77% of Legal firms lost £4m of clients’ money to Cyber Attacks

Picture the scene: you’re working with a client to complete their new home and the last step is for the mortgage provider to release the funds. You’re informed that the money is on its way, but nothing arrives. The funds have instead been intercepted by a cybercriminal and are now in their bank account.

Legal firms handle large financial transactions and send and receive bundles of sensitive client information every day. To control this volume of data, legal firms rely on digital technology and systems to carry out daily tasks including online bank transfers, automated identity checks or simple emails from the firm to their clients.

A 2021 report by the Solicitors Regulation Authority showed that 75% of the firms included in the report had been the target of a cyber attack. Alarmingly, in the remaining cases, the firms reported that cybercriminals had directly targeted their clients during a legal transaction.

The report also went on to reveal that 23 of the 30 cases in which firms were directly targeted saw a total of more than £4m of client money stolen. Whilst £3.6m of this was ultimately claimed against insurance policies, a further £400,000 had to be repaid directly from the firms’ own money. These figures do not take account of the wider cost of such incidents to firms, in damage to client relationships, lost time and higher insurance premiums.

The financial impact of a loss of data is more difficult to calculate, but such losses often result in further indirect financial costs. For example, one firm lost around £150,000 worth of billable hours following an attack that crippled its system.

Firms also report that attacks are not isolated incidents. Two large firms reported that they had been targeted hundreds of times a year, although the vast majority of these attacks were not successful.

Twenty-three firms had informed law enforcement following their last cybercrime incident.

These included incidents where:

  • A client transferred £70,000 to a cybercriminal

  • A £70,000 bank transfer was made to a fraudster in an unrelated incident by a separate client

  • A solicitor transferred £340,000 to a fraudster

Cyber security is an issue for any process which is wholly or partially reliant on technology, including those facilitated online, via email or through the use of any computer or device.

How can the EMCRC help legal and financial sector businesses?

To help legal and financial sector businesses outsmart cybercriminals and toughen up their cyber security, the East Midlands Cyber Resilience Centre has been established to provide businesses from all sectors and of all sizes with an affordable way to access cyber security services designed to help improve cyber resilience.

We offer a Premium Membership to medium-sized businesses, and becoming a member will enable you to receive a welcome pack full of practical resources and tools, designed to help you identify your risks and vulnerabilities and the steps you can take to increase your levels of protection, whilst also giving your staff security awareness training and testing their knowledge through a phishing exercise.

This membership also has the advantage of our cyber risk exposure assessment. This service helps to identify any known vulnerabilities, misconfigurations and outdated/obsolete service issues present across any internet-facing services. Through your membership, you will also get regular updates on new threats, designed to help you stay safer.

Do you have Cyber Essentials Certification?

We work with a network of official Cyber Essentials providers (known as our Trusted Partners). These Trusted Partners can help you achieve the Cyber Essentials and Cyber Essentials Plus Certification.

Cyber Essentials provides that first step in demonstrating cyber security without having to comb through complicated paperwork and jargon.

A Cyber Essentials certification covers the basic technical controls that will help prevent the most common, commodity attacks.

The certification is broken down into 5 control areas:

  • Access Control looks at how businesses can ensure that employees have the correct access levels for their roles and how access permissions should be monitored and checked regularly.

  • Secure Configuration looks at how businesses implement security measures when setting up or installing new computers and network devices, to reduce unnecessary cyber vulnerabilities.

  • Software Updates are essential for effective cyber security. This control area looks at how cybercriminals can exploit vulnerabilities that are exposed by out-of-date software. When a new update is released, attackers will quickly identify the underlying vulnerability in the application and release malware to exploit it.

  • Malware Protection looks at how businesses can help spot the signs of malicious activity and keep themselves out of the paths of cybercriminals.

  • Firewall and Routers look at how a firewall provides a defence barrier between your network and the internet and how this is key in protecting your devices.

Learn more about the Cyber Essentials Scheme. Note: the NCSC and IASME will implement an updated set of requirements for Cyber Essentials on January 24. More information about the scheme can be found at



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
