Impersonation Scams and the Threat to Professional Services Firms – What You Need to Know

The last couple of years have seen a significant increase in digital impersonation scams specifically targeting professional services, accountancy, and law firms, and their clients. These scams exploit human error and IT related vulnerabilities, and their impacts can be devastating, ranging from financial loss to reputational damage.

Why Law and Accountancy Firms Are Prime Targets

Legal and accountancy firms are at high risk of such attacks due to the large amount of personal information held on clients, and the high-value financial transactions they handle, both of which present an attractive opportunity to cyber criminals.

It’s not just you but your clients who are at risk

Many firms have already taken steps to improve their email security by implementing advanced email scanning services, multifactor authentication and training staff (these should be considered the bare minimum).  However, while this protects their internal security, it does little to reduce the risk of their clients being targeted by criminals pretending to be their firm.

Scammers are aware of the trusted relationship that legal and accountancy firms have with their clients and are actively attempting to exploit this by impersonating them to defraud your clients of money and confidential information. Without taking steps to prevent this activity, a successful attack could result in long term reputational damage.

Here is our summary of the most common impersonation scams.

Email Impersonation

Email is still the most common approach used by cyber criminals employed for impersonation scams – principally because it remains the most successful for them as people are still regularly fooled by such emails. With the use of generative AI, these emails have become even harder to identify and remain a very significant risk.

Risks to your firm include:

• Fraudulent transfers of client or firm funds.
• Leaked sensitive client or firm information.
• Compromised systems leading to broader cyberattacks.

Look out for:

• Requests for money or confidential information being sent to your clients from your email address
• Slightly altered email addresses in the ‘from address’ eg. doe@lawfirm.co.uk versus john.doe@lawfrm.co.uk

How to reduce your risk:

• Use secure portals to exchange documents and information with your clients
• Train staff to recognise phishing attempts and verify unusual requests via a secondary method, like a phone call.
• Put in place the email impersonation protection and a DMARC policy (an email impersonation prevention protocol) to prevent impersonation of your email addresses.

Smishing (Text message/WhatsApp impersonation)

Smishing (SMS phishing) involves fraudulent text messages sent to employees or clients, often impersonating a trusted entity like a bank, a senior partner, or even your business. These messages may ask recipients to click on a link, download a file, or share sensitive information.

Risks to your firm include:

• Scammers gaining access to client or firm data
• Compromised usernames and passwords giving unauthorised access
• Employees or clients granting hackers access to their phone

Look out for:

• Texts urging immediate action, such as “Your account will be deactivated unless you click this link now.”
• Links that seem off or do not match the official website.
• Unusual sender numbers or generic greetings.

Prevention tips:

• Awareness training about smishing tactics and encourage caution with unsolicited messages.
• Firm wide policies discouraging employees from sharing sensitive information via text message or WhatsApp.
• Similar communications with your clients about how your firm shares data

Vishing (Voice or telephone impersonation)

Vishing (voice phishing) involves scam calls where criminals pose as trusted entities to extract sensitive information. Common tactics include impersonating IT support, banks, professional advisors or clients. Scammers use social engineering to create a sense of urgency, convincing victims to disclose passwords, account details, or other sensitive data.  Generative AI has made these scams even more convincing by allowing scammers to clone the voices of people with authority, such as a Managing Partner, often using existing video recordings of them on the internet or cloning their voice by making a scam call to them.

Risks to your firm include:

• Financial loss due to scammers authorising payments and transfers
• Breaches of confidential client information.
• Loss of trust with clients due to breaches of confidentiality

Look out for:

• Callers pressuring for immediate action or claiming severe consequences if ignored.
• Requests for sensitive information that would not normally be handled over the phone.
• Calls from people who are supposed to be at a conference or on holiday.

Prevention tips:

• Train staff to verify the identity of callers, especially those requesting sensitive data.
• Encourage employees to end suspicious calls and follow up with the supposed source through verified contact methods.
• Use caller ID verification tools where possible.

Impersonation scams are a growing threat to professional services, legal and accountancy firms, but with the right awareness and safeguards in place, you can significantly reduce your risk.

Technical mitigations can help, and many are essential, but creating a culture of security in your firm, and providing good advice to your clients, represents the best approach to reducing the likelihood of an impersonation attack and maintaining the trust of your clients.

If you wish to know more about protecting your firm from impersonation attacks, get in touch using the form below.