Introduction

We are seeing a huge uptick in our client law firms reporting serious cyber-attacks. This has been corroborated by Police cyber teams who have reported a significant increase in the targeting of law firms in the past few months. 

A commonality in all these recent attacks has been the attackers’ ability to bypass two-factor authentication (2FA) on email systems. Although 2FA has been the cornerstone of modern cybersecurity, through AI, hackers have found vulnerabilities that they can exploit. 
 

Methods

The most common attack methods seen recently are:

• Phishing emails: capturing both passwords and 2FA tokens in real time via fake login pages
• Social engineering: convincing staff to reveal login codes or approve authentication requests
• 2FA 'fatigue' attacks: repeatedly sending push notifications until a user accepts one

All recent attacks on our clients have been via phishing emails. 
 

Bypassing 2FA via phishing attacks: modus operandi

The attacks often start with an email matter enquiry e.g. a conveyancing transaction that goes directly to a fee earner or from the firm’s website contact page. Either in that email or in a subsequent email it will ask the fee earner to download relevant documents via a hyperlink.

Clicking on the link opens a fake Microsoft 365 or document sharing page. The web page will be identical to the real login page but it is controlled by the attacker and sits in the middle of the login process. 

As the login credentials are entered, they are passed instantly to the real system which sends a real 2FA challenge to the user. The user approves it thinking they are logging in. The attacker captures the authenticated session and gains access to email, cloud storage or case management systems.

The attacker will usually access emails  to identify opportunities to obtain monies. Typically, that might result in them locating conveyancing clients at the stage where the firm will be requesting deposit monies.

Emails are sent to the clients asking for the monies and providing the attacker’s bank details. Many clients are duped by this – often the only give away is the account name which will bear little resemblance to the firm’s name. 

Everything happens very quickly. 
 

How firms can protect themselves from 2FA bypass scams

1. Cyber Essentials 

As a bare minimum, we recommend law firms seek Cyber Essentials. This is a low cost accreditation that protects businesses against the most common cyber threats.

 

The JRS Difference

With our huge experience of negotiating these audits with our clients you can be confident that we know what we are doing. What we would say is that contacting us just after receiving an audit letter from the SRA is a little late in the day. Whilst we can help point you in a direction that is fully compliant, it is too late to do anything about the files that the SRA will be examining. Therefore, it is preferable to get us involved in advance of an audit. If you haven't yet had an SRA audit it is highly likely you will be selected in the next six months so please Contact Us now if you are not fully confident about your AML compliance.