Festive phishing

24th December 2024

Law firms are not immune to cybercrime, fraud and deepfakes. In fact, security experts advise that they are a favourite target for cyber criminals due to the amount of data held.

The risk of theft by fraudulent ‘phishing’ emails remains an ever-present threat. It is still the top cause of cyber breach or attack; see the UK Government’s Cyber Security Breaches Survey 2024. Law firms are not immune to this risk and in fact, security experts advise that they are a favourite target for cyber criminals, due to the amount of data held.

Just as Friday afternoon frauds are recognised risks, busy times of year and holiday seasons are also danger periods. As we barrelled toward the end of the year and practitioners navigated December deadlines and Christmas preparations, it was important to remain on high alert.

Last highlighted in the Journal in early 2023 as part of Cyber Scotland week (see The red flags to watch for in phishing emails), it’s time to revisit this tricky area of risk to look at the various ways a firm can be targeted. Phishing is just one method of using the way we communicate to illegally obtain funds. These methods can be broadly divided into four categories:

Phishing

By now, most of us are probably somewhat familiar with the concept of phishing. These are fake emails purporting to be from a client, colleague or a reputable business. The emails will tell the recipient that they need to do something and will generally include a fake attachment or link that will either cause corruption in a firm’s computer systems or allow access for hackers.  

Smishing

This is the phrase now used for scam texts. The classic example from day-to-day life is a text saying that your parcel couldn’t be delivered and asking you to click on a link to re-arrange delivery. Look out for these appearing on company-issued mobiles as well as your personal device.  

Quishing

This relates to fake QR codes which can be stuck over genuine ones – for example, on a parking meter. These will then take the unwitting user to a fake website where, of course, they will be directed to put in payment details.

Vishing

Extremely relevant in the workplace, vishing describes fraudulent phone calls and (a more recent development) video calls. For example, a busy solicitor may get a call allegedly from IT support, advising them that they must do an update on their laptop immediately. Or the trainee may pick up the phone to someone posing as the managing partner who has lost their phone and needs them to arrange an urgent bank transfer.

Fraudulent video calls are now a concern, thanks to the murky world of AI deepfakes. In simple terms, a deepfake is an artificial video that will use a known individual and show them appearing to say or do something that they did not. In the context of the work of a law firm, a deepfake may impersonate a senior colleague or they could impersonate a client or third party in order to elicit payment from the firm.

There is no doubt that we must now be on high alert for all these methods of fraud. As phishing is still the most prevalent method used, here is a useful acronym to remember the red flags:

SLAM!

This stands for Sender, Links, Attachments, Message. Taking each one in turn:

Sender

  • Unknown senders: who is this email from? Is the sender unfamiliar? Be wary of emails from unfamiliar sources. Even if you recognise the sender, verify the email using another source.
  • Spoofed email addresses: does the email address look slightly odd? Check for spelling mistakes or additional letters, numbers or symbols (although remember that phishing emails are now highly sophisticated and the address may look correct).
  • Large recipient or cc list: if the email was sent to many recipients, this could be an indicator of phishing, especially if you can see the other email addresses. Threat actors will often send emails to multiple recipients, hoping that at least one will be compelled to act, and they are unlikely to have the same regard for data protection as genuine senders!

Links 

  • URL inspection: if in doubt, DO NOT CLICK! Hover over any URL to reveal the address. You may find that it contains spelling mistakes or additional letters, numbers or symbols.

Attachments

  • Unexpected attachments: do not open or download attachments from unknown or unexpected senders.
  • File types: be particularly careful with attachments that are executable files (for example, ending in .exe, .zip or .docm).
  • Verify: if you know the identity of the sender but you were not expecting to receive an attachment from them, contact them in another way (don’t send a reply to the same email).   

Message

  • Greetings: is the greeting oddly generic (“Dear customer”, “Attention account holder”)?
  • Poor spelling and grammar: these may not necessarily be present in a phishing email but they are still a red flag to watch out for.
  • Sense of urgency and threatening language: are you being asked to do something immediately? Does the message warn of dire consequences for not acting on it? Threat actors will try to elicit panic in the recipient. Check with an outside source if you are worried.
  • Current events: threat actors like to take advantage of current topics. They may leverage awareness of a recent publicised security breach to play on the recipient’s concerns.
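
The SLAM red flags above can also be checked mechanically by a mail filter or a reporting tool. The Python example below is added here for illustration and is not part of the original article or of any Lockton or Law Society tool; the trusted domain examplefirm.co.uk, the urgency word list, the recipient threshold and the sample message are all assumptions constructed for the example.

```python
import difflib, re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

KNOWN_DOMAINS = ["examplefirm.co.uk"]   # assumption: domains the firm already trusts
RISKY_EXT = (".exe", ".zip", ".docm")   # file types named in the article
MESSAGE_RX = {                          # greetings from the article; urgency words assumed
    "generic greeting": re.compile(r"dear customer|attention account holder", re.I),
    "urgent language": re.compile(r"\b(immediately|urgent|final notice)\b", re.I)}
# Simplified match for anchors whose visible label looks like a URL; not a full HTML parser.
A_TAG = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>\s*'
                   r'((?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/[^<\s]*)?)\s*</a>', re.I)

def slam_flags(msg, max_recipients=10):
    """Return SLAM red flags for an EmailMessage as 'category: detail' strings."""
    flags = []
    # Sender: unfamiliar or lookalike domain, and an unusually wide To/Cc list
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if domain not in KNOWN_DOMAINS:
        near = difflib.get_close_matches(domain, KNOWN_DOMAINS, n=1, cutoff=0.8)
        flags.append(f"sender: {domain} " + (f"resembles {near[0]}" if near else "is unfamiliar"))
    rcpts = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    if len(rcpts) > max_recipients:
        flags.append(f"sender: {len(rcpts)} recipients visible")
    # Links: the visible text names one host, the href points at another
    html = msg.get_body(("html",))
    for href, label in A_TAG.findall(html.get_content() if html else ""):
        shown = urlparse(label if "//" in label else "//" + label).hostname
        if shown != urlparse(href).hostname:
            flags.append(f"links: text shows {shown}, href goes to {urlparse(href).hostname}")
    # Attachments: file types the article singles out
    flags += [f"attachments: {p.get_filename()}" for p in msg.iter_attachments()
              if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    # Message: generic greeting, pressure to act immediately
    body = msg.get_body(("plain", "html"))
    text = body.get_content() if body else ""
    flags += [f"message: {name}" for name, rx in MESSAGE_RX.items() if rx.search(text)]
    return flags

def constructed_sample():  # constructed message; every name, address and URL is made up
    m = EmailMessage()
    m["From"] = "Managing Partner <mp@examp1efirm.co.uk>"
    m["To"] = ", ".join(f"user{i}@examplefirm.co.uk" for i in range(12))
    m.set_content("Dear customer, pay this invoice immediately.")
    m.add_alternative('<p>Pay at <a href="https://pay.example.net/x">'
                      'www.examplefirm.co.uk</a></p>', subtype="html")
    m.add_attachment(b"PK", maintype="application", subtype="zip", filename="invoice.zip")
    return m
```

A flag from a check like this is a prompt to verify through another channel, not a verdict; as the list above notes, a sophisticated phishing email may raise none of them.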

 

How to Avoid Phishing Attacks

It’s important for firms to employ a mix of technology-based defences, workforce education and robust policies and procedures to detect and defeat phishing attacks.

Security is key.

If you are unsure of the protections you have in place, or if you know your firm’s security needs an upgrade, the Law Society of Scotland’s Guide to cybersecurity is a good place to start. It contains more in-depth information on current cyber threats and advice on how to prepare for and respond to a cyber attack. The Law Society has also curated trusted partners in the cyber security world to whom you can turn for more tailored advice.   

People power

Any cyber security specialist will tell you that people are the last line of defence when it comes to preventing an attack through phishing or a similar method. Training is vital. All staff need to know how to be vigilant and what to do if they think an email or other communication is fraudulent. If you have not already done so, it is a good idea to put a specific training programme in place covering phishing and other cyber threats. Consider running a regular phishing campaign where staff are deliberately sent a ‘would be’ fraudulent email. These can monitor how many employees click on a fraudulent link or open an attachment and identify training needs.

On this note, look out for Lockton’s new phishing online training modules, which will be released on our website soon. These are freely available to the Scottish legal profession and will provide 30 minutes of CPD for each module.

Make sure that all staff know the importance of reporting a suspected phishing email, and how to report it. There should be a clear pathway for employees to alert your IT support, who can then take the appropriate action, including blocking malicious senders.  

Cyber insurance

Subject to its terms and conditions, the Master Policy itself will typically respond to any situation involving loss of client account funds that were in the control of the law firm, regardless of whether that loss has been caused by a cyberattack or fraud.

However, there are situations where a cyber incident will lead to first party costs and, generally, these will not be covered under the Master Policy. Examples include where there is a data breach event or a ransomware attack. In these circumstances, a well-written cyber policy can help to protect a firm when an incident occurs. Firms interested in learning more about the protection offered by a cyber insurance policy can approach Lockton, or their own insurance brokers, for more information.

So, as we enter a new year, the message is to stay vigilant and don’t unwrap any unwanted belated gifts that may appear in your inbox.

Article written by Lockton as part of their Journal and Law Society partnership
