Amid the accelerating digitalization of the professional services sector, Romania is facing a new and previously little-known form of cybercrime: legal phishing. This fraudulent method involves impersonating attorneys or law firms in order to send false but seemingly legitimate communications, designed to extract sensitive information or install malware on recipients' devices.

Hațegan Attorneys is raising the alarm about this phenomenon, which not only affects digital security but also undermines trust in professional communication within the legal field.

Romania already has a regulated framework for the cybersecurity of networks and information systems in the national civilian cyberspace, consolidated through the NIS2 Directive and Emergency Ordinance 155/2024. Even so, we have recently observed a significant increase in cyberattacks targeting both critical infrastructure and strictly regulated sectors such as banking, and more recently the legal sector, where as yet unresolved vulnerabilities in the digitalization process are being exploited. A recent case, reported by our colleagues at Blaj Law, illustrates this trend: an attorney's identity was fraudulently used to transmit false notifications related to alleged intellectual property rights infringements. This type of sophisticated attack exploits both professional authority and the specificity of legal language, which is difficult for the general public to decode.

Recommendations for protecting legal communication and information in the client-attorney relationship

To protect clients' rights and interests, Hațegan Attorneys recommends adhering to the following best practices:

1. Protect confidential information — Do not disclose details regarding legal cases, procedural strategies, or other sensitive elements except through official and secure channels.

2. Avoid providing authentication data — No law firm will request passwords or credentials via telephone or email. Treat any such request with suspicion and end the exchange immediately.

3. Do not grant access to third parties — Access data to electronic case files must be kept confidential, regardless of who requests them.

4. Use only official bank accounts — Payments should only be made to accounts communicated through signed contracts, not in response to unsolicited messages.

5. Avoid online exposure of sensitive data — Do not share codes or passwords in unsolicited conversations, whether by telephone or on online platforms.

6. Verify the authenticity of applications and platforms — Do not install applications or software at the request of unknown persons without verification through the firm's official channels.

7. Report fraud attempts — If you have been the victim of such an attempt, immediately contact the firm and notify the competent authorities (Romanian Police, DNSC).

8. Know the legal framework — The Romanian Criminal Code clearly sanctions such offenses through articles such as: fraud (art. 244), illegal access to a computer system (art. 360), computer fraud (art. 249), and computer forgery (art. 325), providing for penalties of up to 7 years' imprisonment.

In addition, attorneys must implement both the personal data protection measures provided for by the GDPR and cybersecurity measures, which significantly reduce the risk of such situations that cause harm to clients and, above all, to the prestige of the legal profession.