Back to news
Cybersecurity Alert
May 27, 2026 by EmailMeNow IT Consulting

Cybersecurity Audit Reveals Wide Gap Among Top Texas Law Firms in 2026

Independent audits of major Texas law firms show significant variation in cybersecurity scores. Norton Rose Fulbright leads at 70%, while several prestigious firms score below 50%.

Law FirmsEmail SecurityCybersecurityTexasSB 2610
Digital audit dashboard showing cybersecurity scores of major Texas law firms

Video explainer

An independent cybersecurity review across many of Texas’s top law firms reveals a wide range of results. While some firms demonstrate relatively strong controls, others — including several highly prestigious names — show significant vulnerabilities.

Using data from audit.emailmenow.com, we evaluated the email and domain security posture of leading Texas firms across categories such as SPF, DKIM, DMARC, transport security, and website security headers.

Cybersecurity Scores of Major Texas Law Firms

RankLaw FirmOverall ScoreWebsite ScorePerformance
1Norton Rose Fulbright70%45%Good
2Latham & Watkins64%45%Above Average
3Locke Lord64%45%Above Average
4Winstead64%45%Above Average
5Susman Godfrey61%45%Above Average
6Haynes and Boone60%45%Above Average
7Porter Hedges58%45%Average
8Sidley Austin54%45%Average
9Skadden54%45%Average
10Jones Walker54%45%Average
11Baker Botts50%45%Average
12Bracewell50%45%Average
13Jackson Walker48%45%Below Average
14Gibson, Dunn & Crutcher44%45%Below Average
15Vinson & Elkins39%45%Weak

Website Security Scores

Scores ranged from 45% to 45%; 0 of 15 reached the 100% ideal and 15 scored below 60%.

RankLaw FirmDomainWebsite ScoreRating
1Norton Rose Fulbrightnortonrosefulbright.com45%Below Average
1Latham & Watkinslw.com45%Below Average
1Locke Lordlockelord.com45%Below Average
1Winsteadwinstead.com45%Below Average
1Susman Godfreysusmangodfrey.com45%Below Average
1Haynes and Boonehaynesboone.com45%Below Average
1Porter Hedgesporterhedges.com45%Below Average
1Sidley Austinsidley.com45%Below Average
1Skaddenskadden.com45%Below Average
1Jones Walkerjoneswalker.com45%Below Average
1Baker Bottsbakerbotts.com45%Below Average
1Bracewellbracewell.com45%Below Average
1Jackson Walkerjw.com45%Below Average
1Gibson, Dunn & Crutchergibsondunn.com45%Below Average
1Vinson & Elkinsvelaw.com45%Below Average

Key Findings

  • Best Performer: Norton Rose Fulbright leads with a solid 70% score.
  • Lowest Performer: Vinson & Elkins scored the lowest at 39%, indicating significant gaps in email authentication and security controls.
  • Many nationally prestigious firms (including several Vault-ranked elite firms) are scoring in the low-to-mid 50s, which is concerning given the sensitive nature of their work.
  • Common weaknesses across lower-scoring firms include weak DMARC policies, missing or misconfigured MTA-STS, and insufficient website security headers.

Attack exposure in this audit

Domains scoring near 45% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific organizations, entities in that tier are disproportionately exposed to:

  • Trust-account fraud — spoofed firm mail used to redirect IOLTA wires, settlement disbursements, and retainer payments.
  • Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires and ACH payments.
  • Brand impersonation phishing — fake billing, HR, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
  • Credential harvesting — login pages linked from forged @company.com mail aimed at employees, contractors, and customers.
  • Invoice and procurement fraud — altered payment instructions sent to finance teams and partners who trust the corporate domain.
  • Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
  • Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
  • Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
  • Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.

These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.

Real attacks, told as stories

The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No Texas law firm is named. Each story shows how weak domain settings can hurt real people — customers, partners, and staff who work with Texas law firms.


Story 1: Maria and the payment that was not real

Illustration: law firm bookkeeper reviewing a spoofed trust-account change

Maria works in a bookkeeper at Cole & Hart LLP, a mid-size firm that wires client trust funds weekly.

On a Tuesday morning, she gets an email that looks normal:

From: accounts-payable@bigbrand.com
Subject: Updated trust account for settlement disbursement

The logo looks right. The tone sounds like past trust-account notices. A PDF lists a new routing number.

Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.

She approves a $284,000 wire. The money goes to the attacker, not the real company.

The next day, the same fake sender emails two more partners Maria knows from bar association events. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main organization’s name.

Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)

Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.


Story 2: Jordan clicks “reset password”

Illustration: paralegal facing a fake firm intranet reset email

Jordan is a paralegal at an AmLaw 100 firm. On Wednesday at 2 p.m., his phone buzzes:

From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access

Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.

The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.

This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.

That night, the attacker signs into Jordan’s mailbox and reads old threads about a settlement wire to a client. On Thursday, they email the CFO’s assistant:

From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow

That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.

Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)

Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.


Story 3: The contract email no one knew could be copied

Illustration: settlement term sheet exposed on an unencrypted mail path

Priya is a partner emailing privileged acquisition terms. She emails a settlement term sheet to an inbox at @bigbrand.com. The send button works. Her screen says Delivered.

What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, the recipient’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.

This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your organization.

Priya’s managing partner’s office sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, opposing counsel seems to know the settlement floor early. The leak might have started on the wire, not in someone’s inbox.

Attack vector in this story: inbound mail downgrade (no MTA-STS)

Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.


Story 4: Alex applies for a job online

Illustration: client caught on a fake law firm extranet login

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Client extranet — upload discovery documents.

The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.

He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers, missing strong HSTS, CSP, and frame blocking.

Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.

No phishing email was needed. The attack lived on the website, not in the inbox.

Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)

Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.


How the stories connect

All four stories can hit one organization with a weak audit score (near 45%):

StoryWho got hurtMain gap
Maria (partner)Outside partnersFake mail from your domain
Jordan (employee)Inside staffFake password-reset mail
Priya (professional)Confidential data in transitIncoming mail not forced to stay encrypted
Alex (visitor)Website visitorsLogin page can be framed by attackers

Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).

Why This Matters

Even top-tier law firms with excellent legal reputations can be vulnerable to Business Email Compromise, domain spoofing, and phishing attacks if their email infrastructure is not properly secured. These weaknesses can expose client data and create professional liability risks under TDRPC 1.05 and SB 2610.

See also — national audit

Recommendations

Law firms should prioritize:

  • Implementing a strict DMARC policy (p=reject)
  • Enabling MTA-STS and proper TLS reporting
  • Regularly auditing email security configurations
  • Conducting ongoing security awareness training for staff

Protect your firm.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com to see your firm’s current score and get specific recommendations.

Contact EmailMeNow IT Consulting for help improving your email security and overall compliance posture.


Prestige does not equal strong cybersecurity. Many of Texas’s most respected law firms still have meaningful work to do to protect client information.