Phishing Is Getting Smarter and It’s Targeting Law Firms


Guest Author

Scott Reece, Head of IT, X-Press Legal Services

Phishing might once have seemed like a distant or obvious threat, but in 2024/25, it has become more sophisticated, more personal and a far greater threat to law firms.

Phishing is the act of tricking individuals into revealing sensitive information such as passwords, payment details, or login credentials by posing as a trustworthy source. It often comes in the form of emails, texts or even phone calls that appear genuine but are designed to deceive.

Today’s cybercriminals aren’t just blasting out generic scam emails; they’re using advanced social engineering, AI tools and detailed personal data to create convincing, targeted attacks that catch even the most vigilant professionals off guard. And the scale is staggering:

  • Over 3 billion phishing emails are sent globally every day
  • 84% of UK businesses were affected by phishing in 2024
  • 74% of data breaches involved human error 
  • AI-assisted phishing attacks are rising fast, with some boasting success rates over 50%

No industry is immune, and in the legal sector the reputational risk, regulatory consequences and duty of client confidentiality make phishing a particularly high-stakes threat. As phishing grows more targeted and harder to spot, it has never been more important to raise awareness and equip employees with the knowledge to stay safe.

Case study: Marks & Spencer Cyber Attack 

Earlier this year, Marks & Spencer suffered a major cyber-attack, traced back to phishing. Attackers gained access through a third-party supplier by tricking staff into handing over login credentials. Once inside, the damage was swift and severe: 

  • Personal customer data, including names, addresses, phone numbers, dates of birth and online order histories, was compromised.
  • Online orders, Click & Collect, and contactless payments were brought to a standstill. 
  • Over 350 customers launched legal action. 
  • The disruption lasted more than six weeks with estimated losses set to exceed £300 million.

This incident highlights that phishing isn’t just about your own email inboxes: a supplier’s phished credentials are a supply chain vulnerability that lands on your doorstep.

Today’s phishing attacks take many different forms. Key techniques include: 

  • Spear-phishing – Highly personalised emails appearing to come from colleagues, clients, or senior staff 
  • Business Email Compromise (BEC) – Fraudulent payment requests or invoice changes that often look legitimate 
  • Smishing and Vishing – Scam text messages and phone calls from attackers posing as banks, HMRC, or even IT support 
  • Quishing – QR codes that lead to fake login portals, seen in emails and even on posters 
  • AI-generated phishing – Convincing, well-written phishing messages created by AI tools 
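
The spear-phishing and BEC entries above describe indicators that can be checked mechanically before a message ever reaches a fee earner: a display name that matches a colleague but an address that does not, a sender domain that only looks like the firm’s, a Reply-To that quietly redirects the conversation elsewhere, and payment-change language wrapped in urgency. The script below is an added example written for this page, not code from the original article or from X-Press Legal Services; the firm domain, staff directory, keyword lists and the two sample emails are all constructed for the demonstration, and the look-alike test generalises slightly beyond the text by also folding common character substitutions (rn for m, 1 for l).

```python
"""Heuristic triage of a raw email for spear-phishing and BEC indicators.

Added example for this page; not from the original article. The firm
domain, staff directory, keyword lists and sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.co.uk"                                  # assumed firm domain
STAFF_DIRECTORY = {"Jane Smith": "jane.smith@example-law.co.uk"}   # assumed directory
PAYMENT_TERMS = ("bank details", "new account", "sort code", "iban", "invoice")
URGENCY_TERMS = ("urgent", "today", "immediately", "before 5pm")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e' reads as 'example'."""
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(bad, good)
    return domain


def is_lookalike(domain: str, target: str) -> bool:
    """True when domain is not target but is one edit or a homoglyph swap away."""
    if domain == target:
        return False
    return fold_homoglyphs(domain) == fold_homoglyphs(target) or levenshtein(domain, target) <= 1


def triage(raw: bytes) -> list[str]:
    """Return the indicators found in a raw RFC 5322 message; empty means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Display name belongs to a known colleague but the address does not match.
    expected = STAFF_DIRECTORY.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_addr}")

    # 2. Sender domain is a look-alike of the firm's own domain.
    if is_lookalike(from_domain, FIRM_DOMAIN):
        findings.append(f"look-alike domain: {from_domain} vs {FIRM_DOMAIN}")

    # 3. Replies are redirected to a different domain than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 4. Payment-change language typical of BEC, plus pressure to act quickly.
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + str(msg.get("Subject", ""))).lower()
    hits = [t for t in PAYMENT_TERMS if t in text]
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))
    if any(t in text for t in URGENCY_TERMS):
        findings.append("urgency pressure")
    return findings


# Constructed sample: a BEC attempt impersonating a partner from a typosquatted domain.
SAMPLE_BEC = b"""From: Jane Smith <jane.smith@examp1e-law.co.uk>
Reply-To: accounts@mail-handler.example
To: finance@example-law.co.uk
Subject: Urgent: supplier bank details change
Content-Type: text/plain; charset=utf-8

Hi, please update the bank details for the Harper conveyancing invoice before 5pm today.
New account is at a different sort code. Thanks, Jane
"""

# Constructed sample: a benign internal message from the genuine address.
SAMPLE_OK = b"""From: Jane Smith <jane.smith@example-law.co.uk>
To: finance@example-law.co.uk
Subject: Lunch on Friday
Content-Type: text/plain; charset=utf-8

Shall we book somewhere for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_OK)):
        print(label, "->", triage(raw) or ["no indicators"])
```

None of these checks is conclusive on its own; a genuine colleague may mail from a personal address, and genuine invoices do change. The value is in combining them: a message that trips the impersonation, look-alike and reply-to checks together should be routed to the reporting procedure described later on this page rather than to the person being asked to pay.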

We’re also seeing increased use of Open Source Intelligence (OSINT), where attackers gather publicly available information to tailor their approach. This might include mining company websites, LinkedIn profiles, regulatory filings and social media accounts for names, roles, reporting lines and current matters. The details gathered in this reconnaissance are then used to craft believable messages aimed at specific individuals inside a firm.

What You Can Do 

You don’t need to be a tech expert to help protect your firm; simple steps can make a big difference. Always be cautious of unexpected messages, especially those asking for login details, password resets, or payments. Never scan QR codes from unverified emails or unfamiliar sources.

If something doesn’t feel right, don’t act on it – report it. Use your firm’s official reporting procedures for suspicious emails rather than just deleting them, so that potential threats can be properly investigated and the wider team can stay informed.

Regularly review who has access to systems and sensitive information, including any third-party suppliers. Sharing best practices and raising awareness across your team is essential. Cybersecurity is everyone’s responsibility, and vigilance at every level helps protect the entire business.

Next Steps 

We recommend all firms review their cyber awareness training, incident reporting procedures, and supplier access controls, particularly in light of recent incidents like the M&S breach. 

At X-Press Legal Services, we take our own risk and compliance responsibilities seriously, and yours too. To request a copy of our Data, Risk & Compliance Credentials, please email: hello@xpresslegal.uk