Cyber-attack prevalence on the rise
By Dean Grindle, Cybercrime Specialist, JRS Consultants
8 June 2026
Introduction
We are seeing a huge uptick in our client law firms reporting serious cyber-attacks. This has been corroborated by some Police cyber teams who have reported a significant increase in the targeting of law firms in the past few months. A commonality in all these recent attacks has been the attackers’ ability to bypass two-factor authentication (2FA) on email systems. Although 2FA has been the cornerstone of modern cybersecurity, through AI, hackers have found vulnerabilities that they can exploit.
Methods
The most common attack methods seen recently are:
- Phishing emails: capturing both passwords and 2FA tokens in real time via fake login pages
- Social engineering: convincing staff to reveal login codes or approve authentication requests
- 2FA 'fatigue' attacks: repeatedly sending push notifications until a user accepts one
All recent attacks on our clients have been via phishing emails.
Bypassing 2FA via phishing attacks: modus operandi
The attacks often start with an email enquiry about a new matter, e.g. a conveyancing transaction, which goes directly to a fee earner or arrives via the firm’s website contact page. Either that email or a subsequent one will ask the fee earner to download relevant documents via a hyperlink.
Clicking on the link opens a fake Microsoft 365 or document sharing page. The web page will be identical to the real login page but it is controlled by the attacker and sits in the middle of the login process.
As the login credentials are entered, they are passed instantly to the real system which sends a real 2FA challenge to the user. The user approves it thinking they are logging in. The attacker captures the authenticated session and gains access to email, cloud storage or case management systems.
The attacker will usually access emails to identify opportunities to obtain monies. Typically, that might result in them locating conveyancing clients at the stage where the firm will be requesting deposit monies.
Emails are sent to the clients asking for the monies and providing the attacker’s bank details. Many clients are duped by this – often the only giveaway is the account name, which will bear little resemblance to the firm’s name.
Everything happens very quickly.
How firms can protect themselves from 2FA bypass scams
Cyber Essentials
As a bare minimum, we recommend law firms seek Cyber Essentials. This is a low-cost accreditation that protects businesses against the most common cyber threats. The Cyber Essentials website guides you through the process. It is a self-assessment procedure, but unless you are very IT-savvy you will need assistance from your IT support consultants to complete the process.
Cyber Essentials has become a mandatory requirement of Legal Aid Agency criminal contracts. In addition, Lexcel Version 7 is highly likely to make it compulsory.
Move beyond SMS-based 2FA
SMS codes are vulnerable to interception and SIM swapping by hackers. Where possible, you should adopt authenticator apps (e.g. Microsoft Authenticator, Google Authenticator) as they are more secure.
Staff Training
It goes without saying that you should maximise staff awareness about attack modes and precautionary steps. We recommend that awareness raising is:
Realistic: Emphasise the particular threat scenarios that the firm will face. Long-winded, generalist presentations will lead to people losing sight of the key messages.
Bite-sized: Little and often e.g. at regular team meetings
Focused: Ensure that training sessions reinforce:
- Never sharing 2FA codes
- Recognising 2FA fatigue attacks
- Verifying unexpected login prompts
- Reporting suspicious activity immediately
Conditional access and device controls
We recommend getting your IT support people to restrict logins based on:
- Location (e.g. UK-only access where appropriate)
- Device compliance (only managed devices permitted)
Monitor and respond to suspicious activity
We recommend that you enable alerts for:
- Repeated MFA requests
- Logins from unusual locations
Secure mobile numbers and accounts
It is recommended that you:
- Use business-controlled mobile contracts where possible
- Apply PINs/passwords with mobile providers
- Limit use of personal devices for firm systems
Identifying a 2FA Bypass Attack
2FA attacks are designed to look routine. The key for staff is recognising when something feels slightly off, because attackers rely on normalising abnormal behaviour. Examples include:
Unexpected authentication prompts
Typical red flags:
- Push notifications appearing “out of the blue”
- Login codes arriving by SMS or app without any action taken
- Prompts at unusual times (late night, early morning, or during leave)
These indicate that someone already has your password and is trying to complete the login.
Repeated 2FA requests (2FA fatigue)
Attackers often bombard users with prompts hoping they will eventually approve one just to stop the notifications. Staff should look for:
- Multiple prompts in quick succession
- Requests continuing after you have ignored or denied them
- Notifications that feel persistent or “nagging”
Number matching requests you didn’t initiate
With number-matching 2FA (e.g. Microsoft 365), you may be asked to enter or approve a number shown on a login screen. Red flags are:
- You receive a number request but are not logging in
- The number appears in a context you don’t recognise
This likely means that an attacker is actively trying to log in and needs your approval to proceed.
Requests triggered during a call or email
A common tactic is combining MFA prompts with social engineering. Examples are:
- Someone phones claiming to be IT support asking you to “approve a login”
- An email says your account is at risk and instructs you to accept a 2FA request
This likely means a coordinated attempt to trick you into approving access.
Login alerts from unusual locations or devices
You may receive security alerts showing:
- Sign-ins from unfamiliar locations (especially overseas)
- New or unknown devices
- “Impossible travel” (e.g. a login from the UK and another country minutes later)
This likely means that your credentials are being used elsewhere.
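The alerts recommended earlier (repeated MFA requests, logins from unusual locations) and the fatigue and “impossible travel” signs described above can be expressed as simple detection logic over sign-in records. The following is an added example, not code from JRS Consultants or from any email provider; the event layout, event names, thresholds and function names are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EVENTS = [  # constructed sample: (ISO time, user, event, latitude, longitude)
    ("2026-06-01T09:00:00", "fee.earner", "login_ok", 51.51, -0.13),   # London
    ("2026-06-01T09:20:00", "fee.earner", "login_ok", 1.35, 103.82),   # Singapore
    ("2026-06-01T08:00:00", "trainee", "mfa_approved", 53.48, -2.24),  # Manchester
    ("2026-06-01T08:00:05", "trainee", "login_ok", 53.48, -2.24),
    ("2026-06-01T12:30:00", "trainee", "login_ok", 51.51, -0.13),      # by train
    ("2026-06-01T23:01:00", "partner", "mfa_denied", 51.51, -0.13),
    ("2026-06-01T23:02:00", "partner", "mfa_denied", 51.51, -0.13),
    ("2026-06-01T23:03:00", "partner", "mfa_denied", 51.51, -0.13),
    ("2026-06-01T23:04:00", "partner", "mfa_approved", 51.51, -0.13),
]

def parse(events):  # time-ordered events with parsed timestamps
    return sorted((datetime.fromisoformat(t), u, e, la, lo) for t, u, e, la, lo in events)

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Map user -> True when a burst of MFA prompts ended in an approval."""
    recent, flagged = {}, {}
    for ts, user, event, _, _ in parse(events):
        if not event.startswith("mfa_"):
            continue
        recent[user] = [t for t in recent.get(user, []) if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            flagged[user] = flagged.get(user, False) or event == "mfa_approved"
    return flagged

def impossible_travel(events, max_kmh=900):
    """List (user, km, minutes) for successive logins faster than an airliner."""
    alerts, last = [], {}
    for ts, user, event, lat, lon in parse(events):
        if event != "login_ok":
            continue
        if user in last:
            prev_ts, plat, plon = last[user]
            km = km_between(plat, plon, lat, lon)
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 3600)
            if km > 50 and km / hours > max_kmh:  # 50 km floor ignores geolocation jitter
                alerts.append((user, round(km), round(hours * 60)))
        last[user] = (ts, lat, lon)
    return alerts
```

A burst that ends in an approval (the `True` value) is the case to escalate first, since it suggests the user gave in and a session was issued.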
Responding to a Cyber Attack
What staff should do immediately
If staff experience the warning signs set out above, the following actions are recommended:
- Do not approve any 2FA request you didn’t initiate
- Report it immediately to your IT team or supervisor
- Change your password (using a trusted device)
- Disconnect from networks if you suspect active compromise
- Follow the firm's incident response procedures
What the firm should do
If a 2FA bypass is suspected:
- Immediately revoke active sessions and reset credentials
- Review recent activity (emails sent, rules created, files accessed)
- Notify affected clients where appropriate
- Consider regulatory reporting obligations (e.g. to the SRA and ICO)
- Some firms should also consider reporting to the LAA or CJSM
Speed matters: early reporting can prevent financial loss and data breaches.
Cyber Insurance
The benefits
Once a ‘nice-to-have’, cyber insurance is now becoming a ‘must-have’ especially for conveyancing firms. As it stands only a small proportion of law firms have cyber cover but that is changing. Cyber insurance policies vary in scope and coverage and, unlike PII, there is no list of minimum terms and conditions that must be included in cover. Therefore it is vital to look at the policy wording in detail.
The most important aspect of a cyber policy is how it responds to a breach. The best policies give you immediate access to a team of experts who can assist with:
- Forensic IT investigation
- PR and crisis management
- Credit and identity-theft monitoring
- External legal advisers
What to look for in a policy
When seeking insurance you should look at what is covered by the policy, such as:
Breach costs: costs incurred responding to a data breach e.g. costs of a breach of client, third-party or staff confidential information.
Legal expenses: for specialist advice on your legal/regulatory obligations to avoid fines and penalties
IT forensics: costs of experts to investigate the cause and scale of the breach
Restoration costs: Costs incurred restoring and repairing damage to systems, software and data e.g. locating and removing malware, or re-establishing the ability to make secure payments
Response management: e.g. expert advice to help limit reputational damage, handling enquiries from concerned clients
Business interruption: Losses due to interruption of business following a cyber incident.
Reimbursement of revenue: Reimbursement of expenses incurred to minimise loss of revenue
Cyber extortion: Costs incurred responding to a threat such as ransom payments, consultants to handle negotiation
Third-party cover: This could include claims from clients/employees, regulatory fines
Ensure that you take out the right level of cover. Policies often start at £500K. Larger firms will need more than that as the costs of a breach taking all of the above into account can be huge.
The JRS Difference
We have significant knowledge of the types of scams that law firms can be subjected to, especially in a conveyancing context. Please contact us now if you are concerned about the risks to your firm.
