Phishing Protection for Your Law Firm
6 min read

Phishing, Spear Phishing, and Whaling: Protect Yourself and Your Law Firm

Free on-demand webinar

How to Get Clients to Pay On Time: 15 Tips in 15 Minutes!

Watch Now

Recommended by

ForbesAdvisor - The Best Legal Billing Software Of 2022

Learn How You Can Get More Reviews For Your Law Firm

Download free guide
6 min read

Law firms are major targets for cyber hackers. They recognize that law firm servers can contain extremely valuable data, from bank and medical records to business trade secrets and even classified government documents. Hackers want access to this information, so they take great strides to get it.

Some small and solo legal practitioners mistakenly believe that they are small enough to stay below the radar of cyber attackers. This simply is not true though. According to one ABA article, small and midsize firms are even more desirable targets for hackers. They know that these smaller practices have budget limitations that may preclude them from implementing adequate infrastructure and staff training for the prevention of cyber attacks.

While cyber attacks can come in various forms, there are some strategies that tend to get used more often than others. Phishing, spear phishing, and whaling are three types of social engineering attacks used to steal secure data. Let’s look at how these tactics work and what you can do to protect yourself and your legal practice.



Phishing refers to cyber attack attempts that target a broad audience by tricking people into sharing personal data. Attackers disguise themselves as trusted sources and send emails asking for specific information. For example, the attacker may send an email disguised as the victim’s internet provider, requesting bank account information for a billing problem. The recipient, believing that the email is legitimate, provides their bank account number to the attacker who then uses that information for personal and financial gain. Phishing can take the form of emails, text messages, and even social media with the purpose of stealing information from as many victims as possible.


Spear phishing

Spear phishing takes a more specific approach, targeting a particular individual or organization. In these scenarios, an attacker may pretend to be a family member or other person known to the victim. These types of attacks may take longer to implement because attackers work to appear as legitimate as possible, creating false letterhead, signatures, and addresses in their communications. Some common spear phishing examples include:

  • An email from a business partner asking for payment of an attached invoice, which is actually just malware.
  • An emergency situation requiring an immediate transfer of funds.
  • A security alert appearing to come from within the organization, calling for the victim to change his or her password.
  • A message from the company’s HR department, requesting personal information for payroll or W-2 purposes.

Spear phishing is often used as the first step in a more elaborate cyberattack. Attackers use the information gained through spear phishing to launch a more sophisticated and widespread attack.



Whaling takes phishing to another level by targeting high-profile victims. A play on words, “whaling” refers to targeting “the big fish” within a company or organization. Some examples may include politicians, CEOs, or celebrities. It uses spear phishing strategies to collect large amounts of data at one time.


Protecting your law firm

When working to protect your law firm from phishing attacks, there are a number of steps you can take to lessen your vulnerability. But your law firm members and staff are always your first line of defense. Human error is a major contributor to the vast number of cyber attacks that occur each year. If your employees cannot recognize suspicious emails or messages, they may unknowingly hand over confidential data to hackers.

According to a 2017 report, 82% of employees open email attachments that appear to be from a familiar contact. This is why it is extremely important to properly and consistently train your staff on identifying potential threats and handling them correctly. Give them the tools to recognize subtle warning signs, and what steps to take in response to data requests.

For example, firm members can make it a routine habit to check and recheck email addresses of suspicious emails. Maybe the sender’s name is accurate in the message but spelled wrong in the email. Another possibility could be a few letters switched around or left out an email address or domain name. These may seem like small discrepancies. But taking a few minutes to double check can prevent a big data breach.

Another tactic your employees can use is the “hover and review” method. Unbeknownst to most email users, if you hover your mouse over the sender’s email address before opening the email, the sender’s full email address will appear. That way, instead of blindly opening a potentially dangerous email, you can first check to make sure that it is from a legitimate source.

These are just a few examples that demonstrate how proper training can go a long way to protecting your practice against phishing tactics.


