The Problem With “Check the Box” Phishing Training

A paralegal at a mid-size firm gets an email that looks like it’s from opposing counsel on an active matter. The sender’s name is right, the case reference is right, and the ask is urgent. She clicks. Your phishing simulation vendor never sent anything like that—and your annual click-rate report won’t tell you why she was unprepared.

Most small law firms run phishing simulations once or twice a year. The IT vendor or managed security provider sends a fake phishing email, tallies up who clicked, fires off a remedial training module to the offenders, and delivers a report showing improvement. Done. Compliance box checked.

The problem is that none of that actually changes behavior in a lasting way.

Research consistently shows that click rates drop immediately after a simulated phishing campaign—then quietly creep back up within weeks. The training moment and the real-world moment never overlap. Staff who “passed” the simulation in March have no reliable framework for evaluating a suspicious email in October, especially one they weren’t expecting to look like a phishing attempt.

There’s also a deeper issue specific to how law firms communicate. Your staff handles sensitive, time-pressured correspondence every day. They’re trained to respond quickly and professionally to clients, opposing counsel, and court notices. That instinct—respond fast, don’t delay—is exactly what a sophisticated attacker exploits. The urgency isn’t a weakness in the attack. It’s the entire strategy.

When phishing training doesn’t account for that psychological context, it doesn’t prepare your staff for real threats. It prepares them for a test.

Why This Matters for Law Firms Specifically

Law firms aren’t generic targets. They’re high-value targets—and attackers know it.

Your firm holds privileged communications, settlement terms, merger details, client financial information, and the kind of matter-specific intelligence that makes spear-phishing incredibly effective. Spear-phishing isn’t the mass-blast “Nigerian prince” email. It’s a carefully crafted message that references a real client name, a real opposing counsel, a real case number—and asks for something plausible in that context.

From a regulatory standpoint, the American Bar Association’s Model Rules of Professional Conduct Rule 1.6 requires attorneys to make reasonable efforts to prevent unauthorized disclosure of client information. State bars in California and across the country have issued formal ethics opinions making clear that “reasonable efforts” includes maintaining basic cybersecurity safeguards—and that a data breach caused by employee negligence can constitute an ethics violation.

California firms also operate under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which impose breach notification obligations and potential financial penalties when personal information is exposed. If a phishing attack leads to unauthorized access to client records, your firm isn’t just dealing with a technology problem. You’re managing an ethics investigation, a regulatory notification, and a potential malpractice claim all at once.

Annual simulations don’t reduce that exposure meaningfully. A real security awareness culture does.

How to Build Phishing Training That Actually Works

Reframe the goal. You’re not trying to catch people clicking. You’re trying to build a firm where people pause, evaluate, and report—automatically and without hesitation.

Run simulations more frequently, but vary them intelligently. Monthly simulations beat annual ones because repetition builds the pause reflex. More importantly, vary the scenarios. Include simulations that mimic legal-context attacks: fake opposing counsel emails, spoofed court notices, fraudulent wire transfer requests that reference active matters.

Replace failure notifications with just-in-time training. When someone clicks a simulated phishing link, what they see next matters enormously. A generic “You failed. Complete this training module” message creates shame and disengagement. Instead, immediately show them—in that exact moment—what the red flags were in the email they just fell for. Specific. Visual. Tied to that exact scenario. Research on just-in-time training shows it’s substantially more effective than delayed remediation modules.

Build a firm-specific “when in doubt” playbook. Your staff shouldn’t have to think through a decision tree when staring at a suspicious email. They should have one clear, simple answer: forward it to [name/address], don’t click anything, and you’ll hear back within [timeframe]. That’s it. Post it. Repeat it. Make it easy to do the right thing.

Track reporting rates, not just click rates. Click rate is a lagging indicator of failure. Reporting rate—how often staff flag suspicious emails before acting on them—is a leading indicator of a healthy security culture. If your program doesn’t measure and reward that behavior, it’s measuring the wrong thing.
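To make the reporting-rate point concrete, here is an added example (not code from the original article or from any vendor it mentions) that scores simulation campaigns on the behaviors the text cares about. It reads a small event log, constructed here for illustration, with one line per recipient action (sent, clicked, reported), and computes per campaign the click rate, the reporting rate, the share of staff who reported without clicking first (the "pause reflex"), and the median minutes from delivery to report. It also flags any campaign where click rate rose or reporting rate fell versus the previous one, which is how the "drops, then quietly creeps back up" pattern shows up in the numbers. The log format and field names are assumptions; adapt the parser to whatever your simulation platform exports.

```python
"""Per-campaign phishing-simulation metrics, with reporting as the leading indicator."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real campaign data), one line per user action.
# Fields: campaign, user, event, ISO-8601 timestamp. A 'sent' line exists for every recipient.
SAMPLE_EVENTS = """\
2024-03,alice,sent,2024-03-04T09:00:00
2024-03,alice,clicked,2024-03-04T09:06:00
2024-03,bob,sent,2024-03-04T09:00:00
2024-03,bob,reported,2024-03-04T09:20:00
2024-03,carol,sent,2024-03-04T09:00:00
2024-03,carol,clicked,2024-03-04T09:03:00
2024-03,carol,reported,2024-03-04T09:10:00
2024-03,dave,sent,2024-03-04T09:00:00
2024-04,alice,sent,2024-04-02T10:00:00
2024-04,alice,reported,2024-04-02T10:04:00
2024-04,bob,sent,2024-04-02T10:00:00
2024-04,bob,reported,2024-04-02T10:30:00
2024-04,carol,sent,2024-04-02T10:00:00
2024-04,dave,sent,2024-04-02T10:00:00
2024-04,dave,clicked,2024-04-02T10:15:00
2024-05,alice,sent,2024-05-06T08:30:00
2024-05,alice,clicked,2024-05-06T08:41:00
2024-05,bob,sent,2024-05-06T08:30:00
2024-05,bob,reported,2024-05-06T08:42:00
2024-05,carol,sent,2024-05-06T08:30:00
2024-05,carol,clicked,2024-05-06T08:35:00
2024-05,dave,sent,2024-05-06T08:30:00
"""

EVENTS = ('sent', 'clicked', 'reported')


def parse_events(text):
    """Build {campaign: {user: {'sent': dt|None, 'clicked': dt|None, 'reported': dt|None}}}.
    The earliest timestamp per event type per user is kept; later duplicates are ignored."""
    campaigns = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        campaign, user, event, ts = line.split(',')
        if event not in EVENTS:
            raise ValueError(f'unknown event {event!r}')
        rec = campaigns[campaign].setdefault(user, dict.fromkeys(EVENTS))
        when = datetime.fromisoformat(ts)
        if rec[event] is None or when < rec[event]:
            rec[event] = when
    return campaigns


def campaign_metrics(users):
    """Compute rates for one campaign from its per-user records."""
    recipients = [r for r in users.values() if r['sent'] is not None]
    n = len(recipients)
    clicked = [r for r in recipients if r['clicked'] is not None]
    reported = [r for r in recipients if r['reported'] is not None]
    # Leading indicator: reported without clicking at all, or reported before clicking.
    paused = [r for r in reported if r['clicked'] is None or r['reported'] < r['clicked']]
    minutes = [(r['reported'] - r['sent']).total_seconds() / 60 for r in reported]
    return {
        'recipients': n,
        'click_rate': len(clicked) / n if n else 0.0,
        'report_rate': len(reported) / n if n else 0.0,
        'report_before_click_rate': len(paused) / n if n else 0.0,
        'median_minutes_to_report': median(minutes) if minutes else None,
    }


def metrics_by_campaign(text):
    """Metrics for every campaign in the log, ordered by campaign name."""
    return {c: campaign_metrics(u) for c, u in sorted(parse_events(text).items())}


def regressions(results):
    """Campaigns whose click rate rose or report rate fell versus the previous campaign."""
    flagged, prev = [], None
    for name, m in results.items():
        if prev and (m['click_rate'] > prev['click_rate'] or m['report_rate'] < prev['report_rate']):
            flagged.append(name)
        prev = m
    return flagged


if __name__ == '__main__':
    results = metrics_by_campaign(SAMPLE_EVENTS)
    for name, m in results.items():
        print(name, m)
    print('regressions:', regressions(results))
```

On the constructed data the May campaign is flagged: clicks rose from 25% to 50% and reports fell from 50% to 25%, while the March click rate alone would have looked like progress. The report-before-click rate is the number worth putting in front of leadership, because it measures the pause the text is trying to build rather than the failure it is trying to avoid.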

Leadership has to model it visibly. When the managing partner forwards a suspicious email to the IT team and mentions it at the next firm meeting, that action is worth more than any training module. Security culture flows from the top. If leadership treats it as an IT problem instead of a firm-wide responsibility, staff will follow that lead.

What to Look for in an IT Partner

If you’re evaluating a managed IT provider or security awareness vendor, ask these specific questions:

  • Do your phishing simulations include legal-context scenarios, or are they generic templates?
  • What does a staff member see immediately after clicking a simulated link?
  • How do you measure reporting rates alongside click rates?
  • Can you help us build a firm-specific incident response playbook for staff—not just a technical one for IT?
  • How do you involve firm leadership in the program, not just staff?

A provider who answers with specifics—not generalities—understands that phishing training for law firms is a behavioral and cultural problem, not just a technology one. Be cautious of any vendor who leads with click-rate reduction as the primary metric of success.

The Bottom Line

Phishing simulations are a useful tool. They’re not a program. Law firms face targeted, context-aware attacks that generic annual tests don’t prepare staff for. Effective security awareness combines frequent, realistic simulations with just-in-time training, a clear reporting playbook, and visible leadership behavior. That combination builds the pause reflex that actually keeps your firm—and your clients—protected.

Frequently Asked Questions

How often should a law firm run phishing simulations?

Most security frameworks recommend monthly phishing simulations rather than the annual or semi-annual cadence many small firms follow. More frequent exposure builds the habit of pausing to evaluate suspicious emails, which is the real behavioral outcome that matters. The scenarios should rotate to reflect realistic threats, including legal-context attacks, not just generic credential-harvesting templates.

What is just-in-time phishing training and does it actually work?

Just-in-time training is immediate, in-the-moment feedback delivered the instant a user clicks a simulated phishing link—before they’re redirected away from the scenario. Rather than assigning a separate training module days later, it shows the user exactly which red flags they missed in real time. Studies published in peer-reviewed security journals have found just-in-time interventions more effective at reducing future click rates than delayed remediation training.

Can a phishing attack create an ethics violation for a law firm?

Yes. State bar associations, including California’s, have issued guidance making clear that attorneys have an ethical duty under Rule 1.6 of the Model Rules of Professional Conduct to protect client confidences using reasonable security measures. If a phishing attack leads to unauthorized disclosure of client information and the firm had inadequate training or safeguards in place, that failure can be the basis for a disciplinary complaint, in addition to regulatory and civil liability.

What’s the difference between phishing and spear-phishing, and why does it matter for law firms?

Phishing refers to mass, untargeted email attacks designed to trick a broad audience. Spear-phishing is targeted—attackers research a specific individual or organization and craft messages that reference real names, matters, or relationships to appear credible. Law firms are particularly vulnerable to spear-phishing because their matter information, client names, and opposing counsel relationships are often discoverable through court filings, bar directories, and professional profiles. That’s why generic phishing simulations frequently fail to prepare legal staff for the actual attacks they’ll receive.


If you’re working through phishing training challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.