Phishing scams try to trick people into sharing personal or financial information by posing as someone trustworthy such as the police or your bank.

Phishing attacks usually happen through email and can infect your computer with malware disguised as an attached document or link. They can also happen by phone (known as vishing), text message or social media.

Bigger firms are attractive to criminals because of the large amount of client data and money they hold. Smaller firms are also at risk if they have not taken the necessary cybersecurity measures.

Types of phishing

There are two main types of phishing:

  • mass emails sent out to thousands of people
  • ‘spear phishing’ - targeted emails sent to individuals where a criminal impersonates a client or someone the person knows at their firm

Recognising a phishing email

Check for emails:

  • with poor grammar and spelling
  • asking for personal or financial information
  • with links to a website you don’t recognise
  • requesting urgent action
  • encouraging you to open any attachments
  • where the sender’s email address may look unusual or unfamiliar

Preventing a phishing attack

You should:

  • treat emails containing links or attachments with caution
  • only open attachments from trusted sources – if in doubt, contact the sender to check if they actually sent the email
  • check that a link’s real destination matches its text by hovering your cursor over it – the web address it actually points to should appear
  • contact your IT department if you’re concerned
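As an added example (not part of the Law Society’s guidance), the Python script below applies the checks listed above and the hover-over-the-link advice to a raw email: it flags a sender domain the firm does not recognise, link text that shows one web address while the link actually points to another host, wording that pushes for urgent action, and attachments. The set of trusted domains and the sample message are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "act now")
# Simple patterns, enough for plain HTML mail bodies: <a href="...">text</a>, and
# visible text that reads like a web address (optionally with a path)
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
APPARENT_HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/|$)", re.I)

def phishing_indicators(raw_message, trusted_domains):
    """Return the checklist items an email trips; an empty list means none tripped."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    # 1. sender address domain that is not one the firm knows
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        reasons.append(f"unfamiliar sender domain: {sender_domain or '(none)'}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # 2. link text that shows one address while the href points somewhere else
    if body and body.get_content_type() == "text/html":
        for href, shown in ANCHOR.findall(text):
            shown = re.sub(r"<[^>]+>", "", shown).strip()
            apparent = APPARENT_HOST.match(shown)
            real = (urlparse(href).hostname or "").lower()
            if apparent and apparent.group(1).lower() != real:
                reasons.append(f"link text {shown!r} actually goes to {real}")
    # 3. wording that pushes for urgent action
    if any(word in text.lower() for word in URGENT_WORDS):
        reasons.append("requests urgent action")
    # 4. attachments the reader is being encouraged to open
    if any(True for _ in msg.iter_attachments()):
        reasons.append("carries an attachment")
    return reasons

# Constructed sample message (not real mail) that trips three of the four checks
SAMPLE = (
    "From: Senior Partner <partner@firm-example.co.uk>\n"
    "Content-Type: text/html\n\n"
    '<p>Please pay <a href="http://payments.example.net/x">'
    "www.example-firm.co.uk/invoices</a> immediately.</p>\n"
)

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE, {"example-firm.co.uk"}):
        print(reason)
```

A script like this is a teaching aid for the checklist, not a substitute for the email filtering described later on this page.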

Spear phishing

These emails target a particular individual or firm. They can appear to be from a client, supplier or someone in your firm with their email signature and phone number, such as:

  • a senior partner or director asking for payment of an attached invoice, which could contain false bank details or even a virus
  • a security alert appearing to come from within your firm, asking you to change your password

If you’re unsure how to recognise these emails, you should:

  • consider the sender and their request carefully
  • call the person and check the email is genuine

Protecting your firm

Cyber attacks usually succeed because of human error. Make sure your staff:

  • recognise phishing emails and their risks
  • create strong passwords and change them regularly
  • are given extra support and training if they handle financial or sensitive information
  • know to report a suspicious email to your firm’s compliance officer for legal practice or compliance officer for financial affairs – they are responsible for informing the Solicitors Regulation Authority (SRA)

You must make sure that you have appropriate cybersecurity in your firm. You should have:

  • email filters to scan and approve or block emails
  • up-to-date anti-malware and antivirus software
  • an incident response plan in case of attack

Read more about cybersecurity for solicitors

Reporting a phishing attack

You must tell the SRA immediately if you lose client money or information through a phishing attack. It will expect you to:

  • tell the client
  • repay any client money you lost
  • take steps to reduce risks of a further attack

It is usually difficult to get your money back after a phishing attack. But you must tell the SRA about the attack even if you manage to recover the money.

If you lose clients’ personal data you must report it to the Information Commissioner’s Office within 72 hours of discovering the breach.

If you receive a suspected phishing email, you can report it to:


Cybersecurity: what are the biggest threats for the legal sector?

National Cybersecurity Centre guidance on phishing

Blog: How to stay ahead of scammers

The cyber threat to UK legal sector – National Cybersecurity Centre 2018 report on how law firms can protect themselves against cyber crime
