Artificial intelligence is amplifying the efficiency of cyber-attacks on law firm emails, with security specialists warning that attackers are now using the same AI tools as legitimate organisations to target the profession.
Brendan Felstead, Director of Sales and Partner at Essential Tech, and Shaun Capps, Check Point Software MSP Partner Manager, addressed the AI issue at ALPMA’s Incident Response, Cyber Security – New threats & Proactive Measures event at Law Society House, Brisbane, on Thursday.
Mr Felstead said the profession’s focus on AI innovation had partially overshadowed a more uncomfortable truth: the hackers were evolving just as fast, with the number of AI-generated phishing attacks increasing 14 times in December 2025.
“Everyone’s talking about AI, but cybersecurity is still there,” he said. “And you’re actually finding that the AI criminals, the hackers behind this, are using AI to get better.
“But it’s really important to note, they’re not just sitting there making one for one email, they are going and getting their AI agents to do thousands and thousands of attempts at this.
“So then it’s really upping the effectiveness of them and the volume. So they’re not just doing 10 a day now, they’re doing hundreds if not thousands a day to try every business.
“No matter what size, if it’s got an account, they’re going to try it. So it’s not a mentality of, ‘I’m not a target’. You are absolutely a target because a law firm carries all their clients’ data.”
Mr Felstead warned that the days of spotting phishing emails by poor grammar or suspicious formatting were over, and that collaborative suites and platforms were also being used or replicated.
“As Shaun will say, the emails don’t even look like fake … you’re not looking for spelling anymore. They actually are something that you might fall for. I almost did last week so they are getting really good at this stuff.
“AI’s not just about the tools, but the criminals are using it the same ways. They’re working out what worked, then taking that and trying it again at the next place.”
He told attendees that cyber risk had become a board‑level responsibility, with regulators expecting rapid and transparent responses to breaches.
“This is really about board level, the partners, you guys, you’re the leadership, you’re going to be held responsible if there’s a breach, the government is watching, the regulators are watching,” Mr Felstead said.
“The OAIC (Office of the Australian Information Commissioner) now have timelines on how you respond.
“So the important thing that hopefully we can take away from here today is that what happens with a breach, it’s how you respond. It’s how you respond is going to be super important going forward. And that’s what the regulator’s looking for. It’s having that plan, being able to deliver it, and communicating.”

Another emerging risk he highlighted was Shadow AI – employees using unapproved AI tools on personal devices.
“People in your organisation … they’ve got tools they leave on their phone. If they’re not allowed to use them on their computer, they’re doing it on their phone. So you’ve got to protect and stop that data getting leaked.”
He then handed over to Mr Capps, who opened with a candid admission about the state of the threat landscape.
“The purpose of why I’m here today isn’t to scare you inherently with what is happening in the cybersecurity world, but inherently the way that I have to describe it is a little bit scary,” he admitted.
Mr Capps noted that while ransomware once spelled reputational ruin, breaches today were more survivable – provided organisations followed proper protocols.
“As long as you have the right safeguards, the right policies in place … and like Brendan says, go to your clients and say, ‘Hey, this happened, we’re responding,’ it does not mean the end of your business.”
He reiterated that email remained the primary entry point for attackers, with 93 per cent of attacks targeting emails, but warned that many businesses overlooked other vulnerable systems.
“CCTV, any cameras, is often the easiest one to get into systems because 95 per cent of the world’s cameras are not protected.”
If attackers can’t breach cameras, he said, they move to building management systems. Once inside, attackers can access internal networks, emails, practice management systems, and steal data – all without walking through the front door.
Mr Capps stressed that every breach ultimately hinged on one thing: identity.
“You can’t get access without someone’s identity … your login, your MFA. It’s really important that your identity is not shared.”
He warned that even CCTV access could allow attackers to watch employees writing down passwords.
Mr Capps agreed with Mr Felstead, saying modern phishing was almost impossible to detect, even for experts.
“They will try their absolute best to make it look like this is a business‑as‑usual email. You’re not going to recognise it.”
He admitted that even he, working in cybersecurity, feared falling for one.
“I’m very overly cautious … because I’ve seen instances where emails come from the right sender, the right domains, the right IP addresses – everything looks right – but someone added a rule in the background to change a few bank account numbers,” he said.
“I’ve seen instances where other IT providers have shown me emails that they come from the right sender. They have all of the same writing in it.
“So when the email is delivered, it’s delivered through the security system as safe. But it’ll get delivered.
“And then the person on the other side goes, ‘Great, this is the sender I expected, this is the format I expected, I’m going to go pay this invoice’.
“And if they haven’t done their third-party validations, or they try and get a secondary confirmation on the numbers, that money is lost forever.
“It is very scary, and like I said, you just don’t know.”
The payments, sometimes worth thousands or millions of dollars, are sent straight to criminals and are often unrecoverable.

Mr Capps said security often felt inconvenient and at odds with business efficiency, but the alternative was far worse.
“The most secure laptop is the one that’s unplugged and powered off and left in the corner. But that’s not very efficient for your company,” he said.
“You guys need to actually be able to work. But when people don’t want to do MFA or they don’t want to follow a document security process, because they just want to get things done, that’s where the gaps can be introduced to businesses.
“Really important that you remember that security is there for a reason. It’s the same reason people lock their doors, you know, shut the gate, close the garage.
“You have to spend the time to do those things or you could be up for thousands, if not millions, of dollars.
“We always talk about email because it’s the easiest way for an external person to get to your business and it’s the most used part of your business.”
Mr Felstead said a new threat, Echo Link, attacked email by leveraging the AI agents running in a firm’s or company’s IT environment.
“What this attack does is leverage that technology,” he said. “So what they’ll do is they’ll send an email to you perfectly fine. It’ll just say, ‘Hey, here’s an email’, plain text body. There’s no attachments, there’s no malicious files in it.
“But what they do is they secretly plant a prompt injection for the AI agent to read to overwrite its previous prompt.
“So then someone’s able to send you an email to your inbox that your agent is reading in milliseconds and then taking action based on what that says.
“Now, it’s very, very, very hard to recognise or even stop that if you don’t have the right preventions in place.
“And this one is really scary because it leverages things that people trust inherently as safe. It is quite scary to me because typically in the past, you go back two years, you usually had to open an email for something to happen.
“Whether or not you clicked a link, that this is happening without any human interaction now.”
The good news is that firms can prevent these attacks.
“There is a lot that can be done. It’s just a matter of understanding and education,” Mr Felstead said.
“It’s all about preventative measures and then knowing the policy and the steps to respond if you are breached.
“The mentality that we’re told to adopt is assume breach.
“So assume that you are breached or have been breached or will be breached and learn and protect and treat it that way so that you always are serious about what’s going on.”



