Phishing attacks represent an ever-increasing threat to law firms. A law firm can find itself staring down massive ransom payments to protect client data, just because someone clicked on a bogus file from an address that looked familiar.

But robust firm cybersecurity leans on two pillars: education to nurture careful and conscientious employees, and employees who are invested enough in the firm that they wouldn’t crack a smile if it burned to the ground. Sometimes these phishing tests put those two goals in conflict.

According to RollOnFriday, one firm decided to use the holiday season as a phishing test/disgruntled-employee accelerator. Browne Jacobson, a UK-based law firm with over 800 lawyers, had the bright idea, the week before Christmas, to email employees promising a £100 Christmas voucher to anyone who filled out their employee feedback survey. Clicking the link revealed — surprise! — a cybersecurity training exercise. Merry Christmas! Your reward is humiliation!

In the immortal words of Otter:

While getting hacked by teenagers sitting in a Russian government warehouse presents an exotic threat, disgruntled employees are still a more likely threat. Good job pissing everyone off! Oh, and HR must be super excited to learn that no one will ever fill out an employee survey again because IT has conditioned them to auto-delete internal communications. Discretion is the better part of valor, folks. Not every potential threat should be the basis of a test.

If the firm’s position is “we will never offer you money via email,” then say that! Blast that message every quarter. “All compensation and bonus announcements will be delivered in person or through [specific verified channel]. If you receive an email promising money, it’s a scam.” That’s actually useful guidance and builds institutional trust.

There should be no guessing. Running “gotcha” tests just poisons the well.

A spokesperson for Browne Jacobson told ROF, “We recognise that our recent cybersecurity training exercise caused concern among some colleagues, and we understand why people drew a link with our prize draw initiative from earlier in the year”.

Drew a link? This fake offer was styled to echo a real one that the firm had used before? That’s not a phishing test then! An external attacker would not know about the legitimate program; the only people who would know enough about it to use it as a ploy are already inside the firm. A lure built on insider knowledge tests whether staff trust their own employer, not whether they can spot an outside scam.

This isn’t even the first time that a firm got dragged for using false compensation promises as a phishing test. In another story that RollOnFriday broke last summer, Knights sent around an email purporting to inform staff of a salary increase, then scolded anyone who opened it for falling for the test. LOL, why would you think we’d pay your ass more money?!? And Baker McKenzie actually ran almost this exact same scam before. Last Christmas, they promised staff a voucher and, the very same day, took it away. In that case, though, the email simply promised a bonus; tying it to a feedback survey is the new twist.

You’d think firms would learn from these stories. Or at least follow the advice of their own national cybersecurity experts. The National Cyber Security Centre explicitly warns companies against running simulated phishing attacks like these. According to the NCSC, phishing simulations are of little benefit and erode institutional trust.

A source told ROF it “left staff absolutely livid”.

Well, yeah.

If you want staff to be vigilant about phishing, you need them to be on your team. You need them invested in the firm’s security because they feel like valued members of the organization. Phishing tests will always involve a little humiliation, but if a firm insists on running them, those tests have to be tempered by the need to keep folks happy. You especially cannot build a cooperative security environment while also playing Three-Card Monte with people’s livelihoods. Money around the holidays matters a lot. Yes, that’s exactly what makes these promises a more dangerous phishing risk.

But it’s also what makes punking people a more damning morale blow.

EXCLUSIVE Lawyers livid over Browne Jacobson’s Xmas phishing trap [Roll on Friday]
Joe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter or Bluesky if you’re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search.

The post Law Firm Sent Out Fake Christmas Vouchers. Staff Want To Ram Coal Up Leadership’s Chimneys. appeared first on Above the Law.