High Court to obtain urgent injunctions.
The SRA said: “Ransomware will continue to increase in sophistication and to use a wider range of methods to influence its targets.
“It is likely to increasingly become fully automated, attacking any target with suitable weaknesses. Most attacks will be random and be because the firm has a weakness that could be detected. However, some might be targeted intentionally.”
More than four-fifths of cyber-crimes reported to the regulator in 2021 involved emails – including phishing attacks and email modification frauds.
Compromised third parties
Conveyancing remains a regular target, due to the large amounts of money involved, but the regulator said criminals are “broadening their attacks” to other fields where firms might be “less alert” to threats.
The SRA said that some were even “intercepting and falsifying physical mail between a firm and client to request funds”.
The regulator also warned that compromised third parties or IT providers could affect firms, noting that attacks last year on a service provider and a barristers’ chambers both “spread to multiple solicitors’ firms”.
The SRA said that firms might be targeted in the future by criminals using “voice-modification software in calls to impersonate a solicitor”, or artificial intelligence to make “phishing contacts and other false communications more credible, and harder to distinguish from the individual being copied”.