{"id":142001,"date":"2026-01-16T15:47:52","date_gmt":"2026-01-16T23:47:52","guid":{"rendered":"https:\/\/xira.com\/p\/2026\/01\/16\/law-firm-sent-out-fake-christmas-vouchers-staff-want-to-ram-coal-up-leaderships-chimneys\/"},"modified":"2026-01-16T15:47:52","modified_gmt":"2026-01-16T23:47:52","slug":"law-firm-sent-out-fake-christmas-vouchers-staff-want-to-ram-coal-up-leaderships-chimneys","status":"publish","type":"post","link":"https:\/\/xira.com\/p\/2026\/01\/16\/law-firm-sent-out-fake-christmas-vouchers-staff-want-to-ram-coal-up-leaderships-chimneys\/","title":{"rendered":"Law Firm Sent Out Fake Christmas Vouchers. Staff Want To Ram Coal Up Leadership\u2019s Chimneys."},"content":{"rendered":"

Phishing attacks represent an ever-increasing threat to law firms. A law firms can find itself staring down massive ransom payments<\/a> to protect client data, just because someone clicked on a bogus file from an address that looked familiar.<\/p>\n

But robust firm cybersecurity leans on two pillars: education to nurture careful and conscientious employees, and employees who wouldn\u2019t crack a smile if the firm burned to the ground. Sometimes these pfishing tests put those goals in conflict.<\/p>\n

According to RollOnFriday<\/a>, one firm decided to use the holiday season in a pfishing test\/disgruntled employee accelerator. Browne Jacobson<\/a>, a UK-based law firm with over 800 lawyers, had the bright idea, the week before Christmas, to email employees promising a \u00a3100 Christmas voucher to anyone who filled out their employee feedback survey. Clicking the link revealed \u2014 surprise! \u2014 a cybersecurity training exercise. Merry Christmas! Your reward is humiliation!<\/p>\n

In the immortal words of Otter:<\/p>\n

\"\"
<\/figcaption><\/figure>\n

While getting hacked by teenagers sitting in a Russian government warehouse presents an exotic threat, disgruntled employees are still a more likely threat. Good job pissing everyone off! Oh, and HR must be super<\/em> excited to learn that no one will ever fill out an employee survey again because IT has conditioned them to auto-delete internal communications. Discretion is the better part of valor, folks. Not every potential threat should be the basis of a test. <\/p>\n

If the firm\u2019s position is \u201cwe will never offer you money via email,\u201d then say that! Blast that message every quarter. \u201cAll compensation and bonus announcements will be delivered in person or through [specific verified channel]. If you receive an email promising money, it\u2019s a scam.\u201d That\u2019s actually useful guidance and builds institutional trust.<\/p>\n

There should be no guessing. Running \u201cgotcha\u201d tests just poisons the well.<\/p>\n

\n

A spokesperson for Browne Jacobson told ROF, \u201cWe recognise that our recent cybersecurity training exercise caused concern among some colleagues, and we understand why people drew a link with our prize draw initiative from earlier in the year\u201d.<\/p>\n<\/blockquote>\n

Drew a link? This fake offer was styled to echo a real one<\/em> that the firm used before? That\u2019s not a pfishing test then! The only people who would know enough about the legitimate<\/em> program to use it as a ploy would be people inside the firm anyway. <\/p>\n

This isn\u2019t even the first time that a firm got dragged for using false compensation promises as a pfishing test<\/a>. In another story that RollOnFriday broke last summer<\/a>, Knights sent around an email purporting to inform them of a salary increase and scolding anyone who opened it for falling for the test. LOL, why would you think we\u2019d pay your ass more money?!?<\/em> And Baker McKenzie actually ran almost this exact<\/em> same scam before<\/a>. Last Christmas, they gave staff a voucher promise, but the very same day, they took it away. But in that case, it just promised a bonus, tying it to a feedback survey is the new twist.<\/p>\n

You\u2019d think firms would learn from these stories. Or at least follow the advice of their own national cybersecurity experts. The National Cyber Security Centre explicitly warns companies not to run simulated pfishing attacks like these<\/a>. According to the NCSC, pfishing simulations both don\u2019t work and erode institutional trust.<\/p>\n

\n

A source told ROF it \u201cleft staff absolutely livid\u201d.<\/p>\n<\/blockquote>\n

Well, yeah.<\/p>\n

If you want staff to be vigilant about phishing, you need them to be on your team<\/em>. You need them invested in the firm\u2019s security because they feel like valued members of the organization. Pfishing tests will always involve a little humiliation, but if a firm insists on running them, those tests have to be tempered by the need to keep folks happy. You especially cannot build a cooperative security environment while also playing Three-Card Monte with people\u2019s livelihoods. Because money around the holidays matters a lot. Yes, that\u2019s what makes these promises a more dangerous pfishing risk.<\/p>\n

But it\u2019s also what makes punking people a more damning morale blow.<\/p>\n

EXCLUSIVE Lawyers livid over Browne Jacobson\u2019s Xmas phishing trap<\/a> [Roll on Friday]<\/p>\n

\n

\"Headshot\"Joe Patrice<\/a>\u00a0is a senior editor at Above the Law and co-host of Thinking Like A Lawyer<\/a>. Feel free to\u00a0email<\/a> any tips, questions, or comments. Follow him on\u00a0Twitter<\/a>\u00a0or Bluesky<\/a> if you\u2019re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search<\/a>.<\/em><\/strong><\/p>\n

