Phishing – It’s Only a Matter of Time. Are Your Staff Aware?

Creating awareness among employees about the damage a successful phishing attack can cause is the key to a law firm’s cyber resilience.

Phishing emails remain a primary weapon of the cyber-attacker, whose techniques are constantly evolving to prey on human fallibility and circumvent technical controls in an attempt to compromise a law firm’s network or to make financial gain. And, as Verizon’s Data Breach Report 2018 found, 90% of all successful cyber-attacks succeed because of human error.

All employees need to know the tell-tale signs of a phishing attack and law firms should undertake continual awareness training to equip employees with the right knowledge, skills and understanding they need. Essentially, the once-a-year refresher training for compliance is not nearly enough to ensure cyber resilience in the long term.

The fact is that phishing attacks don’t discriminate among employees. Whether a trainee or Managing Partner, you are susceptible to the latest attack if you succumb to an email that entices you to click on a malicious link or to a disguised invitation to give away crucial information.

However, with regular cyber security awareness training, it’s easier to identify the rogue emails which can have such damaging personal and organisational consequences. This helps employees identify the different phishing attack techniques, which range from a generic email sent to a mass distribution list with malicious links, to the more sophisticated socially engineered email that personally targets groups or individuals and persuades them to take a specific action or to divulge sensitive information.

Careful targeting, known as ‘Business Email Compromise (BEC)’, is becoming a more prevalent phishing attack where, for example, the attacker masquerades as a senior partner in the firm asking a fellow partner to transfer money or pay a fictitious invoice.
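As an added illustration (not the article’s or BLOCKPHISH’s own tooling), here is a small Python check that a mail gateway or mailbox rule could apply to flag the partner-impersonation pattern just described: a message whose display name matches a member of staff but whose address is external, a look-alike sender domain, a Reply-To pointing elsewhere, and payment-pressure wording in the subject. The firm domain, the staff directory and the two sample messages are all constructed for this example.

```python
# Added example (not from the article or BLOCKPHISH): heuristic checks for
# display-name impersonation used in Business Email Compromise. The firm
# domain, staff directory and sample messages below are all constructed.
from email import message_from_string
from email.utils import parseaddr

# Constructed: the firm's own domain and the names of its partners.
FIRM_DOMAIN = "example-law-firm.test"
STAFF_DIRECTORY = {"jane partner", "john senior"}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (typo-squatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like partner impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []

    # 1. Display name belongs to one of our partners but the address is external.
    if name.strip().lower() in STAFF_DIRECTORY and from_domain != FIRM_DOMAIN:
        reasons.append(f"display name '{name}' is internal staff but sender domain is {from_domain}")

    # 2. Sender domain is a near-miss of the firm's own domain.
    if from_domain != FIRM_DOMAIN and 0 < _edit_distance(from_domain, FIRM_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_domain} resembles {FIRM_DOMAIN}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 4. Payment-pressure wording in the subject, a common BEC lure.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in ("urgent", "wire", "transfer", "invoice")):
        reasons.append("subject contains payment-pressure wording")
    return reasons


# Constructed sample: an external mailbox borrowing a partner's display name.
SUSPECT_MESSAGE = """\
From: Jane Partner <jane.partner@example-law-flrm.test>
Reply-To: accounts@mail.test
To: john.senior@example-law-firm.test
Subject: Urgent wire transfer before close of business

Please transfer the funds to the account below today.
"""

# Constructed sample: a genuine internal message.
GENUINE_MESSAGE = """\
From: Jane Partner <jane.partner@example-law-firm.test>
To: john.senior@example-law-firm.test
Subject: Agenda for Monday

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, bec_indicators(raw))
```

None of these indicators is proof on its own; the value is in surfacing the message for a second look, which is exactly the habit awareness training tries to build. In practice such a rule would sit alongside SPF/DKIM/DMARC checks on the sending domain and an out-of-band confirmation step for any payment request.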

This actually happened to a US-based law firm in late 2017[1]. A partner at O’Neill, Bragg & Staffin authorised a payment of $580,000 to a fraudulent account as a result of a Spear Phishing attack. He received an email purporting to be from a fellow partner requesting the transfer and therefore authorised the transaction. It was later discovered that the request had not been sent by a legitimate partner, but rather by an attacker who was targeting the firm. At the time it filed its complaint, the firm had only recovered 10% of the money it had wired.

This illustrates just how easy it is to become a victim of these attacks, particularly as cyber criminals can give such an air of legitimacy to their requests, as well as the implications for the firm. This means that ensuring employees remain vigilant at all times is a vital business need, and an approach that should be led by the partnership.

Your employees need to receive continuous help and advice, and this can be more effective if the cyber security awareness training programme is relevant to their personal as well as their professional life. By showing them how they can be an unwitting victim of phishing through their own Facebook or Instagram accounts, it will undoubtedly give them the confidence to transfer that knowledge and understanding to their work environment.

This is not the only way to engage with them and maintain interest, however. Other techniques, such as gamification with leader boards, competitions and “lunch and learns”, also help to reinforce cyber resilient behaviours. Equally, the BLOCKPHISH programme provides an excellent guide to understanding how employees can be empowered in keeping networks and information safe.

The important thing is to use a combination of approaches which, over time, will maintain a culture of awareness and vigilance, help to thwart a potential phishing attack and protect your most critical information.

Daryl Flack

CIO and co-founder of BLOCKPHISH


BLOCKPHISH provides law firms with the ability to improve their resilience against phishing attacks. We deliver simulated phishing emails and awareness learning to your staff, specifically tailored to emulate real-world cyber threats. BLOCKPHISH aims to improve recognition and understanding of these threats, and reduce the possibility that a phishing email will compromise your security or lead to a sophisticated cyber-attack.


We provide a vast and broad cyber consulting capability to ensure your firm receives the guidance and expertise it requires to strengthen its defences against cyber-attacks.

  • Support the creation and realisation of an appropriate cyber strategy, from managed Security Operations Centres (SOCs) to the delivery of managed ethical phishing campaigns.
  • Help you to understand the cyber risks your firm faces and identify, establish and operate a robust and pragmatic governance and management system to address those risks.
  • Assess your people, process and technology solutions and deliver a remediation and improvement plan to mitigate any vulnerabilities.
  • Provide first responder capability in the event of a cyber incident to stem the impact of an attack, restore services or data quickly and prevent repeat occurrences.
  • Embed cyber aware behaviours within your firm’s culture to reduce your vulnerability to cyber-attacks.
  • Deliver cyber simulations and incident and crisis simulations for key staff to ensure your firm is best prepared to respond effectively in the event of a cyber breach.
  • Provide training and professional development for your security professionals.
  • Assess and support you in your journey to comply with the EU’s General Data Protection Regulation (GDPR) and ensure you avoid the high penalties (4% of global revenues) for non-compliance.
  • Our certified consultants deliver assessment services including Cyber Security Risk Assessment, Cyber Security Strategy & Architecture, Cyber Essentials, PCI DSS, ISO27001, UK DPA and other internationally recognised standards.
