The Rising Threat of Vishing: How UK Law Firms Can Protect Themselves from Voice Phishing Attacks

In an era where cybersecurity threats continue to evolve, UK law firms face a particularly insidious danger: vishing. Short for “voice phishing,” vishing uses phone calls to manipulate staff into revealing sensitive information, authorising fraudulent transactions, or compromising firm security. Unlike email phishing, which many professionals have learned to spot, vishing exploits our natural inclination to be helpful on the phone—a trait deeply embedded in client-focused legal practice.

Why UK Law Firms Are Prime Targets

Law firms occupy a unique position in the criminal crosshairs. They routinely handle substantial client funds, often held in escrow or client accounts. They possess confidential information that can be leveraged for insider trading, corporate espionage, or extortion. And critically, they operate under intense time pressure, where a partner demanding urgent action or a client needing immediate attention is simply business as usual.

The Solicitors Regulation Authority (SRA) has repeatedly warned of fraudsters targeting conveyancing transactions, where funds exceeding hundreds of thousands of pounds move at the direction of a single phone call. But the threat extends well beyond property work. Corporate transactions, litigation settlements, and probate matters all present lucrative opportunities for attackers willing to invest time in social engineering.

Anatomy of a Law Firm Vishing Attack

Understanding how these attacks unfold is the first step toward defending against them.

The Client Impersonation Gambit

An attacker calls a conveyancing solicitor, claiming to be a client nearing completion on a property purchase. The caller knows the client’s name, the property address, and the approximate completion date—all gleaned from public records, social media, or previous reconnaissance calls. They explain that their bank details have changed and provide new account information for the completion funds. The matter seems urgent; completion is tomorrow. Without proper verification, the solicitor transfers the funds to what turns out to be a criminal account.

The IT Support Deception

A staff member receives a call from someone claiming to be from the firm’s IT support provider or Microsoft. There’s been suspicious activity on the network, they explain, or an urgent security patch needs installing. The caller sounds professional and technically competent. They ask the staff member to install remote access software, visit a particular website, or share login credentials. Within minutes, the attackers have a foothold in the firm’s systems.

The Partner Pressure Play

A junior solicitor receives a call from someone claiming to be a senior partner, calling from a conference abroad. The partner urgently needs funds transferred to a client or needs login credentials to access a document remotely. The caller is authoritative, impatient, and knows enough about firm matters to sound legitimate. The culture of deference to seniority does the rest.

The Opposing Counsel Ruse

Someone calls claiming to be from the other side in ongoing litigation, or from court administration. They need documents emailed urgently, or they need to verify certain details about the case. The caller uses legal terminology fluently and references real case details. By the time anyone realises something is wrong, sensitive case information has been disclosed.

The Role of Artificial Intelligence

The threat landscape has shifted dramatically with advances in AI voice technology. Attackers can now clone voices from brief audio samples—a podcast appearance, a conference recording, even a voicemail greeting. When combined with publicly available information about firm hierarchy and current matters, these synthetic voices make impersonation attacks substantially more convincing.

A vishing call that would once have required the attacker to attempt an accent or maintain a persona throughout the call can now be conducted with a synthetic voice indistinguishable from the genuine article. The barriers to sophisticated impersonation have fallen considerably.

Building Robust Defences

Protecting against vishing requires a combination of procedural safeguards, staff training, and cultural change.

Verification Callbacks

No request for sensitive action—fund transfers, credential sharing, confidential information disclosure—should proceed without verification via a callback to a known number. This means the number already on file for the client, not a number provided during the suspicious call. If a partner calls requesting urgent action, call them back on their known mobile. If IT support calls, hang up and call the IT helpdesk directly.

Dual Authorisation for Transactions

No single individual should have the authority to transfer significant funds based solely on a phone instruction. Dual authorisation requirements, with both parties independently verifying the instruction, dramatically reduce the risk of successful fraud. Many firms have implemented this for transfers above certain thresholds, but the threshold matters—criminals will probe for the limits.
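As an added illustration of the two controls just described (example code written for this page, not the article's own or any firm's actual system), the Python model below applies the release decision for a phone-initiated transfer. It assumes a £10,000 dual-authorisation threshold, a seven-day look-back window and a set of client contact numbers, all of which are invented for the example. It refuses a callback made to the number the caller supplied rather than the one on file, and it aggregates recent payments to the same payee so that a transfer split into sub-threshold pieces, the "probing for the limits" the text warns about, still requires two distinct approvers.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample record of contact numbers taken at matter opening.
# Client id and numbers are made up for this example.
ON_FILE_NUMBERS: Dict[str, str] = {
    "client-0042": "+44 20 7946 0000",
}

DUAL_AUTH_THRESHOLD_GBP = 10_000        # assumed policy value, not from the article
AGGREGATION_WINDOW = timedelta(days=7)  # assumed look-back for per-payee totals


@dataclass
class TransferInstruction:
    client_id: str
    amount_gbp: int
    payee_account: str
    received_at: datetime
    number_given_on_call: Optional[str] = None   # number the caller asked to be rung on
    callback_number_used: Optional[str] = None   # number staff actually rang back
    approvers: List[str] = field(default_factory=list)  # staff who independently verified


def callback_status(instr: TransferInstruction) -> str:
    """Return 'ok' if the callback went to the number on file, otherwise a reason."""
    known = ON_FILE_NUMBERS.get(instr.client_id)
    if known is None:
        return "no number on file for this client"
    if instr.callback_number_used is None:
        return "no callback performed"
    if instr.callback_number_used != known:
        # The classic failure: ringing back the number the caller supplied.
        if instr.callback_number_used == instr.number_given_on_call:
            return "callback made to the number supplied during the call"
        return "callback made to a number that is not on file"
    return "ok"


def requires_dual_auth(instr: TransferInstruction,
                       history: List[TransferInstruction]) -> bool:
    """Apply the threshold to the aggregate sent to this payee within the window,
    so splitting one payment into sub-threshold pieces does not evade the check."""
    recent = sum(
        h.amount_gbp for h in history
        if h.payee_account == instr.payee_account
        and timedelta(0) <= instr.received_at - h.received_at <= AGGREGATION_WINDOW
    )
    return instr.amount_gbp + recent >= DUAL_AUTH_THRESHOLD_GBP


def evaluate(instr: TransferInstruction,
             history: List[TransferInstruction]) -> Dict[str, object]:
    """Decide whether a phone-initiated transfer may be released, with reasons."""
    reasons: List[str] = []
    cb = callback_status(instr)
    if cb != "ok":
        reasons.append(cb)
    dual = requires_dual_auth(instr, history)
    if dual and len(set(instr.approvers)) < 2:
        reasons.append("dual authorisation required: two distinct approvers needed")
    return {"release": not reasons, "dual_auth_required": dual, "reasons": reasons}


# Constructed walk-through: one client, several calls about the same new payee.
_T0 = datetime(2024, 3, 4, 9, 30)
FIRST_CALL = TransferInstruction("client-0042", 8_000, "GB00 NEW PAYEE", _T0,
                                 number_given_on_call="+44 7700 900123",
                                 callback_number_used="+44 20 7946 0000",
                                 approvers=["a.smith"])
BAD_CALLBACK = TransferInstruction("client-0042", 8_000, "GB00 NEW PAYEE", _T0,
                                   number_given_on_call="+44 7700 900123",
                                   callback_number_used="+44 7700 900123",
                                   approvers=["a.smith"])
SPLIT_SECOND = TransferInstruction("client-0042", 6_000, "GB00 NEW PAYEE",
                                   _T0 + timedelta(days=2),
                                   callback_number_used="+44 20 7946 0000",
                                   approvers=["a.smith"])
SPLIT_SECOND_DUAL = TransferInstruction("client-0042", 6_000, "GB00 NEW PAYEE",
                                        _T0 + timedelta(days=2),
                                        callback_number_used="+44 20 7946 0000",
                                        approvers=["a.smith", "b.jones"])


def run_demo() -> Dict[str, Dict[str, object]]:
    """Evaluate the constructed instructions; the second pair share a payee."""
    return {
        "first_call": evaluate(FIRST_CALL, []),
        "bad_callback": evaluate(BAD_CALLBACK, []),
        "split_single_approver": evaluate(SPLIT_SECOND, [FIRST_CALL]),
        "split_dual_approver": evaluate(SPLIT_SECOND_DUAL, [FIRST_CALL]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The two £8,000 and £6,000 instructions each sit under the assumed threshold on their own, yet the second is held because the seven-day total to that payee reaches £14,000; only the version with two distinct approvers is released.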

Code Words and Challenge Questions

For high-value clients and critical transactions, establish verification code words or challenge questions in advance. A client who has agreed a code word at the outset of the matter can verify their identity quickly during subsequent calls. Some firms have adopted this approach for internal communications as well, particularly for instructions from partners to junior staff.

Staff Training and Awareness

Regular training sessions should cover current vishing techniques, with practical examples and role-playing exercises. Staff at all levels need to understand that healthy scepticism is not disrespectful—it’s professional. Receptionists and assistants, who often handle initial calls, deserve particular attention; they can serve as an early warning system if properly trained.

Reporting Mechanisms

Create clear channels for reporting suspicious calls without fear of embarrassment. Every suspicious call reported, even if it turns out to be legitimate, strengthens the firm’s understanding of current threats. Celebrate caution rather than punishing false positives.

The SRA’s Expectations

The SRA has made clear that firms are expected to take reasonable steps to protect client money and confidential information. Falling victim to a vishing attack may raise questions about whether appropriate safeguards were in place. The SRA’s warning notices on conveyancing fraud, cyber security, and client due diligence collectively establish expectations around verification procedures.

Firms should also be aware of their obligations under the Data Protection Act 2018 and UK GDPR. A vishing attack that results in disclosure of personal data may constitute a data breach requiring notification to the Information Commissioner’s Office within 72 hours.

Incident Response

Despite best efforts, attacks may succeed. Having an incident response plan in place ensures that the firm can act quickly to limit damage. This should include immediate steps to contact the receiving bank and request fund recovery, notification procedures for affected clients, and escalation paths to the SRA and Action Fraud as appropriate.

Time is critical in fund recovery. The faster the firm acts after discovering a fraudulent transfer, the greater the chance of recovering some or all of the funds before they’re moved onward.

A Cultural Shift

Ultimately, defending against vishing requires a cultural shift toward verification as standard practice. The instinct to be immediately helpful on the phone—while admirable in client service terms—must be tempered by systematic verification procedures. Clients and colleagues alike should understand that being asked to verify their identity is not a sign of distrust but a sign of professionalism.

The firms that embed this culture of verification most deeply will be best positioned to resist not only current vishing techniques but whatever social engineering methods emerge next. In a profession built on trust, protecting that trust requires perpetual vigilance.


For further guidance, see the SRA’s cybercrime resources and the National Cyber Security Centre’s advice for legal professionals.
