Spear-phishing attacks are tailored to specific professions or individuals. In targeting the legal profession, they can appear to be from a court, a vendor, or even someone inside the firm.
Cai Thomas, cyber security consultant at Tessian, explains that criminals can broadcast introductory emails that appear legitimate and have no attachments or malicious links. Criminals know that the recipients who reply to these innocent-looking emails are more likely to fall for more targeted attacks. They can then look up the names of, for example, managing partners to fashion much more convincing, fraudulent emails.
The cyber thieves mine law firm websites and LinkedIn to identify targets and craft convincing emails. After identifying firms whose people are more responsive to seemingly authentic messages, they will pose as important people within law firms, requesting transfers of money or attaching an infected file "for urgent review."
According to Osterman Research, phishing is the most common cyber attack affecting the legal profession, with attempts hitting 80% of law firms in a recent year.