Security Solutions

Email Security for Law Firms: Stopping Phishing, BEC and Conveyancing Fraud

Law firms run on email. Client instructions, court documents, completion statements, counsel instructions: almost every important communication travels by email. Attackers know this. The email channel carries enormous financial and legal weight, and the time pressure of litigation and transactions discourages the out-of-band verification steps (a phone call to a known number before acting on changed bank details) that would stop most of these attacks cold.

The legal sector has the highest BEC victimisation rate of any UK professional services category, according to Action Fraud data.

The Email Threat Landscape for Law Firms

Law firm email faces four distinct threat types, each requiring different controls:

  • Phishing: emails designed to steal fee earner credentials, increasingly targeted and convincing, referencing real matters and real counterparties
  • Malware delivery: email attachments or links that install malware on fee earner devices, typically PDFs, Word documents with macros, or fake DocuSign links
  • Business Email Compromise: either emails that spoof a legitimate sender (an exact-domain spoof, a lookalike domain or a forged display name) or a genuinely compromised account used to read, intercept and redirect a transaction from the inside
  • Conveyancing fraud: a specific BEC variant in which the attacker, posing as the solicitor or the client, sends altered bank details so that completion funds are paid to an account they control, exploiting the solicitor-client email relationship at the highest-stakes moment

The Technical Controls That Work

Effective law firm email security requires layering controls that address each threat type:

  • DMARC, DKIM, SPF: email authentication standards that let receiving mail servers reject mail claiming to come from your exact domain when it was not sent by you. They protect only your own domain, and only at receivers that enforce DMARC; lookalike domains and display-name spoofing need the controls below. Many firms still publish no record, or a monitoring-only policy (p=none) that blocks nothing
  • Advanced email gateway: analysis that detects phishing, BEC indicators and malicious attachments beyond the basic filtering included with Microsoft 365 and Google Workspace
  • MFA on all email accounts: the single most important control; a compromised password should not mean a compromised account. Prefer phishing-resistant methods (FIDO2 security keys or passkeys), because SMS codes and push approvals can be relayed by adversary-in-the-middle phishing kits that capture the signed-in session
  • Lookalike domain detection: alerts when domains similar to your firm's are registered, a common BEC precursor
  • Account compromise detection: alerts on logins from unusual locations, newly created inbox or mailbox forwarding rules (especially ones that forward externally or delete mail), and mass-download activity indicating account takeover
  • Link sandboxing: checking email links against threat intelligence and detonating unknown destinations in a sandbox before they reach the fee earner
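The account-compromise indicators in the list above are concrete enough to detect. The following is an added example, not code from the page, BlackFog, Microsoft or any other vendor: detection logic run over constructed Microsoft 365 audit records. The field shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follows Exchange Online admin audit events, but every record, address and domain below is made up for the example, and the firm domain is an assumption.

```python
"""Added example, not code from the page or any vendor it names: flag the inbox-rule
and mailbox-forwarding changes that typically follow a mailbox takeover, using
constructed Microsoft 365 audit records."""

import json
from typing import Dict, List

FIRM_DOMAIN = "example-law.test"  # assumed internal domain of the firm

# Inbox-rule parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample audit records, one JSON object per line as exported from the audit log.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "UserLoggedIn", "UserId": "a.partner@example-law.test",
                "ClientIP": "203.0.113.10", "ResultStatus": "Success"}),
    # Classic BEC setup: punctuation-only rule name, financial keywords, external forward, delete.
    json.dumps({"Operation": "New-InboxRule", "UserId": "a.partner@example-law.test",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "completion;invoice;bank details"},
                               {"Name": "ForwardTo", "Value": "collect@attacker-mail.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    # Benign rule a fee earner might create: internal move-to-folder, no forwarding.
    json.dumps({"Operation": "New-InboxRule", "UserId": "b.associate@example-law.test",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    # Mailbox-level forwarding, which survives even if the inbox rule is found and removed.
    json.dumps({"Operation": "Set-Mailbox", "UserId": "a.partner@example-law.test",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collect@attacker-mail.test"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
]


def params(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    """True for any address outside the firm's domain; strips the 'smtp:' prefix Set-Mailbox uses."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and not addr.endswith("@" + FIRM_DOMAIN)


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per record that shows a forwarding or mail-hiding indicator.
    External forwarding is rated high; delete-only or oddly named rules are medium."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        p = params(rec)
        reasons: List[str] = []
        external = False
        if op in ("New-InboxRule", "Set-InboxRule"):
            for name in FORWARDING_PARAMS:
                if name in p and is_external(p[name]):
                    reasons.append(f"{name} to external address {p[name]}")
                    external = True
            if p.get("DeleteMessage", "").lower() == "true":
                reasons.append("rule deletes matching mail (hides the conversation from the victim)")
            if p.get("Name", "").strip() in {".", ",", "-", ""}:
                reasons.append("rule name is empty or punctuation only (typical of BEC tooling)")
        elif op == "Set-Mailbox" and is_external(p.get("ForwardingSmtpAddress", "")):
            reasons.append(f"mailbox-level forwarding to {p['ForwardingSmtpAddress']}")
            external = True
        if reasons:
            alerts.append({"user": rec.get("UserId"), "operation": op,
                           "client_ip": rec.get("ClientIP"),
                           "severity": "high" if external else "medium", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

In production the records come from the unified audit log (Search-UnifiedAuditLog or the Defender portal), and the login event would additionally be compared with the user's usual countries and devices; the example deliberately keeps the benign "Newsletters" rule silent so the alert volume stays useful.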

BlackFog: The Last Line of Defence When Email Security Fails

No email gateway catches everything. When a phishing email delivers malware that reaches a fee earner device, BlackFog is positioned to stop the malware achieving its objective: exfiltrating data or communicating with attacker-controlled servers. It blocks outbound connections to known-malicious infrastructure, cutting off credential submission to blocked phishing sites, ransomware C2 communications and data exfiltration even when the initial phishing email got through. It is an endpoint control and complements the gateway rather than replacing it.

Frequently Asked Questions

Is Microsoft 365 Defender sufficient email security for a law firm?

Microsoft 365's built-in protection (Exchange Online Protection) is a reasonable starting point but has well-documented gaps against advanced phishing, BEC and targeted attacks. Firms on Microsoft 365 should at minimum be licensed for Defender for Office 365 with Safe Links and Safe Attachments enabled and the Strict preset security policy applied, rather than running on the defaults. The NCSC recommends that organisations in high-risk sectors (which includes legal) supplement Microsoft's native security with additional email security controls. For law firms handling client funds and sensitive data, additional controls are strongly advised.

What is DMARC and does my firm need it?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that, together with SPF and DKIM, tells receiving mail servers to reject messages that use your firm's exact domain in the From address but were not sent through your authorised mail systems. Every law firm needs it. A surprising proportion of UK law firms do not have it correctly configured, either publishing no record or a monitoring-only policy (p=none), which means attackers can impersonate your firm to your clients with no technical barrier. NCSC guidance recommends all UK organisations implement DMARC at enforcement (reject) policy. Note that DMARC does nothing against lookalike domains or forged display names; those need lookalike-domain monitoring and gateway controls.
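Checking the records a firm actually publishes is a few lines of parsing. The following is an added example, not code from the page or from any vendor it names: an offline checker for DMARC and SPF records that flags the gaps described under "The Technical Controls That Work" and in this FAQ (no record, p=none, a permissive or over-long SPF, no reporting address). The sample records are constructed for a made-up firm domain; a real check would fetch the TXT records at _dmarc.<domain> and <domain> with a DNS library such as dnspython.

```python
"""Added example, not code from the page or any vendor it names: assess a domain's
DMARC and SPF TXT records against the enforcement configuration the page recommends."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    message: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[Finding]:
    if record is None:
        return [Finding("high", "no DMARC record: receivers cannot tell your mail from a spoof")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "DMARC record is malformed (missing v=DMARC1)")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: spoofs land in junk instead of being rejected"))
    elif policy != "reject":
        findings.append(Finding("high", f"missing or invalid policy tag p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    sp = tags.get("sp", "").lower()
    if sp and sp != "reject":
        findings.append(Finding("medium", f"subdomain policy sp={sp} is weaker than reject"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: you get no reports of who sends as your domain"))
    return findings


# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record: Optional[str]) -> List[Finding]:
    if record is None:
        return [Finding("high", "no SPF record")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "SPF record is malformed (missing v=spf1)")]
    findings: List[Finding] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(Finding("high", "SPF ends in +all: any host on the internet may send as your domain"))
    elif last == "?all":
        findings.append(Finding("medium", "SPF ends in ?all (neutral): effectively no SPF protection"))
    elif last == "~all":
        findings.append(Finding("low", "SPF ends in ~all (softfail); -all is stricter once DMARC is at reject"))
    # Strip the qualifier, then take the mechanism/modifier name before ':' or '='.
    names = [t.lower().lstrip("+-~?").replace("=", ":").split(":")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-lookup terms exceed the limit of 10: SPF returns permerror"))
    return findings


def assess_domain(records: Dict[str, Optional[str]]) -> List[Finding]:
    return assess_dmarc(records.get("dmarc")) + assess_spf(records.get("spf"))


# Constructed sample records for a made-up firm domain: the weak set is what many
# firms actually publish, the hardened set is the target configuration.
WEAK = {
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-law.test",
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all",
}
HARDENED = {
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example-law.test",
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", [f"[{f.severity}] {f.message}" for f in assess_domain(recs)] or "no findings")
```

The weak set reports p=none as high and the softfail as low; the hardened set reports nothing. Moving from p=none to p=reject should be done only after reading the aggregate (rua) reports long enough to confirm every legitimate sender (practice management system, e-billing, marketing platform) is covered by SPF or DKIM, otherwise the firm rejects its own mail.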

How do we verify that our email security is actually working?

Periodic phishing simulation exercises, sending fake phishing emails to your own staff, measure what proportion click links or submit credentials, and how many report the email. This data is more useful than any vendor claim. Hadrian can also scan your external email infrastructure to identify configuration gaps including missing DMARC, SPF misconfiguration and exposed email services.

Secure your firm's email from phishing and BEC

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.

