Common Indicators of a Phishing Attempt

Cyberattacks on healthcare organizations continue to increase in both number and sophistication, with phishing one of the main ways that threat actors gain a foothold in healthcare networks. Training the workforce on how to identify phishing threats, and explaining the common indicators of a phishing attempt to look for, gives the workforce the skills to recognize such a threat for what it is should one be encountered.

Phishing Attacks in Healthcare

A single click on an email can be all it takes to give threat actors the foothold they need in a network to conduct a devastating cyberattack and the theft of millions of healthcare records. The mega data breach at Anthem Inc in 2015 that involved the protected health information of 78.8 million health plan members started with a phishing email. The 2015 data breach at Premera Blue Cross, in which 10.4 million healthcare records were compromised, started with a phishing email that installed malware.

Phishing attacks in healthcare more than tripled between 2015 and 2021 and have continued to rise at an alarming rate. Defending against these increasingly sophisticated phishing attacks requires a combination of measures. Those measures should include technical safeguards such as a secure email gateway with anti-spoofing features such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) for blocking email impersonation attacks.

A web filtering solution that incorporates blacklists of known malicious domains should be used, and it should also block access to risky categories of websites. Antivirus software/endpoint security software should be installed on all endpoints, and multi-factor authentication should be implemented on accounts, especially email accounts and accounts with administrative privileges. If credentials are stolen in a phishing attack, multi-factor authentication can prevent the credentials from being used by threat actors to remotely access accounts.

These technical controls will not block all phishing attacks, but they will reduce risk and prevent many phishing attempts from succeeding. What is also required is security awareness training for the workforce, to ensure that if phishing threats are encountered, they can be identified as such and avoided.

The Common Indicators of a Phishing Attempt

To identify and avoid phishing threats, all members of the workforce should be aware of the common indicators of a phishing attempt. Phishing attacks are diverse and can be incredibly sophisticated, but a good starting point is to get the workforce to be on the lookout for the common indicators of a phishing attempt listed below. If the workforce is aware of the threat from phishing, more phishing attempts will fail, and the severity of a data breach can be significantly reduced if an attack succeeds.

  1. Carefully check the sender’s address
    Phishing often involves email impersonation to trick people into thinking the message has come from a known or trusted individual. Carefully check the email address, specifically the domain. Is it the correct domain for the company? Have any letters been omitted? Is the domain hyphenated?
  2. Is there a generic greeting?
    Most companies address emails to the recipient by name if they have engaged with that individual in the past. If an email is addressed to Dear Valued Customer, Dear Customer, or uses more familiar greetings such as Hello, Salutations, or Hi, it indicates that the sender does not know the account holder’s name. This is one of the most common indicators of a phishing attempt.
  3. No contact information
    Another common indicator of a phishing attempt is a lack of contact information. Company emails usually have the sender’s name, job title, and company information in the footer. A lack of information about the sender is a red flag that could indicate a phishing attempt.
  4. Do the hyperlinks direct to an incorrect website?
    Phishing emails often include hyperlinks that direct recipients to websites where information is collected, or malware is downloaded. Those websites are created to look exactly the same as the legitimate websites they spoof, but they are hosted on attacker-owned or -controlled domains. Check the destination URL of any link or button in an email by hovering the mouse arrow over the link and ensure it directs you to the correct website for that company.
  5. Does the email contain spelling and grammatical errors or have poor formatting?
    Poor spelling, grammatical mistakes, and unorthodox formatting are common indicators of phishing attempts. Companies use copywriters for their email communications, and messages are carefully checked by a proofreader before sending to ensure mistakes have not been made and the message being conveyed can be easily understood.
  6. Is there a suspicious attachment?
    Attachments are used for distributing malware and hiding content from email security solutions. Emails that lack information in the message body and just include an attachment or claim to include information in an attachment that could easily have been included in the message body are common indicators of a phishing attempt. The rule of thumb is to never open an unsolicited attachment in an email.
  7. Does urgent action need to be taken and has a threat been issued?
    A common indicator of a phishing attempt is when an email requires urgent action to be taken to avoid something bad happening, such as to prevent a charge from being applied, stop an account closure, or prevent legal action. The aim is to get the recipient to act quickly without stopping to think about whether the email is legitimate.
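
Indicators 1 and 4 can also be checked mechanically, for example when triaging a message that a member of staff has reported. The following Python code is an added example, not part of the original article: it flags a sender domain that is a hyphenated or near-miss spelling of the organization's domain, and links whose visible text names one host while the underlying destination is another. The domain myclinic.example, the function names and the 0.9 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "myclinic.example"  # assumption: the organization's genuine domain
# Constructed sample values, not taken from a real message.
SAMPLE_FROM = '"Example Clinic Billing" <billing@my-clinic.example>'
SAMPLE_HTML = '<a href="https://myclinc.example/login">https://www.myclinic.example/login</a>'

def lookalike(domain, trusted=TRUSTED):
    """Return why `domain` imitates `trusted`, or None if it is genuine or unrelated."""
    if domain == trusted or domain.endswith("." + trusted):
        return None
    if domain.replace("-", "") == trusted:  # assumes the trusted domain has no hyphen
        return "hyphenated lookalike"
    close = SequenceMatcher(None, domain, trusted).ratio() >= 0.9
    return "near-miss spelling" if close else None

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    found, href, text = (), None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found += ((self.href, self.text.strip()),)
            self.href = None

def host(url):  # lower-cased hostname of a URL or bare "www." string, minus "www."
    return re.sub(r"^www\.", "", urlparse(url if "//" in url else "//" + url).hostname or "")

def indicators(from_header, html_body):
    """Flags for indicator 1 (sender domain) and indicator 4 (link destination)."""
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    flags = [f"sender {sender}: {why}"] if (why := lookalike(sender)) else []
    parser = Links()
    parser.feed(html_body)
    for href, text in parser.found:
        dest = host(href)
        shown = host(text) if re.fullmatch(r"(https?://|www\.)\S+", text) else ""
        if shown and shown != dest:  # what hovering over the link would reveal
            flags.append(f"link text shows {shown} but goes to {dest}")
        if why := lookalike(dest):
            flags.append(f"link {dest}: {why}")
    return flags
```

Calling indicators(SAMPLE_FROM, SAMPLE_HTML) returns three flags for the constructed message, while a message sent from the genuine domain that links to one of its subdomains returns none.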

Employees are Often Overconfident in their Ability to Recognize the Common Indicators of a Phishing Email

It is common for employees to overestimate their ability to recognize and avoid phishing threats. One study conducted by Parsons et al in July 2018 (Understanding the Relationship between Human Behavior and Susceptibility to Cyber Attacks, ACM Trans. Intell. Syst. Technol.) found that most of the participants in the study were unable to differentiate between a genuine and phishing URL, yet most participants felt safe using email and the Internet and were confident in their ability to identify cyber threats.

In addition to training the workforce on how to recognize phishing emails, include quizzes in the training to evaluate whether the training has been understood, and follow up with phishing simulations. Simulations are a good way of determining whether training has been effective. They test the ability of employees to recognize phishing threats outside of a training environment.

Phishing simulations should not be conducted to catch employees out. They should be used to gauge the level of security awareness of the workforce and to identify weaknesses to certain types of phishing emails, so that security gaps can be addressed in future training courses. Be sure to advise the workforce that phishing simulations will be conducted as part of the training process, as blindsiding employees can cause resentment. Also, consider using the NIST Phish Scale to help determine why users click, as this will aid understanding of click data from phishing simulations and can be used to improve your security awareness training.


Training the workforce on how to identify phishing emails as part of security awareness training is important for Security Rule compliance and will help to prevent costly data breaches. Document all training to ensure you can demonstrate to regulators that you have taken steps to protect against cyber threats that target employees.