Professional Services, SMB IT | 4 March, 2020

The three biggest email security threats faced by professional service firms

Being on the wrong end of a successful cyber attack can be a disaster for any professional service firm. It hurts both finances and reputation, so you must do all you can to guard against it.

One of the most common techniques used by hackers is to compromise a firm’s cyber security through email. According to a recent email security report by Mimecast – a leading cybersecurity provider – 91% of firms experienced an email attack in 2019. And the threat is growing – the report showed a 67% increase in impersonation/compromise (spoofing) attacks and a 54% increase in phishing emails.

In the legal sector alone, The Law Society reports that 52% of firms have recently detected an attack, with the most common types being phishing emails, spoofing and malware attacks.

But how exactly do email attacks manifest themselves – and how can you prevent them?

Here’s an explanation of the three main ways that cyber criminals use emails – and advice on how you can protect your firm:

1. Phishing

Phishing is the fraudulent practice of sending emails that purport to come from a trusted party, such as a bank, a supplier or a colleague. The aim is usually to persuade the recipient to reveal valuable information, e.g. usernames, passwords and financial details, or to take an action such as approving a payment or changing a supplier's bank details.

And it is incredibly common. According to a report from the National Cyber Security Centre, phishing is the most common cyber attack affecting the legal sector. Of course, it is not just law firms: anyone with an email address has dealt with a phishing attempt at some point. It takes little skill or technical expertise to attempt this type of fraud, which shows in the amateurism of most phishing emails. But although most are easily spotted, some are sophisticated and convincing (a well-timed message that appears to come from a known client or supplier, for example) and lead to large losses when they are mistaken for genuine emails.

The biggest factor in stopping phishing attacks is proper staff training. It is vital that all your employees are trained on the risk of phishing, know how to spot suspicious emails (an unexpected request, pressure to act urgently, a sender address or link that does not match the name shown, a request for credentials or a change of bank details) and know what to do with one: do not reply, do not click, and report it to IT. Training reduces the number of people who fall for a phish but never eliminates it, so pair it with multi-factor authentication, so that a stolen password alone is not enough to get into your accounts, and with a simple, blame-free way to report a click so that the response can start quickly.
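The signs staff are trained to spot can also be checked automatically before a message reaches an inbox. The Python below is an added example, not code from the original article or from Oosha: it parses a raw email and reports three classic phishing tells, a display name that mentions your domain while the real address is elsewhere, a Reply-To that goes to a different domain than the From address, and a link whose visible text shows one website while the href points to another. The sample messages and all domain names in it are constructed for illustration, and the checks are heuristics that flag a message for a human, not proof that it is malicious.

```python
"""Heuristic phishing checks on a raw email (added example, not from the article)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the domains are hypothetical. It shows a display
# name borrowing the firm's domain, a Reply-To pointing elsewhere, and a link
# whose visible text and real destination differ.
SAMPLE_EMAIL = """\
From: "Accounts - lawfirm.example" <accounts.lawfirm@freemail.example>
Reply-To: invoices@collect-pay.example
To: partner@lawfirm.example
Subject: Overdue invoice - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice at
<a href="http://login.lawfirm.example.collect-pay.example/x">https://portal.lawfirm.example/invoices</a>
and confirm your username and password.</p>
</body></html>
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_EMAIL = """\
From: Jane Clerk <jane.clerk@lawfirm.example>
To: partner@lawfirm.example
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at 1pm.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw, trusted_domain):
    """Return a list of reasons the message looks like phishing (empty list = nothing found)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    froms = msg["From"].addresses if msg["From"] else ()
    if not froms:
        return ["no parseable From address"]
    sender = froms[0]
    from_domain = sender.domain.lower()

    # 1. The display name drops our domain name, but the address is somewhere else.
    if trusted_domain in sender.display_name.lower() and from_domain != trusted_domain:
        reasons.append(f"display name mentions {trusted_domain} but sender is {from_domain}")

    # 2. Replies are steered to a different domain than the apparent sender.
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text shows one host while the href leads to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text).hostname if "://" in text else None
            actual = urlparse(href).hostname
            if shown and actual and shown != actual:
                reasons.append(f"link text shows {shown} but points to {actual}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(raw, "lawfirm.example"))
```

Run as a script, the sample message produces three findings and the clean message none. In practice checks like these sit in a mail gateway or a SOC triage script and add a warning banner or route the message for review; they are cheap to evade, which is why they complement rather than replace DMARC and staff awareness.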

2. Spoofing

Spoofing is where a cyber criminal attempts to obtain confidential information from others, e.g. your clients or suppliers, by impersonating your firm. This is usually done by sending fake emails that purport to come from your account and can even carry your domain name in the From: address, because plain email does nothing by itself to check that a sender is who they claim to be. This can obviously have severe implications for your clients and your firm if people respond to a message that, to all intents and purposes, appears to come from your company.

According to 2019 cyber security stats for the UK legal sector, published by The Gazette, 91% of firms are exposed to having their addresses spoofed and then used to send fraudulent emails.

You can counter spoofing with DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. In basic terms, DMARC is a record you publish in your domain's DNS that builds on two older checks: SPF, which lists the servers allowed to send mail for your domain, and DKIM, a cryptographic signature that a legitimate sender adds to each message. The record tells receiving mail servers what to do with a message that claims to come from your domain but fails those checks: deliver it anyway (p=none), treat it as spam (p=quarantine) or refuse it (p=reject). It also asks receivers to send you regular reports, so you can see who is sending mail in your name and quickly rectify the problem. Without DMARC, spoofing of your domain could carry on without your knowledge. Note that a record with p=none only monitors, so spoofed mail is still delivered; the aim should be to move to quarantine and then reject once you have confirmed that your own legitimate senders (including any third-party services that send on your behalf) pass the checks. Cyber criminals are also far more likely to target domain names that lack DMARC protection.
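To make the mechanism concrete, the Python below is an added example, not code from the original article or from any mail provider. It parses a DMARC record and then applies the core DMARC rule to a message: the message passes only if SPF or DKIM passes and the domain that passed "aligns" with the domain in the visible From: header, otherwise the record's p= policy decides its fate. It is deliberately simplified: the domain names are hypothetical, the "organisational domain" is taken as the last two labels rather than looked up in the Public Suffix List, and the sp= and pct= tags are ignored.

```python
"""Simplified DMARC record parsing and message evaluation (added example)."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= tag must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # alignment is relaxed unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (an assumption;
    real implementations consult the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF was checked against (the envelope sender);
    dkim_domain is the d= value of a verified DKIM signature, or None.
    DMARC passes if either mechanism passes AND aligns with the header From domain.
    """
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, record["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]  # p=none means: deliver anyway, but report it


def policy_strength(record):
    """One-line assessment of what a record actually buys the domain owner."""
    p = record["p"]
    if p == "none":
        return "monitoring only: spoofed mail is still delivered"
    if "rua" not in record:
        return f"{p}: enforced, but no rua= address so you receive no reports"
    return f"{p}: enforced, reports to {record['rua']}"


# Constructed records for a hypothetical firm: one still in monitoring mode,
# one enforcing rejection with strict DKIM alignment.
MONITOR = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@lawfirm.example")
ENFORCED = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@lawfirm.example; adkim=s")


def demo():
    """Evaluate five constructed messages; see the usage note for what each shows."""
    genuine = evaluate(ENFORCED, "lawfirm.example", "pass", "mail.lawfirm.example", "none", None)
    spoof_enforced = evaluate(ENFORCED, "lawfirm.example", "pass", "attacker.example", "none", None)
    spoof_monitor = evaluate(MONITOR, "lawfirm.example", "pass", "attacker.example", "none", None)
    signed_third_party = evaluate(ENFORCED, "lawfirm.example", "pass", "bulkmail.example",
                                  "pass", "lawfirm.example")
    strict_mismatch = evaluate(ENFORCED, "lawfirm.example", "pass", "bulkmail.example",
                               "pass", "newsletters.lawfirm.example")
    return genuine, spoof_enforced, spoof_monitor, signed_third_party, strict_mismatch


if __name__ == "__main__":
    for name, rec in (("monitor", MONITOR), ("enforced", ENFORCED)):
        print(name, "->", policy_strength(rec))
    print(demo())
```

The five messages in demo() show the cases that matter in practice: the firm's own mail host passes SPF on a subdomain and aligns under relaxed SPF alignment; a spoof sent from an attacker's server passes SPF for the attacker's own domain but does not align, so it is rejected under p=reject yet still delivered under p=none; a newsletter service that signs with DKIM d=lawfirm.example passes even though SPF belongs to the service; and the same service signing with a subdomain fails because the record demands strict DKIM alignment. The last case is the usual reason firms stay on p=none longer than they should, and the reports the record asks for are how you find it.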

3. Malware

Simply put, malware (short for ‘malicious software’) is a programme designed to spy on, or cause damage to, computer systems.

One of the most common ways for malware to enter your systems is through staff opening email attachments. Word, Excel and PDF files are all used by attackers to carry malicious code: a macro in an Office document, or a script or exploit inside a PDF, runs when the file is opened and typically installs further software that the attacker uses later. For example, that software can be used to capture passwords or financial details as they are typed. The most notorious type is ransomware, where the installed programme encrypts the files and data in your systems so that you can no longer use them and the attackers demand a ransom for the key. Paying is no guarantee that you get your data back, which is why tested backups matter as much as prevention.

There are some sensible precautions you can take against malware. The most obvious is to ensure staff do not open attachments they were not expecting, and that they check with the sender by another route (a phone call, not a reply to the email) if in doubt. Back this up with technical controls: block executable and script attachments at the mail gateway, disable Office macros in files that came from the internet, and keep your firewalls, anti-malware software, operating systems and the Office and PDF applications themselves fully updated so that known vulnerabilities cannot be exploited. Finally, keep regular backups that are offline or otherwise out of reach of an attacker on your network, and test that you can restore from them.
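The gateway-side part of that advice can be illustrated with the Python below, an added example that is not code from the original article or from any product. It triages an attachment by name and content: blocking executable and script extensions, double extensions such as invoice.pdf.exe and files whose bytes reveal a Windows executable whatever the name says, and quarantining Office documents that contain a VBA macro project or PDFs that carry JavaScript or auto-run actions. The attachments are constructed in memory (the .docx files are minimal zip archives, not real documents), and the PDF check is a plain-text heuristic that real malware can obfuscate, so treat this as a first filter in front of a proper anti-malware scanner, not a replacement for one.

```python
"""Triage email attachments by name and content (added example, not from the article)."""
import io
import zipfile

# Extensions that run code when double-clicked, or that Windows mounts and then runs from.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "lnk", "iso", "img"}
# Office formats whose extension already declares that macros are present.
MACRO_ENABLED_OFFICE = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# Leading bytes ("magic numbers") of the formats we care about.
MAGIC = {"pdf": b"%PDF-", "exe": b"MZ", "zip": b"PK\x03\x04"}


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def ooxml_has_macros(data):
    """Office 2007+ files are zip archives; a VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'allow'."""
    reasons = []
    ext = extension(filename)
    parts = filename.lower().split(".")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"executable or script extension .{ext}")
    # Double extension such as invoice.pdf.exe, used to disguise the real type.
    if len(parts) > 2 and parts[-2] in ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"):
        reasons.append("double extension hides the real file type")
    # Content that contradicts the name: a renamed Windows executable, a fake PDF.
    if data.startswith(MAGIC["exe"]) and ext != "exe":
        reasons.append("file is a Windows executable despite its extension")
    if ext == "pdf" and not data.startswith(MAGIC["pdf"]):
        reasons.append("claims to be a PDF but lacks the PDF header")
    # Macros: declared by the extension, or found inside an ordinary .docx/.xlsx archive.
    if ext in MACRO_ENABLED_OFFICE or (data.startswith(MAGIC["zip"]) and ooxml_has_macros(data)):
        reasons.append("Office document contains a VBA macro project")
    # PDF features commonly abused (heuristic: real samples may encode these to hide them).
    if data.startswith(MAGIC["pdf"]) and any(k in data for k in (b"/JavaScript", b"/OpenAction", b"/Launch")):
        reasons.append("PDF contains JavaScript, OpenAction or Launch")
    if any("executable" in r or "double extension" in r for r in reasons):
        return "block", reasons
    if reasons:
        return "quarantine", reasons
    return "allow", reasons


def make_docx(with_macro):
    """Build a minimal OOXML-style zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments covering the cases above.
SAMPLES = {
    "engagement-letter.docx": make_docx(with_macro=False),
    "invoice.docx": make_docx(with_macro=True),  # macro hidden in a plain .docx
    "statement.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R >> endobj\n",
    "brief.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "scan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # executable renamed to look like an image
}


def triage_all():
    """Verdict for every constructed sample, keyed by filename."""
    return {name: triage(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reasons = triage(name, data)
        print(f"{name}: {verdict} {reasons}")
```

Note the invoice.docx case: the extension looks harmless, but the archive contains a vbaProject.bin, which is exactly the kind of file that macro-blocking policies and gateway rules need to catch rather than trusting the name.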


In summary

Email remains integral to any business, but its use in crime is an ever-present threat to professional services firms. Phishing, spoofing and malware are the three most common forms that threat takes.

Prevention is the best form of defence, so with a bit of thought and organisation, it is possible to protect yourself from cyber criminals who target you through email. This normally means a combination of tech updates and staff education, which will help keep your firm, your data and your clients safe from the hackers.

For more information on cyber crime risks - and how employees can play an integral role in safeguarding your firm – watch the Oosha webinar on social engineering.

Posted by Wayne Barber
