
CEO Impersonation, Court Filing Phishing, and Why Spring Hiring Season Opens a Window for Attackers
Spring is hiring season at law firms across Salt Lake City. New associates are joining practices fresh from law school, legal assistants are onboarding alongside firm administrators, and paralegals are learning which partner to contact for which matter. This period of transition is exciting for your legal team — and deeply attractive to cybercriminals. New attorneys and staff do not yet know what normal looks like inside your firm. They do not know which emails to question, which requests to verify, or who would realistically ask them to wire funds or share a password. That uncertainty is exactly what phishing attacks are designed to exploit.
Why New Legal Employees Are 44% More Susceptible to Phishing
Research from Keepnet (2025) found that new employees are 44% more susceptible to phishing attacks than their experienced colleagues — and that CEO impersonation attacks are 45% more effective on new hires than on tenured staff. For a law firm, those statistics translate directly into risk: a new associate who receives a message appearing to come from the managing partner asking for urgent access credentials or a wire transfer is far less equipped to recognize the fraud than someone who has worked with that partner for years.
The chaotic reality of a new employee's first weeks in a legal environment compounds the risk. Your new paralegal is absorbing new case management software, learning the firm's document naming conventions in NetDocuments, getting set up in Clio, and trying to make a good impression — all at the same time. A phishing email that arrives during that window does not look like an obvious threat. It looks like one more unfamiliar request from a person they have not yet learned to verify.
For law firms, the consequences of a successful phishing attack on a new employee go beyond financial loss. If a new associate's credentials are compromised, attackers may gain access to confidential case documents, privileged client communications, and the firm's document management systems. That is a malpractice and bar ethics exposure, not just an IT cleanup.
How Attackers Impersonate Managing Partners and Opposing Counsel
Law firms face a particularly sophisticated variant of CEO impersonation phishing: emails that appear to come from the managing partner, a senior partner, or — increasingly — opposing counsel or a court filing system. These emails are carefully crafted to match the urgency and formality of legitimate legal communications.
A new associate receiving an email that appears to come from the firm's managing partner asking them to urgently update their Clio credentials, download a court filing attachment, or process a wire transfer for a settlement is unlikely to question it. They are new. They want to be responsive. They do not yet know that the managing partner would never make that kind of request by email.
Attackers also disguise phishing as court notifications and opposing counsel communications — two categories of email that new legal staff are conditioned to treat as urgent and legitimate. A fake e-filing notification or a spoofed email from what appears to be the opposing counsel's firm can deliver malware or credential-harvesting links directly into your firm's network.
Fix #1: Configure Access Before Day One
New employees should arrive on their first day with their access already properly configured — not as a courtesy, but as a security control. When new attorneys and staff receive their credentials before their onboarding is complete, they are left to navigate system access on their own, which creates opportunities for social engineering. Attackers monitor LinkedIn and firm websites for new hire announcements and time their phishing attempts accordingly.
Qualit helps Salt Lake City law firms set up role-based access controls so new employees only have access to the systems and files relevant to their role. A new paralegal does not need access to the firm's billing system in TimeSolv on day one. A new associate does not need administrative rights in Clio. Limiting access at the start limits the blast radius of any credential compromise.
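The role-based provisioning described above can be encoded so that a new account starts with exactly its role's grants and nothing else, and so that later drift (someone handing a paralegal billing access "just for now") is caught by an audit. The following is an added illustration, not Qualit's tooling or any vendor's API; the system names, role names and permission strings are assumed for the example.

```python
# Added example (not Qualit's tooling): a minimal role-based access model for
# onboarding, with deny-by-default checks and an audit that flags grants a
# role does not justify. Systems, roles and permission names are assumed.

from dataclasses import dataclass, field

# role -> {system: set(permissions)}; anything not listed here is denied.
ROLE_GRANTS = {
    "paralegal": {
        "clio": {"read_matters", "edit_documents"},
        "netdocuments": {"read", "write"},
    },
    "associate": {
        "clio": {"read_matters", "edit_matters", "edit_documents", "time_entry"},
        "netdocuments": {"read", "write"},
    },
    "firm_admin": {
        "clio": {"read_matters", "user_admin"},
        "timesolv": {"billing_read", "billing_write"},
        "netdocuments": {"read", "write", "admin"},
    },
}


@dataclass
class Account:
    user: str
    role: str
    # grants actually provisioned on each system: {system: set(permissions)}
    provisioned: dict = field(default_factory=dict)


def grants_for_role(role):
    """Least-privilege grants for a role; an unknown role gets nothing."""
    return {system: set(perms) for system, perms in ROLE_GRANTS.get(role, {}).items()}


def provision(user, role):
    """Create an account provisioned exactly to its role (done before day one)."""
    return Account(user=user, role=role, provisioned=grants_for_role(role))


def is_allowed(account, system, permission):
    """Deny by default: only an explicitly provisioned grant succeeds."""
    return permission in account.provisioned.get(system, set())


def audit_excess(account):
    """Return (system, permission) pairs the account holds beyond its role."""
    expected = grants_for_role(account.role)
    excess = []
    for system, perms in account.provisioned.items():
        for perm in sorted(perms - expected.get(system, set())):
            excess.append((system, perm))
    return excess


if __name__ == "__main__":
    new_hire = provision("new.paralegal", "paralegal")
    print(is_allowed(new_hire, "timesolv", "billing_read"))   # False: not in role
    new_hire.provisioned["timesolv"] = {"billing_write"}       # simulated drift
    print(audit_excess(new_hire))                              # [('timesolv', 'billing_write')]
```

Running `audit_excess` over every account on a schedule turns the "limit the blast radius" principle into a recurring check rather than a one-time onboarding step.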
Fix #2: Teach New Employees What Normal Looks Like
The most effective defense against phishing is knowing what legitimate requests look like — and that knowledge only comes with time and explicit training. For new employees who do not yet have that reference point, you need to give it to them directly during onboarding.
Make it explicit: the managing partner will not email asking for credentials. The firm will not request a wire transfer by email without a phone verification step. A court e-filing system will not ask for your Clio password. Phishing emails impersonating opposing counsel will not arrive from a Gmail address. These are simple, memorable rules that dramatically reduce susceptibility — but new employees will only know them if someone tells them.
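The same rules that new hires are taught can be applied mechanically to inbound mail, so a message that breaks one of them is flagged before a person has to decide. The following is an added example written for this article, not Qualit's product or any mail gateway's rule syntax; the firm domain, partner names and the four sample messages are constructed for illustration.

```python
# Added example (not Qualit's tooling): the onboarding rules above expressed as
# checks over a message's From, Reply-To, subject and body. Firm domain,
# partner names and sample messages are constructed for illustration.

import re
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.test"                      # assumed internal domain
PARTNERS = {"Jane Doe", "John Roe"}                   # constructed partner names
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

CREDENTIAL_RE = re.compile(r"\b(password|credentials?|log ?in|verify your account|mfa code)\b", re.I)
WIRE_RE = re.compile(r"\b(wire|wiring instructions|routing number|account number|payment details)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
COURT_RE = re.compile(r"\b(e-?filing|court notice|notice of electronic filing|docket)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg):
    """Return the names of the rules a message violates (empty list = clean).

    msg is a dict with 'from', 'reply_to' (may be empty), 'subject', 'body'.
    """
    name, addr = parseaddr(msg.get("from", ""))
    sender_dom = _domain(addr)
    _, reply_addr = parseaddr(msg.get("reply_to", "") or "")
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    flags = []

    # Rule: a partner's display name on an external address is spoofing.
    if name.strip() in PARTNERS and sender_dom != FIRM_DOMAIN:
        flags.append("partner_name_external_address")
    # Rule: replies quietly redirected to a different domain.
    if reply_addr and _domain(reply_addr) != sender_dom:
        flags.append("reply_to_mismatch")
    # Rule: nobody at the firm, and no court system, asks for credentials by email.
    if CREDENTIAL_RE.search(text):
        flags.append("credential_request")
    # Rule: wire changes need phone verification; urgency plus wire detail is the BEC pattern.
    if WIRE_RE.search(text) and URGENCY_RE.search(text):
        flags.append("urgent_wire_request")
    # Rule: opposing counsel and courts do not write from free webmail.
    if sender_dom in WEBMAIL_DOMAINS and (COURT_RE.search(text) or "counsel" in text.lower()):
        flags.append("webmail_counsel_or_court")
    return flags


# Constructed sample messages covering each rule plus one legitimate message.
SAMPLES = {
    "spoofed_partner": {
        "from": "Jane Doe <jane.doe@gmail.com>", "reply_to": "",
        "subject": "Urgent - need your Clio login",
        "body": "Please send me your Clio password right away so I can pull the settlement file.",
    },
    "bec_wire_change": {
        "from": "Closing Coordinator <closing@title-co.test>",
        "reply_to": "closing.coordinator@outlook.com",
        "subject": "Updated wiring instructions for closing today",
        "body": "The seller's account number changed. Please wire to the new details below immediately.",
    },
    "fake_court_notice": {
        "from": "District Court E-Filing <notices@yahoo.com>", "reply_to": "",
        "subject": "Notice of Electronic Filing - action required",
        "body": "A document has been filed in your case. Log in to view the docket.",
    },
    "legitimate_partner": {
        "from": "Jane Doe <jane.doe@examplefirm.test>", "reply_to": "",
        "subject": "Smith matter - draft motion",
        "body": "Please review the attached draft and add your comments in NetDocuments by Friday.",
    },
}


def run_samples():
    """Triage every constructed sample; returns {sample_name: [flags]}."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name}: {flags or 'no flags'}")
```

The flags map one-to-one onto the sentences a new hire is taught, which makes the rule set easy to explain when a message is quarantined and easy to extend when the firm adds a new verification rule.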
Supplement this with a brief simulated phishing test during the first 30 days. Sending a controlled, benign phishing simulation to a new employee in their first month — and providing immediate coaching when they click — is one of the most effective ways to build lasting security awareness before a real attack arrives.
Fix #3: Give New Employees a Point of Contact for Security Questions
One of the most powerful things a law firm can do to reduce phishing risk is designate a clear, accessible contact for security questions — and make sure every new employee knows about that person on day one. When a new associate receives a suspicious email and knows exactly who to call to verify it, they are far less likely to click.
Without a designated contact, new employees default to their best judgment — and their best judgment is compromised by the anxiety of being new. They do not want to bother the managing partner with what might be a silly question. They do not want to seem incompetent. So they click, and they do not tell anyone. A trusted point of contact removes that barrier.
The Wire Fraud Risk for Law Firms
Law firms are among the most targeted organizations for wire fraud and business email compromise (BEC) attacks. Attackers know that law firms handle large transactions — settlements, real estate closings, trust fund distributions — and they specifically target new or junior staff who may not have established verification protocols for wire transfer requests.
A new staff member who receives an email appearing to come from a senior partner or a client requesting an urgent wire transfer change is exactly the target these attackers are looking for. Firms that handle real estate transactions, litigation settlements, or trust accounts are especially exposed. The financial losses from law firm BEC attacks regularly reach six and seven figures.
What Your Law Firm Should Do This Spring
- Add a phishing awareness module to every new employee's onboarding — specific to legal industry threats
- Define and document what legitimate requests look like (no credential requests by email, no wire changes without phone verification)
- Configure role-based access in Clio, NetDocuments, and other platforms before new hires' first day
- Designate a security point of contact and introduce that person to every new hire
- Run a simulated phishing test for new employees in their first 30 days
- Brief your attorneys and staff on phishing disguised as court filing notices or opposing counsel communications
Qualit works with Salt Lake City law firms to protect client confidentiality and meet bar association IT requirements. Schedule a free discovery call to learn how we can help protect your new hires and your firm.
Frequently Asked Questions
Q: Are law firms specifically targeted for phishing, or are we just general targets?
Law firms are specifically targeted — and at a higher rate than many other industries. The combination of large financial transactions, privileged confidential information, and the trust clients place in legal communications makes law firms an attractive and profitable target. Wire fraud attacks on law firms handling real estate closings and settlements are well-documented. Attackers also know that legal communications carry urgency and authority, making impersonation attacks more effective.
Q: Does our bar malpractice insurance cover losses from a phishing attack?
Standard legal malpractice insurance may or may not cover cyber incidents — it depends heavily on your specific policy. Many firms carry separate cyber liability insurance that covers costs associated with data breaches, ransomware payments, and business email compromise losses. If you are unsure what your current coverage includes, reviewing your policy with your insurer and adding dedicated cyber coverage is strongly recommended. Having robust security practices in place — including phishing training and MFA — also affects your insurability and premium rates.
Q: How should we handle it if a new employee clicks a phishing link?
Act immediately but without blame. Disconnect the affected device from the network, change the compromised credentials, and engage your IT provider to assess whether malware was installed or data was accessed. If client data may have been exposed, consult your bar association about notification obligations and notify your malpractice and cyber insurers. Then conduct a post-incident review focused on improving your processes — not on punishing the employee. New hire phishing susceptibility is a systemic risk, not an individual failure.

