
Reducing Phishing Risk in the Legal Sector 

  • nicolaferraritest
  • Jul 3
  • 2 min read

The Challenge 


A leading UK law firm requested support from Avella after experiencing a targeted Business Email Compromise (BEC) attempt. While their technical infrastructure was strong, the incident made it clear that their most pressing vulnerability was human - there were clear improvements to be made in staff awareness of the phishing threat. Senior leadership acknowledged that behavioural change was necessary, and that a proactive, long-term strategy was needed to reduce risk. 


Our Approach 


To address this challenge, Avella delivered a 12-month managed phishing and awareness programme, tailored specifically to the firm’s workforce and most prevalent threats. The programme followed our proven six-stage methodology: 


Stage 1 – Identify users across the organisation most likely to be targeted 

Stage 2 – Design campaigns aligned to relevant phishing themes and threat types 

Stage 3 – Deliver simulations through realistic and evolving phishing emails 

Stage 4 – Analyse results to track progress and identify behaviour gaps 

Stage 5 – Deliver learning via interactive, engaging content in multiple formats 

Stage 6 – Improve continuously, adjusting based on results and user feedback 


We developed a targeted awareness strategy, blending simulated phishing emails with engaging educational content. Our specialists ran ongoing simulations, analysed the results, and used these insights to adapt the programme in real time. Learning was delivered in multiple formats to cater to different roles and learning preferences, while regular cyber briefings reinforced key messages throughout the year. 


The Solution  


The programme began with a baseline phishing assessment, which revealed that 54% of users failed to recognise a phishing attempt. Over the following months, the firm participated in a series of simulated campaigns, including six general phishing scenarios and six spear-phishing tests crafted to reflect more personalised attacks. 

To complement the simulations, we rolled out a variety of learning resources including just-in-time training, short videos, animations, and interactive games - all designed to make security awareness accessible and memorable. Live cyber briefings saw participation from more than 90% of staff, and on-demand content was made available for onboarding new joiners and reinforcing learning when needed. 


The Results 


By the end of the 12-month programme, the firm had reduced its phishing susceptibility from 54% to just 3%. Engagement was high across all levels of the organisation, from legal support staff to senior partners. The programme not only raised awareness but also contributed to a meaningful shift in culture, where security became a shared responsibility. Based on the results and positive internal feedback, the firm extended the programme for a second year. 


Why It Worked 


Success was driven by a combination of realistic simulations, relevant and engaging content, and consistent reinforcement. Tailored materials ensured the learning was not only understood but retained, while visible support from leadership helped normalise security-conscious behaviour across the business. This approach proved highly effective in building a human firewall - an essential line of defence in today’s threat landscape. 


Looking to reduce phishing risk in your own firm? Talk to us about how we can help build lasting cyber resilience through people-first strategies.

