An increasing number of law firms have been publicly warning about the misuse of their names in phishing and cyberattacks. PRK Partners Partner Michal Matejka, Musat & Asociatii Partner Stefan Diaconescu, Gugushev & Partners Partner and Head of Data Protection Yoanna Ivanova, and DLA Piper Hungary Partner and Head of Intellectual Property and Technology Zoltan Kozma discuss the growing trend.
Clickbait to Cloning
“Recent years have seen an increase in phishing and cyberattacks that target law firms specifically, ranging from common clickbait e-mails to more elaborate forms of criminality such as e-mail cloning, invoice forgeries, and apparent client redirected e-mail,” Diaconescu explains. “In general, the larger the law firm, the more common and elaborate the cyberattacks it is subject to.”
Ivanova points to a broader trend, highlighting “a noticeable increase in phishing attempts and other types of cyber threats since the pandemic accelerated digital transformation.” These attacks, she says, “often involve fraudulent emails that appear to come from potential clients or colleagues, aiming to extract sensitive data or gain access to systems. In recent months, there have been numerous reports of attacks that are not directed at lawyers but are disguised as emails from leading law firms alleging violations and asking for some action to be taken by the target.”
Touching on his firm’s own experiences, Kozma highlights DLA Piper’s global cybersecurity risk-management measures, saying that “there has not been any significant rise when it comes to everyday work.” Yet, “we have observed an increase in phishing attempts involving misuse of our firm’s name,” he adds. “These attackers are falsely using DLA Piper’s name in order to obtain personal or financial information from companies and individuals.”
Further illustrating the tactics used by cybercriminals, Matejka adds that “perpetrators, for example, send fake correspondence purporting to have originated from a law firm or are trying to infiltrate computer systems and networks operated by law firms.”
Why Law Firms Are a Prime Catch
Law firms seem to have become prime targets for cybercriminals due to the nature and value of the information they handle. “Law firms may be attractive targets because of the valuable data they manage, encompassing client information, matters, and transactions,” Kozma highlights.
“Law firms represent attractive targets for persons who perpetrate cybercrimes as they are usually well-reputed, with notable high-profile clients and with high income,” Diaconescu agrees. “As such, obtaining the database of a high-profile law firm or redirecting forged invoices from fake e-mail addresses to the clients of that respective law firm can bring immediate financial benefits to such persons.”
Ivanova draws attention to “the sensitive, high-value information” law firms handle, ranging from “corporate transactions and intellectual property to personal client data and litigation strategies.” As an example, “in Bulgaria, many firms also work on real estate transactions or business acquisitions, making them targets for cybercriminals looking to intercept or redirect sensitive information, including trade secrets,” she points out.
Regulators on Standby
While law firms increasingly find themselves at the center of cybersecurity concerns, regulatory and institutional responses across CEE vary.
“The National Union of the Romanian Bars has reacted to the recent trend in cybersecurity threats that targeted law firms and individual practices and has issued guidelines in order to prevent such vulnerabilities, also organizing certain events in this respect, the latest being organized on March 20, 2025, in Bucharest,” Diaconescu says. “Also, in the past, the Bucharest Bar has offered attorneys practicing law in the capital the possibility to attend cybersecurity courses specially tailored for legal professionals and has also implemented a two-factor authentication process for any online services provided.”
By contrast, in other jurisdictions, cybersecurity guidance remains more general in nature. “There are no mandatory, detailed cybersecurity standards, specifically for law firms under Bulgarian law, yet,” Ivanova notes. “Most of the responsibility falls under the broader GDPR framework and the obligations it imposes for protecting personal data. The Data Protection Commission actively carries out awareness-raising campaigns, including through recommendations and advice on specific measures to be taken.”
Hungary presents a similar picture. “We are not aware of any specific new guidance or regulatory framework tailored exclusively to law firms or the legal profession in Hungary,” Kozma notes. “There are detailed rules in respect of client-attorney privileges, however, these rules do not deal with the cybersecurity aspects of keeping the confidentiality, integrity, and availability of data and information held by law firms. At the same time, general data protection requirements also apply to law firms, which include the implementation of strong data security measures.”
The broader EU regulatory landscape also leaves certain gaps. “Law firms have not traditionally been subject to any specific cybersecurity rules going further than those applicable to standard businesses,” Matejka adds. “It is also not the case under the new EU cybersecurity framework NIS 2, where law firms typically are not among the entities regulated by such legislation unless they fall within the scope of this legislation as suppliers of a regulated entity. On the other hand, if law firms handle sensitive data of their clients, they should take cybersecurity risks seriously as any incidents may significantly harm their relationships with clients and reputation.”
Bigger Firms, Bigger Firewalls
Efforts to strengthen cybersecurity in the legal sector are growing, but implementation remains uneven, particularly between large and small firms. To address emerging risks, “most of the top-tier law firms have started their own IT security department to prevent such threats, began digitalizing all their data and storing it in multiple means (hardcopy and cloud), and also implemented strict IT security policies.” Moreover, Diaconescu notes, “law firms that have fallen victim to such cyberattacks have reported the situation to the national Cybernetic Security Directorate or to the Directorate for Investigating Organized Crime and Terrorism.” Still, many law firms struggle to implement effective cybersecurity measures. “The shortcomings usually involve their implementation in practice. In order to have sufficient cybersecurity measures in place, you need a knowledgeable and dedicated IT team, which not all lawyers or law firms have (or can afford),” Matejka notes.
The size and resources of a firm play a significant role in its level of protection. “Larger firms typically have advanced cybersecurity measures in place to protect this data, making them less vulnerable to certain attacks,” Kozma explains. “However, smaller firms may face more challenges in maintaining the same level of security due to limited resources and technical expertise.”
“Most small and mid-sized firms are not adequately protected, either due to budget constraints or lack of expertise,” Ivanova agrees. “While larger firms may have robust protocols in place, the average Bulgarian law firm often lacks formal cybersecurity policies or even basic tools like two-factor authentication or secure file-sharing systems.”
Beyond the resource gap, there are also concerns about the adequacy of the standards being applied. “The standards currently in place are often based on general IT security practices rather than industry-specific requirements, which may not always take into account the specific risks and sensitivities of legal work,” Kozma notes. “Continuous updates and improvements are necessary to keep pace with the sophistication of cyberattacks.”
Looking ahead, there might be a need for a tailored and inclusive approach. “While higher cybersecurity standards are crucial for protecting sensitive information and maintaining client trust, it is also essential to consider the unique challenges faced by smaller law firms,” Kozma emphasizes. “A balanced approach that provides scalable and affordable cybersecurity solutions can help ensure that all law firms, regardless of size, can protect their data effectively.”
This article was originally published in Issue 12.3 of the CEE Legal Matters Magazine.