
Domain Security for UK Law Firms: Protecting Your Domain from Phishing and Fraud

UK law firms are prime targets for email fraud. This guide covers the domain security controls every solicitor should have in place to protect clients from phishing attacks that impersonate the firm.

2 May 2026 · 7 min read · #law firms #legal sector #email fraud

Why law firms are targeted

UK law firms hold two things attackers want: money (in client account) and trust. The combination makes conveyancing fraud and invoice redirect fraud extremely lucrative. Action Fraud reports tens of millions of pounds lost annually by UK law firms and their clients through email-based attacks.

The SRA's Warning Notice on cybersecurity notes that most of these attacks begin with email impersonation — the attacker spoofs the law firm's domain to divert completion funds or redirect invoice payments to a mule account. Proper email authentication stops the firm's own domain from being spoofed in this way.

The SRA's expectations

The SRA Code of Conduct requires solicitors to protect client money and assets (Principle 8) and maintain the trust the public places in the profession (Principle 2). While the SRA does not prescribe specific technical controls, a firm that has not implemented basic email authentication — and whose clients subsequently lose money to domain spoofing fraud — faces questions about whether it took appropriate steps to manage foreseeable risk.

The SRA's Cybersecurity guidance for law firms specifically highlights DMARC as a control firms should implement.

The three most important controls

DMARC at enforcement level

A DMARC policy of p=reject prevents your domain from being used to send phishing email. Every conveyancing firm, every firm handling client funds, and every firm with a public-facing brand should have p=reject as the goal. The path is: implement SPF and DKIM, publish a DMARC p=none policy and review the aggregate reports, then escalate to p=quarantine and finally p=reject.
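A short way to see where a firm is on that path is to read its published SPF and DMARC records and classify them. The following is an added example, not VP Shield's scanner; the record strings are constructed and would normally be fetched from DNS (for instance with dig TXT _dmarc.yourfirm.co.uk).

```python
"""Classify SPF and DMARC TXT records by how much enforcement they provide.

Added example. The sample records below are constructed for illustration
and refer to no real firm; in practice pass the strings returned by DNS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str | None            # p= value, or None when no usable record
    subdomain_policy: str | None  # sp= value, defaulting to p=
    pct: int
    has_reporting: bool           # rua= present
    enforcing: bool               # reject for domain and subdomains at 100%
    findings: list[str] = field(default_factory=list)


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict; whitespace is tolerated."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> DmarcAssessment:
    if not record:
        return DmarcAssessment(None, None, 100, False, False,
                               ["no DMARC record: receivers apply no policy to spoofed mail"])
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment(None, None, 100, False, False,
                               ["malformed record (v=DMARC1 and p= are mandatory); receivers ignore it"])
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    findings: list[str] = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; treated as 100")
    has_reporting = "rua" in tags
    if policy == "none":
        findings.append("p=none is monitoring only: failing mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if not has_reporting:
        findings.append("no rua= address: you will not see who is sending as your domain")
    enforcing = policy == "reject" and sub_policy == "reject" and pct == 100
    return DmarcAssessment(policy, sub_policy, pct, has_reporting, enforcing, findings)


# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_spf(record: str | None) -> list[str]:
    """Return weaknesses in an SPF record; an empty list means nothing to report."""
    if not record:
        return ["no SPF record: receivers cannot tell authorised senders from forgers"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, so it is not a valid SPF record"]
    findings: list[str] = []
    lookups = 0
    all_qualifier: str | None = None
    for term in terms[1:]:
        qualifier, body = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name = re.split(r"[:/=]", body, 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of fail")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    return findings


if __name__ == "__main__":
    # Constructed records for a fictional firm at each stage of the rollout.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@smithsolicitors.test",
                "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@smithsolicitors.test",
                "v=DMARC1; p=reject; rua=mailto:dmarc@smithsolicitors.test"):
        a = assess_dmarc(rec)
        print(f"{a.policy:<10} enforcing={a.enforcing} {a.findings}")
    print(assess_spf("v=spf1 include:_spf.mail-provider.test +all"))
```

Note that `~all` (softfail) is not flagged: once DMARC is enforced, only an SPF pass counts for alignment, so softfail and fail give the same DMARC outcome.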

Registered domain variants

Even with perfect DMARC on your primary domain, attackers can register typosquats — smithsolicltors.co.uk, smith-solicitors.com — and use those for phishing. You cannot authenticate their domains; you can only make your firm's legitimate domain widely recognised. Consider registering common typosquats and closely related domains to prevent their registration by third parties.

Client communication protocols

Technical controls protect the email channel, but clients also need guidance. Firms should publish and repeat their bank account change policy ("we will never change our bank details by email alone") and encourage clients to verify any payment instructions by phone, on a number they have verified independently rather than one taken from the email.

Additional domain security measures

  • HSTS — prevent SSL stripping on your website, especially the client portal
  • Certificate transparency monitoring — receive alerts when a certificate is issued for your domain or any subdomain (useful for detecting attackers obtaining certificates for lookalike domains)
  • CAA records — restrict which CAs can issue certificates for your domain
  • Subdomain audit — check for dangling CNAME records pointing to decommissioned services

Check your firm's domain security

VP Shield runs a passive security scan on any domain in under two minutes — free, no signup required. It will tell you immediately whether your firm's domain can currently be spoofed for phishing email, what your TLS grade is, and whether there are any DNS misconfigurations that a threat actor could exploit.
