Mitigating AI Security Risks: A guide to the risks of AI and preventing a deepfake attack

What is AI and how can it be used in the legal profession?

Artificial Intelligence (AI) is transforming professional services across all sectors, with a surge of new AI tools becoming available in recent years. Widespread professional and public adoption has been driven by the increased accessibility and affordability of AI tools.

There is vast opportunity for these new AI technologies to be used within the legal sector, and it is increasingly being used for purposes such as the following:

1. Risk identification (eg automating routine compliance tasks such as money laundering checks)
2. Drafting contracts and contract review
3. E-discovery purposes
4. Client chat-bots

Implementing AI can improve efficiency and reduces costs by automating labour-intensive tasks that require minimal human oversight. AI can enhance accuracy in document review by eliminating human error. It is believed that AI is expected to broaden access to justice and address unmet legal needs. AI can also show that a firm is forward facing and allow smaller firms to handle larger caseloads, allowing firms to be competitive in the legal market.

What are the risks involved of using AI?

Whilst AI has the ability to positively impact the legal profession, its adoption introduces risks such as:

1. The potential for infringements of copyrights, trademarks, patents and related rights if tools are being trained on protected material without permission.
2. The misuse or disclosure of confidential, personal or sensitive information which can result in breaches of legislation.
3. The risk of hacking, data breaches and malicious cyber activities such as deepfakes.
4. The risk that generative AI produces misleading, inaccurate or false outputs – including “hallucination” outputs where AI produces highly plausible case law or statute law that is fabricated.
5. The risk that AI models reflect social bias in their output, resulting in output that is discriminatory or unfair.

It is important to remember that solicitors using AI remain responsible for the work carried out by them using those tools and must verify that any information or documents submitted to the court are accurate and from genuine and verifiable sources. In order to comply with the SRA code of conduct, practitioners should supervise AI usage for quality control, with improper reliance on technology violating SRA Principles to uphold the rule of law, maintain public trust, and act with integrity.

How can firms manage the risks?

Firms can manage these risks in the following ways:

1. Choose AI systems carefully to ensure that they meet the firm’s needs and familiarise themselves with the terms and conditions of use. Firms should ensure that they are clear as to when errors are the responsibility of the provider or the user.
2. Identify the risks of using AI platforms (to confidentiality, intellectual property, data protection, cyber security and ethics) and establish that insurance policies in place cover the intended use of AI.
3. Implement a clear AI policy. There is no overarching AI legislation in the UK, and the use of AI is governed by existing laws and regulations on data protection, copyright, human rights and equality. Having an AI policy helps ensure that operations are aligned with existing laws and regulators.
4. Train and supervise staff on the use of AI systems and make it clear what use is acceptable under the AI and IT policies in place. Firms should ensure that staff who are using AI understand how it operates, are using the AI tool for its intended purpose, and have established that the data being inputted into AI platforms is appropriate.
5. Have a robust process in place for reviewing AI outputs for accuracy and fact checking.
6. Ensure that staff are aware of and following the SRA code of conduct, SRA standards and regulations, and SRA principles in their use of AI.
7. Be transparent with clients about the use of AI in their cases, the expectations of the AI being used and how it operates.
8. Be aware that AI has the potential to help cyber criminals to carry out illegitimate activities. AI can be used to create highly realistic “deepfake” images and videos, which, combined with AI assisted voice imitation, can make phishing scams difficult to recognise.

Deepfakes

Deepfakes involve the use of AI to create convincing forgeries of images, videos and audio recordings. These can be indistinguishable from genuine content, making it difficult to identify whether the communication / document is real or not.

Cyber criminals may create deepfake voice or video messages or personalised emails from senior staff to deceive employees into divulging sensitive information or authorising fraudulent financial transactions. Deepfakes can transform existing content by swapping one person for another or create entirely original content where a person appears to say or do something that they did not.

Key warning signs of deepfakes include:

• Audio Issues: Odd noise distortion in the background or voice quality.
• Sync Problems: Disconnection or delay between speech and mouth movement.
• Visual Anomalies:
  • Pixelation or lack of visual clarity.
  • No blinking or unusually patterned blinking.

In the LexisNexis Cybersecurity and AI 2025 Report, 24% of legal professionals cited AI-generated threats such as deepfakes and synthetic email scans as their second biggest concern after phishing.

What are the risks / why are solicitors particularly at risk?

Although technical controls may be in place to prevent cyber-attacks, deepfakes bypass the usual technical responses by targeting human trust. Deepfake technology is also evolving at a fast rate, making it essential for businesses to continuously monitor and improve their deep-fake detection capabilities.

Law firms are particularly vulnerable to deep fake attacks as they often manage substantial sums of client money. Advances in deepfake technology are a particular threat in conveyancing and property transactions. Deepfake technology has the capability to convincingly impersonate sellers or agents, resulting in solicitors unwittingly facilitating fraudulent transactions. Additionally, the nature of conveyancing transactions provides cyber criminals with both the method for committing fraud and the means to launder stolen funds effectively.

How can firms manage the risk?

To manage the threat of deepfakes, law firms should implement a robust, multi-faceted security strategy:

• Raise Staff Awareness: Train all staff on potential deepfake threats and their warning signs.
• Strengthen Authentication: Implement measures like multi-factor authentication (MFA) and conditional access to sensitive documents.
• Adopt Defence-in-Depth: Employ multiple layers of protection across IT systems and processes.
• Establish Breach Protocols: Ensure additional safeguards and alerting mechanisms are in place for when a control is bypassed.

Audit Security Regularly: Conduct frequent assessments of security measures to confirm their effectiveness.