Protecting Client Accounts – The Dangers of Spear-Phishing

Paul Delahunty outlines one of the most effective ways that fraudsters attack solicitor client accounts - and how to beat them.

When clients entrust solicitors with their finances, they expect their money to be handled securely and professionally. Solicitors typically enjoy a strong reputation for adhering to regulatory standards, which fosters trust. However, trust is easily broken. If something goes wrong, especially in cases where money changes hands, confidence in a solicitor can be quickly shattered. Unfortunately, solicitor client accounts have become prime targets for hackers. One of the most effective methods hackers use to infiltrate these accounts is spear-phishing.

What is spear-phishing?

We've all heard of 'phishing', a type of social engineering attack where hackers attempt to trick individuals into clicking on a link, downloading malicious attachments, or disclosing sensitive information. This type of attack is typically not aimed at any specific person – it's a "scattershot" approach, where hackers, like fishermen, cast a wide net and hope to catch any unsuspecting fish that happens to pass. But spear-phishing is much more specific and targeted.

Hackers gather information on their victim (often through social media, websites, or data breaches) to make their attack appear more legitimate and convincing. For instance, a hacker might impersonate a solicitor’s client or colleague by sending a tailored email that appears legitimate, instructing the solicitor to transfer funds or disclose sensitive account information.

Because the email looks so genuine, many people may let their guard down and act without question, thinking the message is from a trusted source. However, behind this crafted message lies a hacker intent on stealing funds from a solicitor's client account.

Why are solicitor client accounts such targets?

Solicitors are trusted with large sums of money. Client accounts are often used for property transactions, legal settlements, and large business deals, making them an attractive target for hackers. A successful spear-phishing attack can give hackers access to these accounts, enabling them to steal substantial sums without the client or solicitor being aware until it's too late.

A breach of this nature doesn’t just result in financial loss. It can severely damage the solicitor’s reputation and relationship with clients. It can also lead to costly legal battles, regulatory penalties, and a loss of business. This highlights the critical importance of implementing robust security measures to protect client funds from cybercriminals.

How Can Solicitors Protect Client Accounts from Spear-Phishing?

1. Employee education and awareness

The first line of defence against spear-phishing is ensuring that all employees, especially those with access to sensitive client data, are well-educated about the risks. Regular training on recognising suspicious emails, understanding the dangers of clicking on unknown links or attachments, and verifying requests for sensitive information is essential to preventing attacks.

2. Multi-factor authentication (MFA)

Multi-factor authentication adds an extra layer of security by requiring more than just a password to access accounts. For example, a text message code or a fingerprint scan may be required before access to sensitive data is granted. This added measure significantly reduces the chances of an attacker gaining unauthorised access, even if they have managed to steal a password.

3. Verify unusual requests

In cases where a financial transaction or sensitive information is requested via email, solicitors should always verify the request through a secondary communication channel (e.g. a phone call) before taking action. Even if an email appears to come from a trusted source, it's better to double-check than to risk falling victim to a well-executed spear-phishing attack.

4. Keep software and systems updated

Hackers often exploit vulnerabilities in outdated software to gain access to systems. Solicitors should ensure that all operating systems, security software, and applications are updated regularly with the latest patches to protect against potential threats.

5. Implement strong email filtering

Using advanced email filtering systems can help block potential phishing attempts before they even reach the inbox. These systems often detect and block suspicious emails by analysing the sender’s address, content, and attachments for signs of phishing activity.
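To make the sender and content checks concrete, the sketch below is an added example, not code from the article or from any filtering product. It flags an inbound message for the impersonation signs described above: a lookalike sender domain, a Reply-To that diverts replies elsewhere, failed SPF/DKIM/DMARC results, and payment-change wording. The domains, sample messages and keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the firm already corresponds with (constructed values).
KNOWN_DOMAINS = {"client.example", "firm.example"}
PAYMENT_TERMS = re.compile(r"\b(bank details|new account|iban|transfer|urgent)\b", re.I)

# Constructed sample messages, not real mail.
SUSPICIOUS = (
    "From: Mary Byrne <mary@cl1ent.example>\n"
    "Reply-To: accounts@mailbox.example\n"
    "Authentication-Results: mx.firm.example; spf=pass; dkim=none; dmarc=fail\n"
    "Subject: Urgent: updated bank details for completion\n\n"
    "Please transfer the balance to our new account today.\n")
BENIGN = (
    "From: Mary Byrne <mary@client.example>\n"
    "Authentication-Results: mx.firm.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Completion date\n\n"
    "Please find the signed contract attached.\n")

def edit_distance(a, b):
    # Levenshtein distance, used to spot near-miss spellings of known domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_indicators(raw):
    msg, found = message_from_string(raw), []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Unknown domain within two edits of a known one, e.g. "cl1ent" for "client".
    if sender not in KNOWN_DOMAINS and any(
            edit_distance(sender, d) <= 2 for d in KNOWN_DOMAINS):
        found.append("lookalike-domain")
    if reply_to and reply_to != sender:
        found.append("reply-to-mismatch")
    auth = (msg["Authentication-Results"] or "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)", auth):
        found.append("auth-failure")
    # Assumes a single-part plain-text body, as in the samples above.
    if PAYMENT_TERMS.search(f"{msg['Subject']} {msg.get_payload()}"):
        found.append("payment-language")
    return found
```

A message that raises any of these flags is a candidate for the phone-call verification in point 3 rather than for automatic rejection, since legitimate clients do sometimes change bank details.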

6. Encrypted communications

Solicitors should prioritise encrypted communication methods for sharing sensitive client information. Whether through encrypted email or secure client portals, ensuring that communications are protected helps safeguard against interception by hackers.

The bottom line: employ a zero trust mentality

Employing a “Zero Trust” mentality is essential in protecting client accounts. All requests must be questioned and verified. Regular training, advanced security protocols, and vigilance can go a long way in keeping client accounts safe from cybercriminals.

The legal profession is built on trust, and safeguarding client funds is an essential part of maintaining that trust. Spear-phishing and other cyber threats pose real risks, but with proactive measures, solicitors can significantly reduce the chances of falling victim to such attacks.

As the digital landscape continues to evolve, so too must the ways in which solicitors protect their clients. Cyber security isn't just a precaution; it's a vital part of maintaining the integrity of the legal profession in an increasingly connected world.

 

Paul Delahunty is Chief Information Security Officer at Stryve, a leading Irish multi-cloud and cybersecurity company and ICTTF Cyber Security Company of the Year 2022. Paul is CIO and IT Leaders Security Leader of the Year 2023 and 2024, and is the Tech Excellence Awards CIO of the Year 2024.

 

Resources and support

The Law Society aims to help solicitors minimise their cybersecurity risk through information and resources targeted to the profession.