What is Social Engineering?

“Social engineering” refers to the tricks and techniques that data thieves use to persuade targets into compromising their own cybersecurity.

How Does Social Engineering Work?

Nobel Prize-winning social psychologist Daniel Kahneman sorts all human decision making into two categories: System 1 and System 2. System 1 is fast, automatic, and acts without much thought. When you perform mundane tasks, or find yourself in a stressful situation that demands immediate action, System 1 controls your decision making. System 2 is slow, deliberate, and calculating. Your brain flips to System 2 when facing a complex challenge.

Social engineering’s goal is to tap into the emotions that drive System 1 decision making, namely boredom or anxiety. Most people know that it’s unwise to click on an unfamiliar link, so phishing messages often seek to bypass, or at least delay, System 2 by evoking a strong emotion or, conversely, by tapping into the mundane.


There is no better way to override someone’s good judgment than to make them feel threatened. If a phishing email can evoke fear or anger, the rush of defensive panic that follows is likely to incite the target to act. For lawyers, this often takes the form of financial threats (e.g., “Your account is overdrawn. Click here to learn more.”), professional threats (e.g., “Your license is being revoked. Click this PDF to learn more.”), or, ironically, fake cyber threats (e.g., “Your CLIO password has been changed. Click here to learn more.”). Be wary of emails that make you feel attacked or outraged. Feeling a rush of negative emotion in response to an electronic communication is a sign that you should gather yourself before acting.


Lawyers are also likely to click on emails that seem too mundane to raise any red flags. For instance, a boring phishing email will be titled something along the lines of “Google: Password Expiration Notice” or “DocuSign: Please review and sign your document.” Dull phishing is why it’s vital to make checking an email’s actual sender address, not just its display name or subject, part of your routine.
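The sender check described above can also be automated as a triage aid. The following is an added example, not code from the original page or from the training provider it describes: it parses a raw message, looks for a brand named in the display name or subject (“Google”, “DocuSign”), and flags the message when the From address does not belong to a domain that brand actually sends from. The brand-to-domain allow-list and the two sample messages are constructed for this example; a firm would maintain its own list.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed allow-list (assumption for this example): brand keywords that a
# mundane-looking lure is likely to invoke, mapped to domains the real brand
# sends from. A firm maintains and extends this for the services it uses.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "docusign": {"docusign.com", "docusign.net"},
}


def _domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()


def _domain_allowed(domain: str, allowed: set) -> bool:
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and report brand/sender mismatches.

    Returns a dict with the parsed sender domain, the brands the message
    claims to be from, the subset of those claims the sender domain does not
    support, and whether Reply-To diverts replies to a different domain.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    display_name, address = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    domain = _domain_of(address)

    # Brands mentioned where the reader's eye lands first: name and subject.
    haystack = f"{display_name} {subject}".lower()
    claimed = [brand for brand in BRAND_DOMAINS if brand in haystack]

    # A claim is suspicious when the actual sending domain is not the brand's.
    suspicious = [b for b in claimed if not _domain_allowed(domain, BRAND_DOMAINS[b])]

    # A Reply-To on a different domain than From is another low-drama tell.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_mismatch = bool(reply_to) and _domain_of(reply_to) != domain

    return {
        "sender_domain": domain,
        "claimed_brands": claimed,
        "suspicious_brands": suspicious,
        "reply_to_mismatch": reply_mismatch,
        "flag": bool(suspicious) or reply_mismatch,
    }


# Constructed sample messages (not real captured mail).
LURE = (
    b"From: Google Accounts <security@g00gle-alerts.example>\r\n"
    b"Reply-To: support@mailbox-helpdesk.example\r\n"
    b"Subject: Google: Password Expiration Notice\r\n"
    b"\r\n"
    b"Your password expires today. Click here to keep access.\r\n"
)

LEGIT = (
    b"From: DocuSign <dse@docusign.net>\r\n"
    b"Subject: DocuSign: Please review and sign your document\r\n"
    b"\r\n"
    b"A document has been shared with you.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, check_sender(raw))
```

The check is a triage aid, not proof of legitimacy: a From address can be forged, so a message that passes here should still be backed by your mail provider’s SPF, DKIM and DMARC authentication results, and a message that fails is a prompt to slow down and switch to System 2 before clicking anything.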

What is Social Engineering Training?

Social engineering training teaches your team how to recognize phishing and switch out of System 1 before it’s too late. We ground our training techniques in the principles of Crew Resource Management, which focuses on communication and risk abatement in high-stress situations. By empowering individuals to recognize threats and respond deliberately, and by facilitating open discussion about risks and problems among team members, our training gives your firm multiple layers of defense against social engineering tactics. Research shows that a single training session can reduce your risk of a data breach by 51%.