
Cybercriminals are waging a relentless assault on the legal sector, and many law firms are dangerously unprepared, according to a new report from cybersecurity awareness training and human risk management company NINJIO. Titled “Law and Disorder: How Cybercriminals Are Attacking the Legal Sector and What Can Be Done to Stop Them,” the report reveals how cybercriminals are exploiting legal professionals, associations, and third parties, and how they often use AI-powered social engineering and phishing tactics to do so.
The legal industry’s access to sensitive data — including intellectual property, M&A details, and client communications — makes it a prime target. The report details recent breaches at top-tier firms like Orrick and Gunster and exposes how hackers infiltrate the legal ecosystem through third-party vulnerabilities, malware disguised as legal documents, and business email compromise (BEC) schemes.
“Law firms aren’t isolated fortresses; they’re connected hubs of valuable information,” says Matt Lindley, Chief Innovation and Information Security Officer at NINJIO. “That makes the legal supply chain an attractive target. As AI-powered phishing becomes more sophisticated, security strategies must evolve fast.”
Joshua Ray, founder of cybersecurity firm Blackwire Labs and a former Department of Defense cybersecurity expert, adds: “Law firms are now high-value nodes in broader threat campaigns. Attackers are no longer opportunistic — they’re launching targeted, multimillion-dollar operations that exploit specific legal industry vulnerabilities.”
Among the key findings:
- 29% of law firms experienced a breach in 2023, and 60% of large firms did not know whether they had.
- AI is revolutionizing social engineering, allowing attackers to impersonate clients, courts, and regulators with near-perfect legal language.
- Third-party breaches — such as the State Bar of California’s vendor leak — are surging, with supply chain attacks up 68% from 2023 to 2024.
- Cybercriminals are using malware platforms to trick lawyers into downloading fake legal documents.
Lindley asserts: “Traditional defenses are no longer enough. Law firms must take the human element seriously. In the AI era, training that mirrors real-world attack scenarios isn’t just helpful — it’s essential.”
Call to Action:
To defend against this rapidly evolving threat landscape, the company urges legal organizations to:
- Conduct continuous cybersecurity risk assessments and third-party audits.
- Build a robust incident response plan (only one-third of law firms have one).
- Deploy relevant, personalized, and engaging cybersecurity awareness training across all roles, from senior partners to support staff.
Download the Full Report by visiting NINJIO’s website.
NINJIO is a human risk management solution that reduces cybersecurity risk through personalized and engaging awareness training and phishing simulations. The NINJIO platform uses data on individuals' emotional vulnerabilities, learning styles, and security behavior to develop personalized learning plans that help organizations improve cybersecurity behavior. Our multi-pronged approach to training focuses on the latest attack vectors to build employee knowledge and the behavioral science behind social engineering to coach users' cybersecurity behavior.