Legal Compliance for Small Law Firms

Lesson 12 of 15

Dodging Phishing Threats

From Compliance Pods for Legal Professionals

Overview

Explore the rising phishing risks targeting law firms and their impact on compliance. Learn practical techniques to spot suspicious emails and discover effective response strategies backed by real-world legal examples.

Legal Compliance for Small Law Firms: Dodging Phishing Threats — full transcript

Phishing Risks in Law Firms

Paul Crowther: Welcome back to Compliance Pods for Legal Professionals, and just a reminder that the content of this podcast is for general information purposes only and does not constitute legal advice. So buckle up. Because here. We. Go.

Andre Grayson: Hi all, Andre Grayson here, and as always, I’m joined by Paul Crowther. Today, we’re dodging the digital curveballs—phishing scams. These aren’t just annoying inbox clutter—they’re a real regulatory headache, especially for law firms under the SRA’s watch.

Paul Crowther: Yeah, Andre, it’s wild how much the SRA has ramped up the warnings recently. I mean, they’re expecting constant vigilance. If you get caught out, you’re risking more than embarrassment—you've potentially breached confidentiality, had client data siphoned off, or worse, much worse. That’s a red line for SRA Principles around integrity and risk management, isn’t it?

Andre Grayson: Exactly. It’s this direct link between operational mistakes—like clicking the wrong thing—and your compliance position. It’s not an IT headache; it’s about whether your firm’s meeting the SRA Codes. So, remembering that phishing emails often imitate clients, partners—even your bank or a supplier—it becomes a cultural and training issue too.

Paul Crowther: Absolutely, and it’s not abstract. Only yesterday we were contacted by a solicitor whose email had been cloned and one of their clients conned out of 43 thousand pounds. An email came in, and one of their fee earners clicked a dodgy link. That link immediately accessed their list of clients and emailed them all asking for money to be sent to complete a house purchase. But, André, and here's the rider, not to the usual account but to an intermediary. Even though they caught it early, within a few hours, and actively contacted clients, one had already paid 46 thousand pounds into the criminals' account. Genuine real-life consequences: SRA investigations, ICO investigations and increased PI insurance premiums. Ouch ouch ouch ouch.

Andre Grayson: That’s the thing. It’s easy to say “just be careful,” but when you’re trying to work quickly, or if you’re covering a colleague’s caseload, those red flags don’t always jump out. As we’ve said in previous episodes—like when we looked at compliance culture—it’s about building habits and supportive environments where staff actually feel okay to pause and double-check.

Key Techniques to Identify Phishing Emails

Andre Grayson: So, let’s break it down. What are the telltale signs? First up—unexpected or urgent requests. If something lands in your inbox and it’s “please do this right now, no time to check,” that should always trigger doubts. Same goes for generic greetings. “Dear Customer,” “Dear Colleague”—if you’re supposedly dealing with someone who knows you, why so impersonal?

Paul Crowther: Yeah, and it’s not just the greeting. I’m always, I mean, I’m almost obsessed now with checking sender addresses. Tiny changes, swapping an 'l' for a '1', that sort of thing. It’s the classic: “Looks right at first glance, but it’s definitely not.” Another trick is the reply-to not matching the sender. If you hover over the address—er, or just hit reply—you sometimes see it’s wanting to respond to a totally different email. That’s a big, flashing warning sign.

Andre Grayson: Absolutely. And then links. Always, always hover before you click. Just stopping to float your mouse over, seeing if the link matches what you’d expect. If it’s shortened, misspelled, or just… off, do not click. Attachments as well—unless you were genuinely expecting that file from that person, be deeply suspicious. My routine is, like, triple-checking not just the name but the whole context. Would this person really send this? Does the message sound right? Oh, and urgency. Anything that tries to hurry you along, bypass normal procedures—alarm bells. If it seems secretive—“don’t tell anyone, just transfer this now”—that’s textbook phishing.

Paul Crowther: That reminds me of another real case. I was working for a law firm and all of us directors got a phishing email purporting to be from my boss asking us to secretly buy Amazon vouchers and send them to his new personal email address. It all stacked up, he would ask for all those things! But but but but! But. It came in at 7 in the morning, and none of us responded because we knew he'd never be awake that early!! True story, André!

Andre Grayson: You have so many dodgy stories, Paul, but yeah, it’s that skeptical mindset you need to cultivate—just because you’re busy doesn’t mean you can’t be careful, right?

How to Respond to Suspicious Emails

Paul Crowther: So if you’re unsure—first rule, don’t touch anything in that dodgy email. Don’t reply, don’t click, don’t open any attachments. Just pause. I know it sounds basic, but sometimes people feel awkward or worry about “holding things up”, and that’s what gets exploited.

Andre Grayson: Spot on, Paul. And the next thing: verify. But not using any contact details in the suspicious email. Find a trusted number or email address you already use—check with the person or company directly. If the request’s legit, they won’t mind the call. Then escalate—get your manager or the firm’s COLP involved as soon as you suspect something’s fishy. The sooner you alert them, the better the chance to contain any risk.

Paul Crowther: Yeah, and the reporting bit’s key. At Legal Compliance Support, we spend half our lives helping firms put in proper staff training and clear reporting steps for this stuff. When a team knows precisely what to do after a near-miss, there’s less panic and much less damage. Plus, if you do make a mistake, raising it quickly with the COLP or the compliance lead gives your firm the best chance to handle it with the regulator by showing prompt action and good processes. SRA compliance is about being realistic and responsive, not just perfect.

Andre Grayson: And remember—the regulatory support is there to help, not punish honest mistakes. If your firm needs help tightening risk management, or setting up good escalation procedures for these incidents, get in touch. Prevention and early action are everything in this game.

Paul Crowther: Well, that’s it from us on phishing for today—don’t let your guard down, folks. And Andre, as always, a pleasure talking compliance and crisis-aversion with you.

Andre Grayson: Likewise, Paul. Thanks for listening, everyone—stay compliant, stay safe, and we’ll catch you next time for more practical tips. Take care!