Cybercriminals, having recognized the vulnerability of clients who rely on legal services, are increasingly targeting law firms —
leading to a surge in impersonation cases around the world.
It’s easy to understand why legal practitioners and conveyancers are perfect targets of cyber-crime. There is the potential for invoice fraud via business email compromise (BEC) attacks, with the consequent theft (via interception) of client funds, and legal practices are also ideal targets for double extortion ransomware attacks. Whatever the nature of the crime, the financial loss for the victim, and the impact on the business that failed to protect them, can be irrevocable.
What does impersonation of a law firm look like?
Impersonating a law firm involves creating a fake identity that looks just like an established, reputable legal practice. Cybercriminals use various and sophisticated tactics, such as spoofing email addresses, forging official documents, and setting up fake websites to convince their targets of their legitimacy. Some common methods include:
- Spoofed Websites: Impersonators create websites that closely resemble those of reputable law firms, often using identical or slightly altered domain names.
- Email Phishing: Impersonators send phishing emails that appear to be from legitimate law firms, tricking recipients into disclosing sensitive information or making fraudulent payments. These emails often exploit urgent matters, such as pending legal action or settlement discussions.
- Business Email Compromise (BEC): This is what happened in the recent R5,5 million cyber-fraud involving ENS Africa, where an invoice was intercepted and the bank details were changed.
- Social Engineering: Impersonators employ social engineering tactics to manipulate victims into divulging confidential information.
‘Crimson Kingsnake’: A case study
In November 2022, researchers identified a new BEC group named ‘Crimson Kingsnake’, which has impersonated several highly respected international law firms — including Allen & Overy, Kirkland & Ellis and Deloitte — to trick recipients into approving overdue invoice payments.
- Impersonating lawyers, threat actors sent invoices for overdue payment of services to clients.
- They then used email spoofing to add legitimacy to the scam. Once a target replies, the actor responds with payment account details in a PDF invoice, including a bill number, bank account details and the company’s actual VAT ID.
- Researchers have observed that when a target resists, an ‘executive’ at the targeted company (written from a new email address with a spoofed display name) puts further pressure on the target.
- Through this fake persona, the attackers “authorize” the target to proceed with the payment.
Analysts at Abnormal Security, who first discovered Crimson Kingsnake activity in March 2022, report having identified 92 domains linked to the threat actor, all similar to genuine law firm sites.
The consequences of law firm impersonation
The consequences of falling victim to law firm impersonation can be far-reaching. Some examples include:
- Financial Loss: Impersonators target individuals involved in legal proceedings and often deceive them into making payments for legal services or settlements. Victims tricked into paying fraudulent accounts can suffer significant financial losses with little to no chance of recovery; because the amounts are often large, this can leave individuals and businesses in financial ruin.
- Breach of Confidentiality: Impersonators who gain access to confidential data — a privacy breach — can exploit it for personal gain, commit identity theft, or use it in further scams.
- Legal Consequences: Impersonation of law firms can lead to inaccurate legal advice or documents, jeopardizing ongoing proceedings. Victims may unknowingly act on misleading information, resulting in legal complications and potential liabilities.
- Damage to Reputation: Both the impersonated law firm and its clients can suffer reputational damage. Clients may lose trust in the firm, leading to potential loss of business, while the law firm’s professional standing may be undermined.
Measures law firms can take to prevent impersonation
Educate your teams and your clients. Train employees and clients to recognize the signs of impersonation attempts, including suspicious emails, websites, and phone calls. Encourage them to verify any communication or payment requests. Educate staff members on cybersecurity best practices and the dangers of phishing attempts.
Consider moving sensitive conversations to a secure portal. Email communication is an important tool for business but is an attack surface that is easy to exploit. Using a secure channel to communicate sensitive information can be useful.
Implement DMARC. DMARC verifies the source of an email message and tells receiving mail servers what to do with messages that fail that check. It’s an additional security check to ensure that only legitimate emails are sent from your domain, while also giving you full visibility of who is sending on your behalf. This means you are able to see details like source countries, authorized vs unauthorized domains and more.
Regularly assess your cybersecurity. Conduct regular assessments of your law firm’s IT infrastructure to identify and address vulnerabilities. Implement robust security measures, including strong passwords and regular software updates.
Add two-factor authentication. Two-factor authentication adds an extra layer of security to the login process, protecting the account even if the password is compromised.
Regularly audit your environment for suspicious logins. Most modern email platforms show you where the IP addresses that your users log in from are geo-located. This information can be very useful in identifying potential malicious actors – after all, if all your users are based in South Africa, for example, you shouldn’t be seeing logins from Iran or the United States or any other region for that matter.
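The check described above is simple enough to automate over an exported sign-in log. The script below is an added example and not part of the article or of any Sendmarc product: it reads constructed sign-in events in a made-up `key=value` line format (users, IP addresses from the documentation ranges, and countries are all invented), flags successful logins from outside an expected-country list, and also flags a user who succeeds from two different countries within a short window, which is a stronger signal than a single foreign login.

```python
"""Audit sign-in events for logins from unexpected countries.

Added illustration. The log lines below are constructed; real platforms
export different field names, so parse_login_line would be adapted.
"""
from datetime import datetime, timedelta

# Constructed sample events. Addresses are from the RFC 5737 documentation
# ranges; the country is the geolocation the email platform reports for the IP.
SAMPLE_LOGINS = """\
2024-05-02T08:14:03Z user=alice@firm.example ip=192.0.2.10 country=ZA result=success
2024-05-02T08:20:41Z user=bob@firm.example ip=192.0.2.11 country=ZA result=success
2024-05-02T08:31:05Z user=alice@firm.example ip=203.0.113.7 country=IR result=failure
2024-05-02T08:33:19Z user=alice@firm.example ip=203.0.113.7 country=IR result=success
2024-05-02T09:02:55Z user=carol@firm.example ip=198.51.100.4 country=US result=success
2024-05-02T09:40:12Z user=bob@firm.example ip=192.0.2.11 country=ZA result=success
"""

# Where the firm's staff actually work; anything else is worth a look
EXPECTED_COUNTRIES = {"ZA"}
# Two successful logins from different countries this close together are suspicious
TRAVEL_WINDOW = timedelta(hours=1)


def parse_login_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    timestamp, *pairs = line.split()
    event = {"time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def audit_logins(log_text: str, expected=EXPECTED_COUNTRIES, window=TRAVEL_WINDOW) -> list:
    """Return alerts as (user, reason, detail, ip) tuples.

    Only successful logins raise alerts: a failed attempt from abroad is
    noise, a successful one means the password was accepted.
    """
    events = [parse_login_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    last_success = {}  # user -> (time, country) of the most recent successful login

    for event in sorted(events, key=lambda e: e["time"]):
        if event["result"] != "success":
            continue
        user, country, ip = event["user"], event["country"], event["ip"]

        if country not in expected:
            alerts.append((user, "unexpected_country", country, ip))

        previous = last_success.get(user)
        if previous and previous[1] != country and event["time"] - previous[0] <= window:
            alerts.append((user, "country_change_within_window", f"{previous[1]}->{country}", ip))

        last_success[user] = (event["time"], country)

    return alerts


if __name__ == "__main__":
    for user, reason, detail, ip in audit_logins(SAMPLE_LOGINS):
        print(f"{user}: {reason} ({detail}) from {ip}")
```

In the sample data the script raises three alerts: alice’s successful login from IR, the same login as a ZA-to-IR change within the hour, and carol’s login from US. bob never appears because all of his logins come from the expected country. A real deployment would also account for staff who travel and for VPN egress points, which is why the expected-country list is a parameter rather than a constant.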
The impersonation of law firms is a growing threat that can have severe consequences for individuals and businesses alike. By understanding the methods used by cybercriminals and implementing preventive measures, we can minimize the risks associated with law firm impersonation. Using a platform like Sendmarc gives you full visibility into your email sending environment so that you can actively defend and protect your domains – and your clients.
DMARC requires continuous monitoring and updating to ensure maximum compliance and deliverability. Contact us to learn more about how we can help you achieve the highest and safest states of email security.