The post Law Firm Sent Out Fake Christmas Vouchers. Staff Want To Ram Coal Up Leadership\u2019s Chimneys.<\/a> appeared first on Above the Law<\/a>.<\/p>\n

\"\"<\/figure>\n

Phishing attacks represent an ever-increasing threat to law firms. A law firms can find itself staring down massive ransom payments<\/a> to protect client data, just because someone clicked on a bogus file from an address that looked familiar.<\/p>\n

But robust firm cybersecurity leans on two pillars: education to nurture careful and conscientious employees, and employees who wouldn\u2019t crack a smile if the firm burned to the ground. Sometimes these pfishing tests put those goals in conflict.<\/p>\n

According to RollOnFriday<\/a>, one firm decided to use the holiday season in a pfishing test\/disgruntled employee accelerator. Browne Jacobson<\/a>, a UK-based law firm with over 800 lawyers, had the bright idea, the week before Christmas, to email employees promising a \u00a3100 Christmas voucher to anyone who filled out their employee feedback survey. Clicking the link revealed \u2014 surprise! \u2014 a cybersecurity training exercise. Merry Christmas! Your reward is humiliation!<\/p>\n

In the immortal words of Otter:<\/p>\n

\"\"
<\/figcaption><\/figure>\n

While getting hacked by teenagers sitting in a Russian government warehouse presents an exotic threat, disgruntled employees are still a more likely threat. Good job pissing everyone off! Oh, and HR must be super<\/em> excited to learn that no one will ever fill out an employee survey again because IT has conditioned them to auto-delete internal communications. Discretion is the better part of valor, folks. Not every potential threat should be the basis of a test. <\/p>\n

If the firm\u2019s position is \u201cwe will never offer you money via email,\u201d then say that! Blast that message every quarter. \u201cAll compensation and bonus announcements will be delivered in person or through [specific verified channel]. If you receive an email promising money, it\u2019s a scam.\u201d That\u2019s actually useful guidance and builds institutional trust.<\/p>\n

There should be no guessing. Running \u201cgotcha\u201d tests just poisons the well.<\/p>\n

\n

A spokesperson for Browne Jacobson told ROF, \u201cWe recognise that our recent cybersecurity training exercise caused concern among some colleagues, and we understand why people drew a link with our prize draw initiative from earlier in the year\u201d.<\/p>\n<\/blockquote>\n

Drew a link? This fake offer was styled to echo a real one<\/em> that the firm used before? That\u2019s not a pfishing test then! The only people who would know enough about the legitimate<\/em> program to use it as a ploy would be people inside the firm anyway. <\/p>\n

This isn\u2019t even the first time that a firm got dragged for using false compensation promises as a pfishing test<\/a>. In another story that RollOnFriday broke last summer<\/a>, Knights sent around an email purporting to inform them of a salary increase and scolding anyone who opened it for falling for the test. LOL, why would you think we\u2019d pay your ass more money?!?<\/em> And Baker McKenzie actually ran almost this exact<\/em> same scam before<\/a>. Last Christmas, they gave staff a voucher promise, but the very same day, they took it away. But in that case, it just promised a bonus, tying it to a feedback survey is the new twist.<\/p>\n

You\u2019d think firms would learn from these stories. Or at least follow the advice of their own national cybersecurity experts. The National Cyber Security Centre explicitly warns companies not to run simulated pfishing attacks like these<\/a>. According to the NCSC, pfishing simulations both don\u2019t work and erode institutional trust.<\/p>\n

\n

A source told ROF it \u201cleft staff absolutely livid\u201d.<\/p>\n<\/blockquote>\n

Well, yeah.<\/p>\n

If you want staff to be vigilant about phishing, you need them to be on your team<\/em>. You need them invested in the firm\u2019s security because they feel like valued members of the organization. Pfishing tests will always involve a little humiliation, but if a firm insists on running them, those tests have to be tempered by the need to keep folks happy. You especially cannot build a cooperative security environment while also playing Three-Card Monte with people\u2019s livelihoods. Because money around the holidays matters a lot. Yes, that\u2019s what makes these promises a more dangerous pfishing risk.<\/p>\n

But it\u2019s also what makes punking people a more damning morale blow.<\/p>\n

EXCLUSIVE Lawyers livid over Browne Jacobson\u2019s Xmas phishing trap<\/a> [Roll on Friday]<\/p>\n

\n

\"Headshot\"Joe Patrice<\/a>\u00a0is a senior editor at Above the Law and co-host of Thinking Like A Lawyer<\/a>. Feel free to\u00a0email<\/a> any tips, questions, or comments. Follow him on\u00a0Twitter<\/a>\u00a0or Bluesky<\/a> if you\u2019re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search<\/a>.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Phishing attacks represent an ever-increasing threat to law firms. A law firms can find itself staring down massive ransom payments to protect client data, just because someone clicked on a bogus file from an address that looked familiar. But robust firm cybersecurity leans on two pillars: education to nurture careful and conscientious employees, and employees […]<\/p>\n","protected":false},"author":3,"featured_media":141989,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-142001","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-above_the_law"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/xira.com\/p\/wp-content\/uploads\/2026\/01\/Headshot-300x200-TGH2GC.jpg?fit=300%2C200&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/142001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/comments?post=142001"}],"version-history":[{"count":0,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/posts\/142001\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media\/141989"}],"wp:attachment":[{"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/media?parent=142001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/categories?post=142001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xira.com\/p\/wp-json\/wp\/v2\/tags?post=142001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}