Management Assistance Program
Beyond the Inbox: Preventing Data Breaches Before They Begin
By Julie Bays
Earlier this year, I wrote about changes to Oklahoma’s security breach notification statutes and what those updates mean for lawyers after a breach has already occurred. In my Jan. 7 Courts & More tip, I focused on the new post-breach obligations these changes create. Now, I want to turn to the part we often overlook: What measures can prevent a breach from occurring in the first place?
What happens before a breach is just as important as what happens after one. Honestly, it tends to get overlooked because it usually shows up in very ordinary ways. I am talking about everyday moments and routine emails that quietly set the stage for a much bigger problem.
In January 2026, I received an email from a lawyer I know well, someone who regularly sends documents to a group I am a part of. At first glance, the message looked normal. It was simply a shared file, but there was no explanation or context. That struck me as odd. The lack of detail in the message immediately raised a red flag for me. Instead of opening it, I sent the lawyer a separate email from my contacts list. I made sure not to reply directly to the suspicious message and asked whether he had actually sent the file.
The response came quickly from his Outlook account, and it simply said, “A file for your review.” That was when my concern grew. The reply was unusually brief and impersonal, which was out of character for him. Given how well I know this lawyer, I expected a more detailed answer or at least a bit of context. The vague response only confirmed my suspicion that something was wrong.
Rather than clicking on the attachment, I did what I always encourage lawyers to do when something feels even slightly off. I paused and picked up the phone. When I called him, I learned that his email account had been hacked. He had not sent me anything at all. Someone else was using his name and signature block. What made this situation especially troublesome was that the scammer had full control of his Outlook account. Not only could the attacker send convincing emails, but they could also reply to new messages sent directly to his account. That meant the scammer could intercept and respond to legitimate inquiries, making the fraud even harder to detect.
That brief pause – just a few seconds – stopped what could have turned into a much bigger problem. It highlights the importance of trusting your instincts and verifying anything that seems even a little bit off, especially when it comes from someone you know. Recognizing those small cues, like a change in writing style or a lack of context, can be the difference between stopping a breach and becoming a victim.
This is how breaches usually start at law firms. It is almost never dramatic at the beginning.
WHY THESE EMAILS ARE SO EFFECTIVE
Phishing emails aren’t the clumsy, typo-filled spam they used to be. Nowadays, they:
- Come from real email accounts that hackers have already hijacked
- Use familiar names, signatures and writing styles
- Contain messages that sound vague but legit (“Please review,” “See attached,” “Did you request this?”)
- Include attachments or links designed to steal credentials or install malware
Once a hacker gains access to one lawyer’s account, they don’t just target fellow attorneys. Instead, they exploit the trust and credibility of that compromised account to reach out to everyone listed in the victim’s contacts, including colleagues, clients, vendors, family members and anyone else associated with the account. This broad approach dramatically increases the chances that someone will open a malicious attachment or click on a dangerous link, allowing the attackers to spread their reach even further.
This isn’t just a tech issue. It’s a training and protocol problem. The most effective way to prevent these attacks from succeeding is to ensure everyone understands the risks and follows strict email procedures. Regular training helps people recognize suspicious messages and understand what steps to take when something feels off, whether the message comes from a stranger or from someone familiar.
CYBERSECURITY IS A COMPETENCE ISSUE
We’re used to thinking of competence as knowing the law. But these days, being competent means understanding and managing the risks that come with our everyday tech.
Most firms have some security basics covered: spam filters, antivirus software, firewalls and maybe multifactor authentication. But tools alone aren’t enough. Human behavior is still the easiest way in for attackers.
If your firm hasn’t recently taken a hard look at its cybersecurity protocols and training, now’s the time.
Steps Every Firm Should Take
Email handling policies. These policies are a critical line of defense against cyber threats. It’s not enough to simply avoid opening attachments from unfamiliar senders; staff should be cautious even with messages from trusted contacts, as compromised accounts can be used to distribute malicious content. Every team member should be trained to recognize warning signs, such as vague or out-of-character requests, and know exactly how to escalate or report suspicious emails. Having well-documented policies in place ensures everyone understands the steps to take when something seems off, reducing the risk of accidental exposure to phishing or malware.
Verification procedures. They should become second nature in your firm’s workflow. Before acting on any request involving sensitive information, financial transactions or the sharing of confidential documents, team members must adopt a habit of double-checking the authenticity of the communication. The check has to run over a channel the sender’s mailbox does not control: a phone call to a number already on file (not one taken from the suspicious message), a text or a conversation in person. As the story above shows, replying to the email, or sending a fresh one to the same address, proves nothing, because whoever holds the account can answer as the sender. Making verification standard practice not only protects your firm but also reassures clients that their information is handled with the utmost care.
Training and refreshers. Regular, ongoing education keeps everyone alert to evolving threats and up to date on the latest phishing tactics and cybersecurity best practices. Interactive workshops, simulated phishing exercises and periodic reminders reinforce awareness and prepare employees to respond appropriately when faced with suspicious messages, including ones that appear to come from a colleague or client. By prioritizing continuous training, the firm creates a culture of vigilance where everyone actively contributes to maintaining a secure environment.
Incident response plans. Even with robust policies and training, no system is foolproof, so a written incident response plan is essential for minimizing damage when a security event occurs. A clear, actionable plan ensures that the team knows exactly what to do if they suspect a breach, including whom to notify, how to contain the threat (for a compromised email account, that starts with locking the account and warning the contacts who may have received messages from it) and the steps for recovery. Practicing these response protocols through regular drills helps the firm react swiftly and effectively, reducing downtime and protecting sensitive data.
THE CONNECTION TO OKLAHOMA’S NEW SECURITY BREACH LAW
The new Oklahoma Security Breach Notification Act gives us more to do when it comes to protecting personal information. Yes, it’s about notification and response, but the real message is this: Take reasonable steps to keep sensitive data safe. Stopping a breach before it happens is always easier and cheaper than dealing with the fallout.
The scenario I laid out at the beginning of the article is a classic example of how client information, trust account data or confidential messages could all be exposed with one click.
A FINAL THOUGHT
Cybersecurity failures at law firms rarely kick off with dramatic, TV-style hacking scenes. Nine times out of 10, they start with a regular email on a regular morning.
The real question isn’t if your firm will receive one of these messages; it’s whether your team’s habits, training and systems will catch it before it does any harm.
If you missed my Courts & More tip about Oklahoma’s new Security Breach Notification Act, now’s a good time to check it out alongside your firm’s protocols. Together, they cover both sides of the story: what the law requires after a breach and what smart practices demand before one ever gets started.
Ms. Bays is the OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact her at 405-416-7031, 800-522-8060 or julieb@okbar.org. It’s a free member benefit.
Originally published in the Oklahoma Bar Journal — February, 2026 — Vol. 97, No. 2