Proofpoint
Proofpoint is an enterprise email security platform that protects against phishing, malware, and email fraud. Its presence signals a firm takes email security seriously — critical …
What is Proofpoint?
Proofpoint is an enterprise email security platform that protects against phishing, malware, and email fraud. Its presence signals a firm takes email security seriously — critical for protecting client confidentiality.
Common Use Cases for Law Firms
- Protect attorneys and staff from phishing attacks targeting client data
- Filter malware and ransomware from inbound email
- Prevent email impersonation attacks (spoofing firm attorney identities)
- Comply with bar association requirements for protecting client confidentiality
How We Detect It
Market Overview
Proofpoint is a email security tool used by 304 personal injury law firms, representing 0.9% of all tracked firms. Adopters score 43.2 SI on average, +14.6 points higher than firms without it, suggesting Proofpoint correlates with broader technology investment. The heaviest adoption comes from the Minimalist Tech Users segment (1.1%), followed by Awareness Leaders (2.8%). The most common co-occurring tools are Google Workspace (found on 58.6% of Proofpoint adopters) and Google Analytics (48.7%).
Get connected
Request an introduction from Top Dog Law — we'll make the connection on your behalf.
Adoption by State
ME
—
VT
—
NH
—
WA
—
MT
—
ND
—
MN
—
WI
—
MI
—
NY
—
MA
—
RI
—
OR
—
ID
—
WY
—
SD
—
IA
—
IL
—
IN
—
OH
—
PA
—
NJ
—
CT
—
CA
—
NV
—
CO
—
NE
—
MO
—
KY
—
WV
—
VA
—
MD
—
DE
—
DC
—
AZ
—
UT
—
KS
—
AR
—
TN
—
NC
—
SC
—
NM
—
OK
—
LA
—
MS
—
AL
—
GA
—
AK
—
HI
—
TX
—
FL
—
0
—
Adoption by Segment
which segments use Proofpoint most
Commonly Paired With
co-occurrence
Proofpoint Best Practices
1
Deploy Proofpoint's Email Fraud Defense with DMARC enforcement — not just monitoring — or you're only doing half the job. Proofpoint's DMARC implementation has three stages: monitor (observe, don't block), quarantine (flag suspicious mail), and enforce (reject unauthorized senders). Most firms that configure DMARC via Proofpoint stop at the monitor stage because they're afraid of breaking legitimate email. The monitor phase is indefinite research, not protection. Set a calendar reminder for 60 days post-deployment to review the DMARC aggregate reports, confirm all your legitimate sending domains are authenticated, and advance to quarantine. Advance to enforce after another 30 days. Only full enforcement stops attackers from spoofing your domain to attack clients.
2
Use Proofpoint's Very Attacked People (VAP) report to identify which staff are disproportionately targeted — and give them extra protection. Proofpoint's Threat Intelligence identifies your firm's most heavily targeted email addresses based on actual attack volume. Typically this is the managing partner (for BEC attacks), the bookkeeper (for wire transfer fraud), and the receptionist (for credential harvesting via fake delivery notifications). Proofpoint lets you apply stricter filtering policies to VAP accounts — including mandatory sandbox analysis for all attachments and more aggressive URL rewriting. The receptionist who opens every emailed fax notification is your highest-risk user; treat their inbox differently.
3
Configure Proofpoint's Security Awareness Training immediately after every real phishing attempt against your firm, not on a quarterly schedule. Proofpoint's simulation engine lets you send realistic phishing tests to your staff. The most effective use is not quarterly compliance training — it's immediate follow-up to real events. When Proofpoint blocks a phishing campaign targeting your domain, clone the technique (without the malicious payload) and send a simulation to your staff within a week. People who nearly clicked a real attack are infinitely more receptive to training than people clicking through an annual security course. The behavioral change from near-miss training lasts months; the behavioral change from scheduled training lasts days.
4
Enable Proofpoint's targeted attack protection on your firm's most sensitive email aliases — not just individual accounts. Many PI firms have email aliases that are publicly listed on their websites: intake@firmname.com, info@firmname.com, cases@firmname.com. These are high-volume attack targets because they're known to be monitored by real humans. Apply Proofpoint's full advanced threat protection stack (URL Defense, Attachment Defense, and Impersonation Protection) to every public-facing alias, not just partner accounts. Attackers specifically target intake aliases because the people monitoring them are often less security-trained than partners.
5
Review Proofpoint's blocked mail digest with your IT person weekly for the first 90 days after deployment. Proofpoint's filtering can produce false positives — legitimate email from insurance companies, court systems, and medical providers quarantined due to sender reputation issues. Review the daily or weekly digest of quarantined mail for the first three months to build your approved sender list before attorneys start missing critical case communications. After 90 days, the false positive rate drops dramatically as you tune the system to your firm's sending patterns. The first 90 days of active monitoring separates deployments that work well from deployments that create support tickets forever.
Alternatives to Proofpoint
1
Mimecast — Proofpoint's most direct enterprise competitor, with comparable threat detection and stronger email continuity and archiving features. Where Proofpoint leads on advanced targeted attack protection and threat intelligence depth, Mimecast leads on business continuity (maintaining email availability during Microsoft 365 outages) and large-file secure sending. For PI firms where email uptime is a client service issue (you can't miss an adjuster's settlement offer), Mimecast's continuity features are a meaningful differentiator. For firms primarily concerned with inbound threat protection, Proofpoint's detection engine is generally rated more highly by independent security researchers.
