NSP Insights for NZ Businesses

Why Law Firms Are One of the Most Targeted Industries in NZ Right Now

Written by Dayna-Jean Broeders | May 19, 2026 9:50:22 PM


A couple buying a house received an email from what appeared to be their law firm. The email contained bank account details and a request to deposit $270,000 into a trust account ahead of settlement.

A bank teller became suspicious. The transaction was stopped. But the same account number had already been used in two other scams - netting attackers $250,000 before anyone noticed.

The law firm's email had been compromised. The firm had no idea.

This isn't an overseas case study lifted from a security textbook. It happened in New Zealand, was confirmed by police, and was reported to Law News in 2025 - during a period when the NCSC was logging attacks against NZ law firms on an almost daily basis.

The NCSC's threat and incident response team lead put it directly: there were concerns some firms may not have realised their systems had already been hacked.

If you're running a law firm in New Zealand - or you're thinking about working with one - this post explains exactly why the legal sector has become one of the highest-value targets for cybercriminals, what the attacks actually look like, and what protection genuinely requires.


Why Law Firms Are Worth Targeting

Attackers are rational. They go where the combination of value and access is highest.

Law firms tick both boxes in a way very few other businesses do.

The money is large and moves fast

Property transactions routinely involve hundreds of thousands of dollars passing through trust accounts. Commercial settlements involve more. Litigation recoveries, estate distributions, business acquisitions - the financial transactions that move through a law firm's systems in a single month dwarf what passes through most other SMEs in a year.

The NCSC is explicit about this: law firms handle accounts containing large sums of money, and that makes them attractive targets. So are real estate agencies, for the same reason - the Q1 2025 NCSC Cyber Security Insights report specifically called out both sectors as frequently targeted because of their exposure to large financial transactions.

When a business email compromise attack is successful against a law firm, the payoff isn't a few thousand dollars. It's a settlement payment. A deposit. A trust account disbursement. The scale of what's at stake is why attackers invest time and sophistication in targeting the legal sector specifically.

The data is extraordinarily sensitive

Beyond the money, law firms hold data that doesn't exist anywhere else.

Confidential client communications. Litigation strategy. Evidence. Personal information about clients that carries significant legal privilege. Commercial agreements. Wills and estates. In the New Zealand Law Society's own words: "the storage of personal and sensitive information on clients is an integral part of the work of a lawyer."

This creates two distinct attack motivations. Some attackers want the money - they'll target trust accounts and financial transactions. Others want the data - for blackmail, for competitive intelligence, for sale on dark web markets, or as a stepping stone to larger targets through the firm's client network.

A single successful breach of a law firm's systems can yield both.

Lawyers are high-value impersonation targets

Trust is the core of what a law firm sells. Clients act on instructions from their lawyers. They transfer money when asked. They provide sensitive information when requested. They sign documents on their lawyer's advice.

That trust relationship is exactly what attackers exploit.

When a criminal gains access to a lawyer's legitimate email account, they're not just getting email. They're getting a trusted identity - one that clients will respond to, follow instructions from, and transfer money to without questioning. The impersonation value of a compromised law firm account is significantly higher than the equivalent access to most other businesses.

Many firms rely on external IT providers - with varying results

The NCSC specifically noted this in their Q1 2025 insight on law firms: many practices, particularly smaller ones, use external IT providers for their systems. This isn't inherently a problem but it does mean that the security of the firm's environment depends on the quality, engagement, and security focus of whoever that provider is.

A generalist IT provider who handles everything from printers to servers may not have the specific cybersecurity capability that a firm handling large financial transactions requires. The gap between "IT support that keeps things running" and "security that actively protects against targeted attacks" is significant, and law firms that haven't explicitly addressed that gap are more exposed than they realise.


What the Attacks Look Like

Understanding the attack methods matters because the defences follow from the method. The two dominant threats facing NZ law firms right now are business email compromise and ransomware.

Business Email Compromise (BEC)

BEC is the attack the NCSC flagged as the most common and most damaging type targeting NZ law firms. It's worth understanding it in detail because it's more sophisticated than most people expect and because the traditional advice about "spotting suspicious emails" is increasingly inadequate.

How it works:

The attacker gains access to a legitimate email account - either by compromising a lawyer's credentials through phishing, or by creating a lookalike address that closely resembles the real thing. Once inside, or convincingly impersonating the account, they monitor communications to understand what transactions are in progress.

When a large payment is approaching - a property settlement, a trust disbursement, a commercial transaction - they make their move. A fake invoice. A revised payment instruction. An urgent request to change bank account details ahead of settlement. The email comes from what looks like the lawyer's real address, references the real transaction, and uses language consistent with previous correspondence.

The client, or the firm's accounts team, transfers the money. It goes to the attacker's account. By the time anyone realises, the funds are gone - typically offshore, typically unrecoverable.

Why it's getting harder to spot:

The NCSC specifically called out AI-assisted writing tools as a factor making BEC attacks more difficult to detect. The badly-written, oddly-phrased phishing emails of five years ago are increasingly rare. Modern BEC attacks are grammatically correct, tonally consistent with the sender's known communication style, and contextually accurate - referencing real transactions, real client names, real matter details gathered from monitoring the compromised account.

AI has also enabled voice cloning, with attackers now capable of making phone calls that sound like the lawyer or a trusted colleague, applying additional pressure to transfer funds or provide information.

The NZ-specific BEC example from Law News illustrated the evolution precisely: the attack referenced a real transaction, used plausible bank account details, and was good enough to fool the clients. It took a suspicious bank teller - not any security control - to stop it.

The social engineering element:

Beyond the technical access, BEC attacks exploit professional culture. Urgency is a feature of legal work - deadlines matter, settlements are time-sensitive, clients are waiting. Attackers time their interventions precisely for moments of high pressure when verification shortcuts are most likely.

The NCSC's example from their Q1 2025 insight told this story explicitly: a fake message from "Cathy" to "Tim" referencing a real client's name, requesting an urgent payment. Tim didn't call to verify. He paid. The money was gone.

Ransomware

Ransomware attacks on law firms follow the same pattern described in our post on why NZ small businesses are getting hit with ransomware but with amplified consequences.

When a law firm's systems are encrypted by ransomware, it's not just email and files that are affected. It's matter management systems, client records, court documents, time recording, billing - every operational system the firm depends on to function.

The double extortion model is particularly damaging for law firms. Attackers don't just encrypt your data - they steal it first. For a law firm, the threat of publicly releasing confidential client communications, legal advice, or sensitive personal information creates leverage that goes beyond operational disruption. It threatens the legal professional privilege that is fundamental to the lawyer-client relationship.

Clients whose confidential information is at risk of exposure will ask whether the firm can be trusted with their matter. That question, once asked, is difficult to answer reassuringly.


The Regulatory and Professional Obligations Layer

Cybersecurity for law firms isn't just a business risk question. It's a professional and legal obligations question.

Privacy Act 2020 - Law firms store significant volumes of personal information about clients. A breach that exposes that information triggers notifiable privacy breach obligations - the firm may be required to notify affected individuals and the Privacy Commissioner. Handled poorly, this creates additional reputational and legal exposure on top of the original incident.

Lawyers and Conveyancers Act obligations - Lawyers have duties of confidentiality that are fundamental to the professional relationship. A breach of client confidentiality - whether through a cyberattack or inadequate security practices - has professional conduct implications that go beyond the Privacy Act. The New Zealand Law Society has published guidance on cybersecurity precisely because the obligations are real and the consequences of getting it wrong are serious.

Trust account obligations - Trust accounts are subject to specific regulatory requirements under the Lawyers and Conveyancers Act. Funds held in trust belong to clients. A successful attack that redirects trust account funds creates legal obligations that are complex, urgent, and expensive to resolve - including potential personal liability for the lawyers involved.

Client duty of care - Courts have shown willingness to find liability where businesses failed to take reasonable precautions against BEC and similar attacks. For a law firm that handles significant client funds, the standard of "reasonable precautions" in 2026 includes the kinds of security controls that were optional five years ago.


What Inadequate Security Costs a Law Firm

The direct financial cost of a successful attack is the most visible part. The $250,000 stolen in the Waikato property transaction scams is the number that makes headlines. But the full cost of a significant security incident for a law firm extends well beyond the immediate financial loss.

Recovery costs - Forensic investigation to understand what was accessed and when. IT remediation to secure compromised systems. Legal advice on the firm's own obligations. Notification costs. These expenses compound quickly and are often not fully recoverable through cyber insurance if the required security controls weren't in place.

Client notification and relationship damage - Telling a client that their confidential information may have been accessed, or that funds they transferred ended up in a criminal's account, is one of the most difficult conversations a firm can have. Some client relationships don't survive it.

Regulatory scrutiny - A significant breach that affects clients, particularly one involving trust account funds, is likely to attract attention from the Law Society. The professional conduct implications depend on the circumstances but "we didn't have adequate security controls" is not a comfortable position to defend.

Reputational impact - Law firms are trust businesses. The reputational damage from a public security incident - particularly one that affected clients financially - can affect new business generation, referral relationships, and talent attraction for years after the technical incident has been resolved.

The NCSC noted that damage to a firm's reputation and clients' confidence can be long-lasting. That's an understatement in the context of professional services where confidentiality is the core product.


What Protection for a Law Firm Requires

The good news is that the defences against the most common attacks are not exotic or expensive. The bad news is that most law firms haven't implemented them consistently.

Multi-factor authentication on email - non-negotiable

Email is the primary attack vector for BEC. If an attacker can access a lawyer's email account with only a username and password - credentials that can be phished, bought on dark web markets, or guessed - the damage from that access can be catastrophic.

MFA means a compromised password alone isn't enough to access the account. A second factor - a code sent to a phone, a hardware token, an authenticator app - is required. Of these, SMS codes are the weakest; an authenticator app or a hardware security key holds up better against phishing. This single control stops the vast majority of credential-based email compromises.

The NCSC's specific advice for law firms: ensure staff use strong, unique passwords and that MFA is enabled to protect critical business systems. This should be the first thing any firm addresses if it isn't already in place.

Email security monitoring and configuration

Beyond MFA, email systems need active security management. Auto-forwarding rules - which attackers set up to silently copy all incoming email to an external account - should be audited regularly. Unusual login activity should trigger alerts. Anti-spoofing controls (SPF, DKIM, DMARC) should be configured and enforced so that mail forging the firm's own domain is rejected by recipients; note that they do not cover lookalike domains (a separately registered domain one character away from the real one), which need their own monitoring.

Secure email services that go beyond basic Microsoft 365 or Google Workspace defaults are increasingly the standard for professional services firms handling sensitive transactions.
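The SPF and DMARC part of that configuration can be checked mechanically. The script below is an added example for this post, not NSP's or the NCSC's code: it parses the two DNS TXT records and reports the weak settings a BEC-focused review would flag (a softfail `~all`, a `p=none` monitoring-only DMARC policy, partial `pct`, no reporting address). The domains `weak-firm.example` and `hardened-firm.example` and their records are constructed for the demonstration; to audit a real domain, replace the lookup function with a DNS TXT query. DKIM is not checked here because its selectors are per sending service.

```python
"""Evaluate whether a domain's SPF and DMARC records are in an enforcing state.

Added example, not the page author's or the NCSC's code. The records below are
constructed; swap `txt_lookup` for a real DNS TXT query to audit a live domain.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample TXT records: a weak configuration beside a hardened one.
SAMPLE_RECORDS: Dict[str, Dict[str, List[str]]] = {
    "weak-firm.example": {
        "weak-firm.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
        "_dmarc.weak-firm.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-firm.example"],
    },
    "hardened-firm.example": {
        "hardened-firm.example": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc.hardened-firm.example": [
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-firm.example; adkim=s; aspf=s"
        ],
    },
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if not match:
        return None
    return match.group(1) or "+"   # a bare 'all' means '+all' (pass everything)


def assess_domain(domain: str, txt_lookup: Callable[[str], List[str]]) -> List[str]:
    """Return a list of findings; an empty list means SPF and DMARC are enforcing."""
    findings: List[str] = []

    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; any server can claim to send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as a permanent error")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier is None:
            findings.append("SPF: no terminal 'all' mechanism; unlisted senders are not failed")
        elif qualifier == "~":
            findings.append("SPF: softfail (~all); receivers may still deliver spoofed mail")
        elif qualifier != "-":
            findings.append(f"SPF: '{qualifier}all' does not fail unauthorised senders")

    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM failures are not acted on")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none")
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in tags:
            findings.append("DMARC: no rua address; nobody sees who is spoofing the domain")
    return findings


def assess_sample(name: str) -> List[str]:
    """Run the assessment against one of the constructed sample domains."""
    records = SAMPLE_RECORDS[name]
    return assess_domain(name, lambda qname: records.get(qname, []))


if __name__ == "__main__":
    for sample in SAMPLE_RECORDS:
        print(sample, assess_sample(sample) or ["no findings"])
```

The weak domain produces two findings (softfail SPF and a monitoring-only DMARC policy); the hardened one produces none. Both records are plain TXT lookups, so the same check can run against any domain the firm sends mail from.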

Payment verification procedures - the human layer

Technical controls stop technical attacks. But BEC attacks that use genuinely compromised accounts, or that are sophisticated enough to bypass technical filters, require human verification as a backstop.

The single most effective non-technical control against payment fraud is a mandatory verbal verification procedure for any change to payment instructions or any large transaction. Not email confirmation - phone verification to a known number, not a number provided in the suspicious communication.

Davenports Law implemented exactly this after the wave of attacks became public: a notice to clients asking them to call reception to verify bank account details before making any payment to the trust account. That's the right approach - low friction, high effectiveness.

Staff security awareness training

The NCSC was direct: staff need training on how to identify and report unusual or suspicious emails. In 2026, that training needs to go beyond "look for spelling mistakes" - because spelling mistakes are no longer reliable indicators of malicious emails.

Security awareness training that includes simulated phishing exercises, social engineering scenarios, and specific guidance on payment verification procedures builds the human layer of defence that technical controls can't fully replace.

Endpoint protection and patch management

Ransomware typically enters through phishing or unpatched vulnerabilities. Endpoint Detection and Response (EDR) across all firm devices - lawyers' laptops, reception desktops, servers - combined with a structured patching schedule addresses the most common entry points.

A security assessment to understand where the gaps actually are

Most law firms don't know exactly what their security posture looks like. They know they have antivirus. They know IT handles the servers. They assume email is secure. A cybersecurity assessment maps the actual state of the environment - where MFA is and isn't deployed, what email security controls are configured, what patch status looks like, where sensitive data is stored and who has access to it.

The assessment isn't the end point. It's the map that tells you what to address first.


Frequently Asked Questions About Cybersecurity for NZ Law Firms

How do attackers get access to a law firm's email in the first place?

Most commonly through phishing - a convincing email that tricks a staff member into entering their credentials on a fake login page. Once the credentials are captured, the attacker logs in to the legitimate account and begins monitoring communications. Credentials are also bought and sold on dark web markets from previous breaches - if a lawyer has reused a password that appeared in a separate data breach, that credential may already be compromised. MFA stops this attack even when credentials are stolen.

If a client transfers money to a fraudulent account based on a fake email from our firm, are we liable?

This is a genuinely complex legal question that depends on the specific circumstances. Courts have shown willingness to find liability where businesses failed to take reasonable precautions against BEC. For a law firm handling client funds, the standard of reasonable precautions is high. Having documented security controls, clear client communication procedures, and verified payment processes significantly strengthens the firm's position. Consult your own legal advisers and professional indemnity insurer on the specifics.

Our IT provider says they handle our security. Is that enough?

It depends entirely on what "handle our security" means in practice. There's a significant difference between an IT provider that keeps systems running and one that actively monitors for threats, manages security configurations, and has specific expertise in protecting high-value targets like law firms. Ask your IT provider specific questions: is MFA deployed on all email accounts? Is email activity monitored for unusual login patterns or auto-forwarding rules? When were security configurations last reviewed? If the answers are vague, that's information.

How do I know if our firm's email has already been compromised?

This is the question the NCSC was asking law firms to answer urgently in 2025 - noting that some firms may not have realised their systems had been hacked. Signs to look for include: emails appearing to have been read before you open them, unexpected auto-forwarding rules, login activity from unfamiliar locations or devices, and client reports of receiving unusual payment requests. The most reliable way to find out is to have someone with appropriate technical expertise audit your email environment specifically for indicators of compromise.
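Two of those indicators, external auto-forwarding rules and sign-ins from unfamiliar places, can be pulled out of a mailbox audit trail automatically. The script below is an added example for this post (not NSP's or the NCSC's code) that covers both the monitoring described under "Email security monitoring and configuration" and the compromise signs listed in this answer. The event records, the firm domain `example-law.co.nz`, the user `tim@example-law.co.nz` and the field names are all constructed for the demonstration; a real audit export (Microsoft 365 unified audit log, Google Workspace login reports) has its own schema, so the field names would be mapped accordingly.

```python
"""Scan a constructed mailbox audit trail for two BEC indicators:
  1. inbox rules that forward mail outside the firm (and hide the original), and
  2. sign-ins from outside the expected countries, or so far apart in so little time
     that one account is clearly being used by two people.

Added example, not the page author's or the NCSC's code. All events, names and
field names are constructed; map them to your platform's audit log schema.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

FIRM_DOMAIN = "example-law.co.nz"      # constructed firm domain
HOME_COUNTRIES = {"NZ", "AU"}          # where staff are expected to sign in from
IMPOSSIBLE_SPEED_KMH = 900             # faster than a commercial flight
MIN_DISTANCE_KM = 100                  # ignore office/mobile jitter inside one city

# Constructed audit trail for one mailbox, oldest first.
EVENTS: List[Dict] = [
    {"ts": "2025-03-03T08:02:00", "type": "signin", "user": "tim@example-law.co.nz",
     "country": "NZ", "lat": -36.85, "lon": 174.76},
    {"ts": "2025-03-03T09:15:00", "type": "signin", "user": "tim@example-law.co.nz",
     "country": "NG", "lat": 6.52, "lon": 3.38},
    # Rule named "." that forwards everything offsite and deletes the original
    {"ts": "2025-03-03T09:20:00", "type": "rule_created", "user": "tim@example-law.co.nz",
     "rule_name": ".", "forward_to": ["tim.backup@mail-drop.example"], "delete_after": True},
    # Legitimate internal forwarding rule for comparison
    {"ts": "2025-03-03T10:00:00", "type": "rule_created", "user": "tim@example-law.co.nz",
     "rule_name": "settlements", "forward_to": ["accounts@example-law.co.nz"],
     "delete_after": False},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def external_forwarding(events: List[Dict]) -> List[Dict]:
    """Rules that forward to any address outside FIRM_DOMAIN.

    A rule that also deletes the original is flagged as hiding evidence: the
    mailbox owner never sees the messages the attacker is reading.
    """
    hits = []
    for e in events:
        if e["type"] != "rule_created":
            continue
        external = [a for a in e["forward_to"]
                    if not a.lower().endswith("@" + FIRM_DOMAIN)]
        if external:
            hits.append({"user": e["user"], "rule": e["rule_name"],
                         "external": external, "hides_original": e["delete_after"]})
    return hits


def suspicious_signins(events: List[Dict]) -> List[Dict]:
    """Sign-ins from outside HOME_COUNTRIES or implying impossible travel."""
    hits = []
    last_by_user: Dict[str, Dict] = {}
    signins = sorted((e for e in events if e["type"] == "signin"), key=lambda e: e["ts"])
    for e in signins:
        reasons = []
        if e["country"] not in HOME_COUNTRIES:
            reasons.append(f"sign-in from {e['country']}")
        prev = last_by_user.get(e["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(e["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # Flag when the distance could not have been covered in the elapsed time
            if km > MIN_DISTANCE_KM and km > IMPOSSIBLE_SPEED_KMH * hours:
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        if reasons:
            hits.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
        last_by_user[e["user"]] = e
    return hits


if __name__ == "__main__":
    for hit in external_forwarding(EVENTS) + suspicious_signins(EVENTS):
        print(hit)
```

On the constructed trail the script reports one external forwarding rule (the "." rule, which also deletes originals) and one sign-in that is both from an unexpected country and impossibly far from the previous one. The internal "settlements" rule and the Auckland sign-in are not flagged, which is the distinction that keeps this kind of check usable day to day.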

What should we do if we discover our email has been compromised?

Act immediately. Change all affected account passwords. Enable MFA if it isn't already active. Contact your IT provider to conduct a full audit of what was accessed and when. Notify affected clients promptly - both as a matter of professional obligation and to give them the opportunity to stop any pending transactions. Report the incident to the NCSC at ncsc.govt.nz. Contact your professional indemnity insurer. Document everything with timestamps from the moment you discover the compromise.

Is cyber insurance worth it for a law firm?

Yes - but only if the security controls it requires are genuinely in place. As we covered in our post on the security baseline every NZ business needs before buying cyber insurance, insurers are denying an increasing proportion of claims where required controls weren't maintained. For a law firm, the controls underwriters specifically look for - MFA on email, documented patching, tested backups, an incident response plan - are also the controls that prevent the most common attacks. The insurance and the security work reinforce each other.

What's the NCSC guidance specifically for law firms?

The NCSC published a specific insight piece on law firms in their Q1 2025 Cyber Security Insights report titled "Objection! Law firms in the cyber crosshairs." They also issued a specific alert through Own Your Online advising law firms to check email systems for compromise. Both are worth reading. The core guidance is consistent: enable MFA, audit email configurations, train staff, and report incidents to the NCSC regardless of how minor they seem.


Is Your Business Protected?

Most businesses find out they weren't when it's too late.

A free security consultation with NSP takes 30 minutes. We work with law firms and professional services businesses across New Zealand, and we understand the specific threat environment the legal sector is operating in right now.

Book your free consultation →

Or call us directly: 0508 010 101
