Cyber security

Why this risk matters

  • Solicitors face continuing threats from cybercriminals who target law firms because of the money and information they hold. Attacks can also threaten a firm’s own operations or its reputation.
  • Cybercrimes and scams include:
    • email modification fraud – where criminals intercept and falsify emails between a client and their firm, leading to bank details being changed and money being lost
    • phishing and vishing – where criminals email or phone to obtain confidential information, such as a password, through gaining the trust of a solicitor or other member of staff
    • malware – harmful software that includes viruses and ransomware programs, which encrypt files and demand a ransom in return for decrypting the files
    • CEO fraud – where criminals impersonate a senior figure at a firm through hacking, or having a very similar email address, to impose authority and order money transfers
    • identity theft – where bogus firms copy the identity and brand of a firm.


  • There has been a continuing increase in the reports of cybercrimes to us. We received 157 reports in 2017, up 52%, compared to 103 in 2016. And there were 76 reports in the first half of 2018, which is 10% more than in the first half of 2017.
  • In 2016, £9.4m of client money was reported to us as lost to cybercrime, increasing to £10.7m in 2017. This has dropped in 2018. But we suspect there is some underreporting, particularly where money is replaced promptly. This is because we are seeing fewer reports than we would expect given the media reporting of the frequency of these attacks.
  • Many of the reports show that firms have stopped client money being stolen by having appropriate defences in place, such as up to date systems and training their staff to recognise suspicious activities. The Law Society's review of professional indemnity insurance claims also shows that most attempted cybercrimes do fail, though the consequences of successful attacks remain very serious.
  • Email modification fraud accounted for 80% of all cybercrime reports in the second quarter of 2018. When used to steal conveyancing money it is also known as 'Friday afternoon fraud', as many of these transactions take place on Friday afternoons.
  • The large sums of money involved means that conveyancing will always be a target for email modification fraud. However, more than half of the email modification fraud reports now relate to other areas of work. This suggests that criminals are shifting to a wider range of targets as conveyancers are now more aware of the threat.
  • Almost all other cybercrime reports also involve some form of forgery to deceive staff into responding, rather than explicit hacking of the firm’s systems.

What firms can do

  • The best defences against many cyberattacks are to:
    • keep systems updated
    • use antivirus software on all devices
    • backup important information frequently and securely, and learn how to restore the system from a backup
    • encrypt mobile devices and install a system to track and delete the data if devices are lost
    • make sure all staff know how to create secure passwords
    • avoid using administrator accounts (those with the privilege to access other users’ accounts and install software) for regular work that does not involve maintaining the IT system
    • make sure all staff know how to recognise the signs of email modification fraud and common phishing scams
    • plan how to respond to an attack or other incident.
  • Firms should not let any unused internet domain names expire, for example when they merge, close or change brand. A criminal who falsely re-registers the old name can potentially get access to email histories including client confidential material, bank correspondence and the information needed to reset passwords. It also makes it easier to hold themselves out as a solicitor. Keeping control of obsolete domain names is an inexpensive way to prevent this fraud.

What we are doing

  • Our paper on IT security: keeping information and money safe gives more detailed advice on how to defend against cybercrime. The National Cyber Security Centre (NCSC) also give advice and information, including specific guidance for smaller businesses. We will be publishing more information on how firms are using advanced IT, including artificial intelligence. As part of this, we are working with the NCSC to include the latest recommendations on how to protect systems from attack.
  • Data breaches that might be serious breaches or misconduct should be reported to us through our Report Team. We are also interested in evidence of other cybercrime that affects firms and their clients. These can be sent to our Fraud Intelligence Unit. We want firms to be clear on what, and when, they should report concerns to us over issues that may lead to regulatory action. We have consulted on giving clarity around these practical decisions. The Reporting Concerns consultation responses are being analysed and we will share our findings shortly.
  • We consider each breach reported to us on a case by case basis. When necessary, we have taken regulatory or disciplinary action against firms when they did not:
    • take reasonable steps to protect themselves or check their client’s instructions
    • follow basic security guidance
    • report the incident, where appropriate
    • act to remedy the losses.