Too many good ideas & fresh thinking in this article by Sharon Nelson, John Simek and Michael C. Maschke to comment on them all here, but I’ll highlight one. This “social engineering” technique has been around for at least 30 years or so:

[A] current ploy is simply to pretend that they are someone else (usually another law firm employee) and indicate the need for the ID/password for any number of reasons – a network threat they are working on or involvement in a compilation of IDs/passwords to be stored securely in the cloud to enhance (they say) security.

They may even pretend to be your IT provider and [say] they need your credentials to counter an imminent threat that has just been discovered. A remarkable number of law firm employees will give up their credentials in their desire to be helpful to someone they presume to be legitimate.

Are we saps? Pretty much, based on the evidence.