

Consent phishing is a new danger for law firms

Just as law firms’ cyber security measures become ever more sophisticated, so too do the techniques of attackers, says Nick Hayne at Quiss, who warns of the rise of a new, insidious type of cyberattack.

Nick Hayne, head of professional services, Quiss

By now, most people should be familiar with the dangers presented by phishing, with businesses investing significant time and resources into training their employees on how to identify and prevent incoming attacks.

In a bid to improve the security of user accounts, Multi-factor Authentication (MFA) has been widely adopted across organisations of all sizes, as a way of adding another layer of protection against would-be hackers.

Unfortunately, cybercriminals won’t be deterred by security enhancements, as they too have become more sophisticated in their approach, coming up with new ways to successfully dupe employees and access sensitive files.

Consent phishing has recently emerged as one such new technique, and it doesn’t contain the telltale indicators of traditional phishing emails, which makes it harder for employees to detect.

Legitimate appearance

Consent phishing emails are dangerous because they look like authentic communications sent by a colleague. Instead of containing an easily detected, fraudulent link, the message appears to ask the recipient to press accept and view a shared file.

The email seems legitimate, as it uses a Microsoft domain name and has a green tick in the corner, which usually indicates the communication is secure and trusted.

Feeling reassured and confident the email is not suspicious, the user automatically clicks accept. However, this has unwittingly granted the attackers permanent access to the recipient’s account, which cannot be corrected with a password change or MFA.

In fact, the email was seeking access approval rather than granting the user access to a file. Now, the hackers have the permissions needed to download, view and even delete sensitive data, with the ability to send emails from the victim’s account and forward incoming communications to themselves.

Future protection

Another damaging aspect of consent phishing is that there is no obvious way of immediately knowing you have been a victim. After pressing accept, you are not directed to a bogus website, but receive a simple message stating something like, ‘this page has expired’. Assuming it’s just another file recalled or gone missing, few think any more about it.

One way to find out what has happened is to audit the apps you have approved, which most people are not in the habit of doing. Both Google Workspace and Microsoft 365 let you review the list of third-party apps you have personally granted access to your account.

With this type of attack on the rise, law firms must take steps to ensure consent phishing is policed. While it’s not really feasible to ban users from accessing third-party apps, it might be safer to let employees find and request apps, and then wait for administrators to approve them.

Pre-approval for certain apps may also help streamline the entire process, while keeping the business and its data safe from hackers.
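The two controls described above (auditing which apps have been granted access, and routing new app requests through administrator approval) come down to the same question: which consent grants carry mailbox, file or persistent access, and were they approved by an administrator? The script below is an added example, not code from the article or from Quiss. It triages a small set of constructed consent-grant records in a simplified shape of our own; real exports from Microsoft 365 (the Entra ID "Consent to application" audit events or the OAuth2 permission grant list) and Google Workspace carry more fields, but the same logic applies. The scope names are real Microsoft Graph delegated permissions; the risk weights, the threshold and the app names and IDs are assumptions made for the example.

```python
"""Triage OAuth consent grants for consent-phishing risk (added example)."""
import json
from dataclasses import dataclass, field

# Delegated scopes that hand an attacker mailbox or file access, or that
# persist across a password change. Names are real Graph scopes; the
# weights are this example's assumption, not a vendor rating.
HIGH_RISK_SCOPES = {
    "Mail.Read": 3,
    "Mail.ReadWrite": 4,
    "Mail.Send": 4,
    "MailboxSettings.ReadWrite": 3,   # can create forwarding/inbox rules
    "Files.Read.All": 3,
    "Files.ReadWrite.All": 4,         # read, modify and delete shared files
    "Contacts.Read": 1,
    "offline_access": 2,              # refresh token survives a password reset
}
UNVERIFIED_PUBLISHER_WEIGHT = 3   # assumption
USER_CONSENT_WEIGHT = 2           # assumption: grant bypassed admin review
FLAG_THRESHOLD = 8                # assumption: tune to the tenant

# Constructed sample records in a simplified shape (not a real export).
SAMPLE_GRANTS = """
[
  {"app_display_name": "SharePoint file viewer",
   "app_id": "00000000-0000-0000-0000-000000000001",
   "publisher_verified": false, "consent_type": "User",
   "granted_by": "fee.earner@example.test",
   "scopes": ["offline_access", "Mail.Read", "Mail.Send",
              "Files.ReadWrite.All", "MailboxSettings.ReadWrite"]},
  {"app_display_name": "Expense tracker (placeholder)",
   "app_id": "00000000-0000-0000-0000-000000000002",
   "publisher_verified": true, "consent_type": "Admin",
   "granted_by": "it.admin@example.test",
   "scopes": ["User.Read", "offline_access"]},
  {"app_display_name": "Calendar sync helper (placeholder)",
   "app_id": "00000000-0000-0000-0000-000000000003",
   "publisher_verified": true, "consent_type": "User",
   "granted_by": "partner@example.test",
   "scopes": ["Calendars.Read", "User.Read"]}
]
"""


@dataclass
class Grant:
    app_display_name: str
    app_id: str
    publisher_verified: bool
    consent_type: str          # "User" or "Admin"
    granted_by: str
    scopes: list = field(default_factory=list)


def load_grants(raw_json: str) -> list:
    """Parse the simplified grant records into Grant objects."""
    return [Grant(**rec) for rec in json.loads(raw_json)]


def score_grant(grant: Grant) -> tuple:
    """Return (score, reasons) for one grant; higher means riskier."""
    score, reasons = 0, []
    for scope in grant.scopes:
        weight = HIGH_RISK_SCOPES.get(scope, 0)
        if weight:
            score += weight
            reasons.append(f"scope {scope} (+{weight})")
    if not grant.publisher_verified:
        score += UNVERIFIED_PUBLISHER_WEIGHT
        reasons.append("publisher not verified")
    if grant.consent_type != "Admin":
        score += USER_CONSENT_WEIGHT
        reasons.append("user consent, no admin review")
    return score, reasons


def triage(grants: list, threshold: int = FLAG_THRESHOLD) -> list:
    """Grants at or above the threshold, riskiest first."""
    flagged = [g for g in grants if score_grant(g)[0] >= threshold]
    return sorted(flagged, key=lambda g: score_grant(g)[0], reverse=True)


def remediation(grant: Grant) -> list:
    """Defender checklist for a flagged grant (the article's own points)."""
    steps = [f"revoke the consent grant for app {grant.app_id}",
             f"revoke refresh tokens / sessions for {grant.granted_by}"]
    if "MailboxSettings.ReadWrite" in grant.scopes:
        steps.append("inspect and remove attacker-created inbox forwarding rules")
    if any(s.startswith("Files.") for s in grant.scopes):
        steps.append("review file access and deletion activity for the account")
    return steps


if __name__ == "__main__":
    for g in triage(load_grants(SAMPLE_GRANTS)):
        score, why = score_grant(g)
        print(f"{g.app_display_name}: {score} -> {'; '.join(why)}")
        for step in remediation(g):
            print("  -", step)
```

Only the first record is flagged: it combines mailbox read and send, file write, mailbox-rule access and a refresh token, from an unverified publisher, approved by a user rather than an administrator. A user-consented calendar app with no sensitive scopes stays below the threshold, which is the point of pre-approval: low-risk apps can be allowed without friction while anything touching mail or files waits for an administrator. Revoking the grant alone is not enough, since a refresh token issued under offline_access keeps working until it is revoked too.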