Security measures

Now that you have your staff fully trained, it’s time to make sure your internal security measures are up to the task of keeping you and your firm protected. Whether you are starting from scratch or working to improve the measures you already have in place, here are some strategies that experts recommend for keeping the hackers away.

  • Email filters – Law firms receive tons of emails every single day. With an email filter in place, each of these messages will be scanned and approved (or denied) before entering your network. This tactic lessens the likelihood of phishing emails ever reaching your staff members.
  • Up-to-date malware and anti-virus programs – These programs can be extremely useful in the prevention of cyber attacks, but only if they are kept updated. Cyber attacks are constantly changing, and an old malware protection program is probably not equipped to handle the most recent threats.
  • Password policies – Require all firm members to use strong passwords and change them regularly. A weak password is like an open door to a hacker.
  • Multi-factor authorization – Using a smartphone or another device, this authentication works to ensure that anyone trying to access your systems or email is properly authorized to do so.

Keeping your law firm safe from cyber attacks is your duty. Stay up-to-date on the latest threats and security trends, or at least contract with a vendor who can do it for you. For instance, TimeSolv legal billing and time tracking offers state of the art security measures to minimize the risk from even the most sophisticated threats. Their professionals consistently work to stay up-to-date on these ever-changing risks for you. To learn more about their services, click here for a free 30-day trial.

Whether you are concerned about phishing, spear phishing, or whaling, make sure you have measures in place to protect you and your firm.

About Erika Winston:

Erika Winston is a freelance writer with a passion for law. Through her business, The Legal Writing Studio, she helps legal professionals deliver effective written messages. Erika is a regular contributor to TimeSolv and a variety of other publications. 

Stay up to date with the latest articles, educational resources, and news

Subscribe to our newsletter

You might also like

Increase Your Billable Hours Seven Tactics for Optimizing Your Time

Increase Your Billable Hours: Seven Tactics for Optimizing Your Time

As the writer Annie Dillard says, “How we spend our days is, of course, how we spend our...
How Fixed-Fee Billing Can Enhance Law Firm Profitability

How Fixed-Fee Billing Can Enhance Law Firm Profitability

The traditional hourly billing method has been the default in legal practice for the...
Tip of the Week Streamline Time Tracking with Read-Only Task Code Narratives

Tip of the Week: Streamline Time Tracking with Read-Only Task Code Narratives

This week, we're excited to introduce an enhancement that enables users to make task...
How to Leverage Automation for Faster Billing and Payment Cycles

How to Leverage Automation for Faster Billing and Payment Cycles

Any legal professional or administrator can attest to the fact that creating and sending...
Tip of the Week Introducing the Ability to Mark Expenses as Vendor Paid

Tip of the Week: Introducing the Ability to Mark Expenses as Vendor Paid

In the fast-paced world of legal and professional services, staying ahead requires more...
Embrace Data-Driven Decision-Making with Dashboards

Embrace Data-Driven Decision-Making with Dashboards

Competition is rising in the legal world, alongside mounting client demands. As law...
Tip of the Week Create Consolidated Invoice Groups with Ease!

Tip of the Week: Create Consolidated Invoice Groups with Ease!

In the dynamic world of legal and professional services, staying ahead often means...
Tip of the Week Introducing Unique ID for Time Entries

Tip of the Week: Introducing Unique ID for Time Entries

In the fast-paced world of professional services, managing time efficiently is paramount...
Take Your Law Firm’s Expense Tracking to the Next Level

Take Your Law Firm’s Expense Tracking to the Next Level

When it comes to your legal firm’s success, every minute counts—and so does every...
Five Mid-Year Mistakes Every Law Firm Makes and How to Fix Them

Five Mid-Year Mistakes Every Law Firm Makes and How to Fix Them

It’s official: we’ve made it halfway through 2023. And while there’s not a big mid-year...