I Told Ya So! Phishing Leads to More Law Firm Cyberattacks

I’m not one to gloat. (Ok, scratch that. I am.) But I have got to say, “I told ya so,” and simultaneously beg you to test your employees for their vulnerability to phishing scams! A recent study proclaims, “91% of Cyberattacks Start with a Phishing Email.” You know what that means, right? It means that all those fancy firewalls you’ve got up to protect yourself from law firm cyberattacks will mean bupkis if you don’t also train your employees to recognize fake emails.

Here are a few excerpts from an article about the study, published in DarkReading.com:

The majority of cyberattacks begin with a user clicking on a phishing email. Ever wonder why users continue to fall for phishing emails?

According to a new report … that found that 91% of cyberattacks start with a phish, the top reasons people are duped by phishing emails are curiosity (13.7%), fear (13.4%), and urgency (13.2%), followed by reward/recognition, social, entertainment, and opportunity.

Among the study’s top findings:

  • Susceptibility to phishing email drops almost 20% after a company runs just one failed simulation. So people do learn.
  • Reporting rates significantly outweigh susceptibility rates when simple reporting is deployed to more than 80% of a company’s population, even in the first year.
  • Active reporting of phishing email threats can reduce the standard time for detection of a breach to 1.2 hours on average – a significant improvement over the current industry average of 146 days.

I encourage you to read the full article and the study. But here is my favorite take-away from the study: PEOPLE DO LEARN.

People are less likely to click on a fake email after experiencing one simulation in which they fail. (i.e., if they click on a simulated phishing email and discover that they were suckered, they are 20% less likely to do it again.) And that’s after just one simulation! Imagine if you had an ongoing phishing simulation/training program to help your employees keep their guard up!

As a partner with KnowBe4, the world’s most popular integrated security awareness training and simulated phishing platform, I can help you create compelling, fake emails, push them out to your firm, track the people who are vulnerable, and educate everyone to be more astute when they click!

Here’s how it works:

  • You become a KnowBe4 client
  • Upload your users to the system
  • Launch a baseline phishing test using any number of templates
  • Using the results from that phishing test, launch targeted trainings to help your employees be more discerning clickers
  • Every month, send out another phishing campaign
  • Track improvements down to individual users over time

This system is updated continuously with new phishing templates that you can use to phish your law firm, learning who is vulnerable to scams and who needs training.

The KnowBe4 system is simple and yet incredibly effective in helping you to build your first line of defense against cyberattackers who know that the weakest chink in your law firm security system is your employees!

Increasingly, we’re seeing the unfortunate repercussions that happen to firms that don’t get ahead of this issue on time. Most recently, we saw Chicago’s Johnson & Bell named in a class action lawsuit that claims the firm didn’t do enough to protect its clients’ confidential information.

According to American Lawyer:

The suit against the 100-plus lawyer trial firm was filed in Chicago’s federal court in April but made public on Friday following courtroom fighting over whether or not the firm had patched security holes a former client claimed existed in the firm’s time entry system, email system and virtual private network.

Brought by well-known class-action lawyer Jay Edelson, the case has been moved to arbitration, where Edelson says his firm is seeking class confirmation and will seek damages for allegations that the lax security put client information at risk. Edelson said it is the first class action against a law firm alleging inadequate data security measures.

This lawsuit seems opportunistic to me, but, bottom line, all law firms do need to build and maintain security measures that protect their clients.

If you’re curious about KnowBe4, contact me and we can run a phishing demo! I think you’ll find that the simplicity of the system, combined with the significance of the information it provides, will make it something that you want to add to your law firm security protocols.


Savvy Training & Consulting works with leading companies and technologies to deliver the most up-to-date training solutions and curricula to law firms. Savvy recently unveiled an award-winning Learning Management System (LMS) for law firms, SavvyAcademy™, which delivers scalable training capabilities, reportable data down to the individual user and 24/7 support, all for a fraction of the cost of traditional LMS services.