New Zealand’s law firms are increasingly under attack from cybercriminals, with experts warning that many remain unprepared for the scale of the threat. Holding large client trust accounts and sensitive information, law practices are seen as prime targets.
“Cybercrime is an industry now, it’s not just one solo actor,” said Michael Wallmansberger, co-founder of advisory firm Trust Hound and former security lead at ASB and Air New Zealand.
“Ten years ago, a business might have faced the odd cyber threat. Today, the chance of being exposed to a cyber threat to compromise your organisation is increasingly high.”
Wallmansberger said invoice redirection scams — where attackers compromise email accounts to alter payment details — remain among the most costly. “Many still get hit by invoice scams where a cyber attacker has compromised an email conversation … causing them to make a payment to the wrong place,” he said.
Geordie Stewart, chief information security officer at consultancy NSP, said many firms act only after being hit. “Action is often triggered only by an incident, or the fear of being the last to act,” he said. “I see businesses carry high levels of risk until something goes wrong, then they overcorrect and spend far more than they needed to.”
“You can insure your systems and restore operations, but you can’t insure against the loss of client trust,” Stewart said.
Experts said simple measures could prevent many incidents: multi-factor authentication, regular updates, unique passwords, and staff training to recognise urgency or authority in suspicious requests.
“The most effective defences are still the basics,” Wallmansberger said. “If you feel that sense of urgency in a request, stop and think twice.”