A new report released on Tuesday by the email analytics platform 250ok found that more global law firms are adopting domain-based message authentication, reporting and conformance, or DMARC, solutions designed to help authenticate emails and protect against spoofing. The report analyzed 100 parent domains belonging to the top 100 accredited law firms internationally.

The rising popularity of DMARC tools could be attributable to the evolution of spear-phishing attacks, which more often place a heavier emphasis on strategically selecting targets with lucrative relationships to exploit rather than relying on widespread and haphazard email campaigns.

Law firms, which possess an extensive web of contacts and sensitive information, appear to be taking the lead on preventive measures compared to other industries like finance or even the Fortune 500 sphere.

“If you were to impersonate a lawyer that would carry a lot of weight. If you were to send [an email] to a lawyer impersonating a client, that would carry a lot of weight,” said Matthew Vernhout, director of privacy at 250ok.

According to the report, 39% of firms surveyed have invested in a “none policy,” a sort of entry-level and passive DMARC solution that allows an organization to gain insights into how many emails have passed or failed the authentication process.

It's a 6% bump up from last year's report and puts legal ahead of other industries such as financial services (19%), nonprofit organizations (7%) or even Fortune 500 companies (15%) who have invested in a none policy.

“Moving into even a none policy, just to be able to see where the problem is, is significant enough. You'll see the problems coming. You won't be able to stop them but you'll see them,” Vernhout said.

One reason law firms might be more willing to dip their toe into those waters than other industries comes down to attorney/client privilege. It's not uncommon for a hacker to spoof an email from a company's CEO requesting that an employee buy hundreds of dollars in gift cards. But the kind of information that might be obtained by someone posing as a lawyer could be much more valuable.

For instance, if an opposing counsel winds up on the wrong end of a phishing email, it could cause a kind of domino effect that cascades from firm to firm and client to client.

“It becomes sort of a kind of a chain of contacts, and you build some trust and say, 'I'm the new lawyer at Firm X and I'm working on this case. I need you to send me some files,'” Vernhout said.

Despite the risks, law firms don't appear to have ventured too far into the domain of more aggressive measures such as quarantine or reject policies, but those numbers could be on the rise. Only 7% of law firms surveyed have implemented quarantine policies, which essentially alert the receiver that an email failed a security check and, depending on individual settings, place it into a spam folder. Still, that 7% represents a 5% increase over last year.

The same goes for reject policies, which block the delivery of suspect emails outright and are being utilized by 11% of law firms surveyed, but only around 5% of Fortune 500 companies and just under 6% of financial services organizations. Legal's 11% is up 8% from last year.
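The three policy tiers described above are published in a domain's DMARC TXT record as the `p=` tag. The following is an added example, not code from 250ok or the report: a simplified parser that classifies records into those tiers and tallies them, the way a survey of parent domains would. The domains and record values are constructed, and the parser checks only the version, `p` and `pct` tags.

```python
from collections import Counter

POLICIES = ("none", "quarantine", "reject")

# Constructed sample TXT values, as they would be published at _dmarc.<domain>.
# None means the lookup returned no record.
SAMPLE = {
    "firm-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm-a.example",
    "firm-b.example": "v=DMARC1; p=quarantine; pct=50",
    "firm-c.example": "v=DMARC1;p=REJECT",
    "firm-d.example": None,
    "firm-e.example": "v=spf1 -all",  # an SPF record, not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and read exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag with no '='
        tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt):
    """Map a TXT value to none / quarantine / reject, 'no record' or 'invalid'."""
    if txt is None:
        return "no record"
    policy = (parse_dmarc(txt) or {}).get("p", "").lower()
    return policy if policy in POLICIES else "invalid"

def enforcement_pct(txt):
    """Percentage of failing mail the policy applies to; 0 when nothing is enforced."""
    if classify(txt) not in ("quarantine", "reject"):
        return 0  # p=none only reports, it does not stop delivery
    pct = parse_dmarc(txt).get("pct", "100")  # pct defaults to 100 when absent
    return int(pct) if pct.isdigit() and int(pct) <= 100 else 100

def tally(records):
    """Count how many domains fall into each tier."""
    return Counter(classify(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(domain, classify(txt), enforcement_pct(txt))
    print(dict(tally(SAMPLE)))
```

A `pct` value below 100 means a quarantine or reject policy is applied to only part of the failing mail, so a domain counted in an enforcing tier may still be mid-rollout.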

Vernhout expects to see adoption continue to grow alongside ongoing media coverage of phishing scams and other assorted data breaches. Still, the cost associated with establishing quarantine or reject policies may keep law firms primarily focused on establishing a working none policy for now.

“It's not zero cost. There are man hours that need to be put forward. There may be systems that need to be upgraded or systems that need to be implemented,” Vernhout said.