2
Microsoft Defender for Office 365 Plan 2 — Included in Microsoft 365 E3 and E5 licensing, and available as an add-on for $5/user/month to Microsoft 365 Business Premium subscribers. Defender Plan 2 covers Safe Links, Safe Attachments, anti-phishing, attack simulation training, and threat hunting tools — covering a large portion of what Proofpoint Essentials delivers. The key question is whether you're already paying for Microsoft licensing that includes Defender coverage. If yes, adding Proofpoint creates redundant spend. If no, or if your Microsoft licensing is at a tier that doesn't include advanced threat protection, Proofpoint fills a real gap.
3
Abnormal Security — A newer entrant using behavioral AI to detect attacks that signature-based filters miss, particularly sophisticated BEC attacks and credential phishing that don't use malicious links or attachments. Abnormal sits behind your existing email gateway (including Microsoft or Google) as an additional detection layer and is increasingly used by law firms that have experienced BEC attacks despite having traditional email security. Pricing is per-mailbox and tends to run higher than Proofpoint Essentials, but for firms that have already been hit by a successful BEC attack, the additional layer addresses the attack vector that got through.
4
Cisco Secure Email (formerly IronPort) — Enterprise email security from Cisco, stronger on-premise deployment model than the cloud-first Proofpoint. Cisco's solution appeals to firms with existing Cisco network infrastructure (firewalls, switches) where the Talos threat intelligence network provides integrated protection across email, web, and network layers. Overkill for most PI firms, but for large multi-state practices with dedicated IT staff, the integrated Cisco security fabric has real operational advantages.
Proofpoint Power Moves
1
Use Proofpoint's attack simulation data to negotiate cyber insurance premiums — bring actual phishing click-rate data to your renewal. Proofpoint's Security Awareness Training tracks which staff click simulated phishing emails, which report them, and how click rates change over time. A firm that can show 18 months of simulation data with declining click rates and documented staff training is demonstrably lower risk than a firm that says "we do security training." Bring this data to your cyber insurer at renewal. Several carriers now offer explicit discounts for documented security awareness programs with measurable improvement metrics.
2
Configure a 'Report Suspicious Email' button in Outlook and train your staff to use it before you need it. Proofpoint's PhishAlarm button adds a one-click "Report Phishing" button to Outlook (and Gmail). When a staff member clicks it, the email is immediately quarantined, forwarded to your security team, and added to Proofpoint's threat intelligence database. The value multiplies when you train staff to use it proactively rather than just forwarding suspicious email to IT. An intake coordinator who reports a suspicious email before clicking it is your most valuable security asset. Run a brief monthly reminder in your firm's staff meeting: "When in doubt, click the red phish button."
3
Set up Proofpoint email alerts to notify the managing partner directly any time a wire transfer instruction arrives from outside the firm. BEC attacks targeting PI firms almost always involve wire transfer instructions — fake settlement checks, fraudulent escrow instructions, or impersonated court payment requests. Configure a Proofpoint content rule that flags any inbound email containing wire transfer language ("wire funds," "routing number," "ACH transfer," "escrow instructions") from external domains and sends an alert to both the recipient AND the managing partner. This creates a two-person check on wire instructions without requiring any process change — the alert itself triggers verification.
4
Export Proofpoint's threat dashboard data as evidence of security controls for client due diligence requests. Large institutional clients (hospitals, insurance companies, corporations) increasingly require law firms to demonstrate cybersecurity controls before sharing sensitive case information. Proofpoint's threat dashboard can generate a summary report showing your email security controls, threat categories blocked, and configuration status. Keep a current export as a PDF in your firm's compliance documentation folder. When a corporate client sends a vendor security questionnaire, the Proofpoint report answers the email security section in 30 seconds.
Is your firm using Proofpoint?
Claim your firm profile to verify your tech stack and access premium competitive intelligence. Not listed yet? Apply to get added.
Top Firms Using Proofpoint
by sophistication index
| # | Firm | Segment | Attorneys | SI Score | Grade |
|---|---|---|---|---|---|
| 1 |
|
Retention Innovators | 8 | 93.894 | A+ |
| 2 |
|
Retention Innovators | 1 | 91.091 | A+ |
| 3 |
|
Retention Innovators | 60 | 90.090 | A+ |
| 4 |
|
Retention Innovators | 1 | 82.582 | A+ |
| 5 |
|
Conversion-Focused Firms | 19 | 82.582 | A+ |
| 6 |
|
Conversion-Focused Firms | 1 | 81.582 | A+ |
| 7 |
|
Conversion-Focused Firms | 1 | 81.582 | A+ |
| 8 |
|
Awareness Leaders | 1 | 81.582 | A+ |
| 9 |
|
Retention Innovators | 1 | 80.881 | A+ |
| 10 |
|
Conversion-Focused Firms | 1 | 80.580 | A+ |
| 11 |
|
Conversion-Focused Firms | 1 | 79.580 | A |
| 12 |
|
Retention Innovators | 1 | 79.079 | A |
| 13 |
|
Conversion-Focused Firms | 1 | 78.879 | A |
| 14 |
|
Retention Innovators | 1 | 77.077 | A |
| 15 |
|
Retention Innovators | 1 | 74.875 | A |
| 16 |
|
Retention Innovators | 1 | 73.073 | A |
| 17 |
|
Basic Tech Adopters | 1 | 72.873 | A |
| 18 |
|
Basic Tech Adopters | 1 | 72.072 | A |
| 19 |
|
Retention Innovators | 1 | 72.072 | A |
| 20 |
|
Basic Tech Adopters | 1 | 72.072 | A |
