Crowe report finds UK’s leading law firms are leaving the door open for cyber attacks

Findings of Crowe’s new report, Fraud and cybercrime vulnerabilities in the legal sector, reveal the extent to which law firms are at risk of cybercrime

  • 91% of firms exposed to having their website addresses spoofed.
  • 80.5% of firms were running at least one service, such as a web server, with a well-known vulnerability which could be exploited.
  • 23% of firms had at least one expired, revoked or distrusted security certificate.
  • 21% of firms had at least one service using software which was out of date or no longer supported by the developer.

The majority of law firms are likely to be at serious risk of cyber-attack, according to a new report from national audit, tax, advisory and risk firm Crowe.

New research produced by Crowe, in conjunction with KYND and the University of Portsmouth’s Centre for Counter Fraud Studies, has uncovered the extent to which the top 200 UK law firms across the country have significant unaddressed cyber risks.

The research follows Crowe’s 2019 Law Firm Benchmarking report, in which nearly half (43%) of all participants rated fraud and cybercrime as a business risk critical to their firm.

Given that the firms analysed are likely to have substantial budgets to build cyber resilience, the findings will also make worrying reading for the other 10,000 (approx.) UK law firms which may not have the same resources.

The report found that 182 of the 200 firms analysed are exposed to having their email addresses spoofed and used to send spam, phishing or otherwise fraudulent emails, resulting in exposure to malware and ransomware, as well as the phishing of clients and employees.

Also uncovered were vulnerabilities including expired, distrusted or revoked certificates, software with publicly disclosed weaknesses and domain registration risks – all of which could be avoided with the correct processes in place, reducing financial and reputational losses.

21% of firms analysed in this research were found to have at least one service using software which was out of date or no longer supported by the developer. The report draws on the lessons of the May 2017 WannaCry ransomware attack, which cost the NHS £92 million in total. Had the NHS kept its software updated, it could have been protected against the exploitative malware, and the losses could have been avoided.

Sue Daye, Professional Services Partner in Crowe’s South West office, said: “Our report shows that 91% of the UK’s top 200 law firms are at risk, so it is reasonable to assume this risk is likely to be far greater among small to medium sized firms.

“Many South West law firms may lack the scale and resources of bigger firms and are encouraged to seek specialist help to evaluate and reduce their vulnerabilities.

“While many have invested significant resources into countering threats of money laundering and scamming, they may, at the same time, have left the door open to cyber-attacks”.

Jim Gee, Partner and Head of Forensics and Counter Fraud Services at Crowe, said: “It is clear that there is an epidemic of fraud and cybercrime in the UK, and this research proves that law firms are, perhaps surprisingly, still seriously exposed.

“For an industry that is so closely associated with diligence and detail, the results are likely to come as a shock. Firms would do well to review their resilience. Cyber criminals need only a sliver of vulnerability to fraudulently gain access to valuable and sensitive data; are the UK’s law firms leaving the door open?

“The cyber landscape is becoming increasingly complex and keeping pace with the evolution of cyber threats is becoming ever-more challenging. Therefore, independent verifications can prove invaluable to expose vulnerabilities that could be exploited by hackers and implement processes to prevent such activity and reduce cyber risks.”

Louis Baker, Partner and Head of Professional Practices at Crowe, said: “In this report, we have identified and measured the risks to the top 200 law firms, which are likely to have substantial budgets to build cyber resilience.

“Therefore, the likelihood of smaller firms not included in this study being vulnerable to unaddressed threats is significant and should be seriously considered by their management.

“Irrespective of size or location, law firms attract cybercriminals due to the large amounts of client money, data and sensitive information they hold.

“Given that our 2019 Law Firm Benchmarking report found that fraud and cybercrime was ranked by participating firms as a critical business risk, it is vital that law firms address the reality of the threat, evaluate their vulnerabilities and put adequate protections in place.” 



Miriam Sherwood, Senior Marketing Manager (Regions), Crowe. Tel: 0121 543 1900

Notes to Editors:

About us
Crowe is a national audit, tax, advisory and risk firm offering global reach and local expertise. We are an independent member of Crowe Global, the eighth largest accounting network in the world. With exceptional knowledge of the business environment, our professionals share one commitment, to deliver excellence.

We are trusted by thousands of clients for our specialist advice, our ability to make smart decisions and our readiness to provide lasting value. Our broad technical expertise and deep market knowledge means we are well placed to offer insight and pragmatic advice to all the organisations and individuals with whom we work. Close working relationships are at the heart of our effective service delivery.


Crowe industry recognition

  • 11th largest firm in the UK by fee income (International Accounting Bulletin UK Survey, December 2018)
  • Top charity auditor (Charity Financials Audit Spotlight report and Charity Financials Audit Survey, 2009 – 2019)
  • Leading advisors to the UK mid-market, ranked 9th AIM and Main Market auditor (Corporate Adviser Rankings Guide, 2019)
  • 9th largest audit firm in the UK (FRC Key Facts and Trends in the Accountancy Profession, July 2018)
  • Employment Tax Specialist of the Year (Global Payroll Awards 2019)