Common Indicators of Phishing Attempts

Phishing is one of the most common ways that cybercriminals gain access to the networks of healthcare organizations. While some sophisticated phishing attacks, spear phishing for example, can be difficult for employees to identify, there are common indicators of phishing attempts that employees can be trained to look for. These red flags are present in most phishing emails and allow employees to identify such emails easily.

The aim should be to train the workforce to look for the common indicators of phishing attempts and report potential phishing emails to their security team if one or more of these red flags is found in an email. The security team will be able to confirm if the email is malicious and if so, can search for and remove any other copies in the email system.

The HIPAA Security Rule Requires Security Awareness Training for the Workforce

The common indicators of phishing attempts are easy to identify, provided employees know what to look for. These should be covered in security awareness training sessions. The administrative safeguards of the HIPAA Security Rule – § 164.308(a)(5) – call for HIPAA-regulated entities to “implement a security awareness and training program for all members of its workforce.” While the HIPAA text does not specifically state that employees must be trained on how to spot a phishing email, given the extent to which phishing attacks are conducted on healthcare organizations and business associates, phishing is a reasonably anticipated threat to ePHI, so safeguards must be implemented to protect against phishing.

The HHS’ Office for Civil Rights has explained in its cybersecurity newsletters the importance of training employees to recognize and avoid phishing threats. How often training is provided should be determined by a risk assessment. Best practice is to provide training at least annually, although more frequent sessions are recommended given the increase in phishing attacks targeting healthcare employees. Most vendors offer training content that can be delivered in small chunks and fit easily into busy workflows. A little training, provided often, helps keep security fresh in the mind.

Training should teach the workforce about the common indicators of phishing attempts, security best practices to follow, how to practice good cyber hygiene, and what to do if a threat is encountered. To encourage employees to report threats, consider providing a mail client add-on that allows suspicious emails to be reported to the security team with a single click. Also, consider conducting phishing simulations to assess whether training is being applied by the workforce on a day-to-day basis. Phishing simulations help the IT security team gauge how effective training has been, track how security awareness is improving over time, and identify the types of phishing emails that are fooling employees. Training can then be adapted to cover those specific threats, and individuals who fail phishing simulations can be provided with additional training.

What are the Common Indicators of Phishing Attempts?

A wide variety of lures are used by cybercriminals and nation-state threat actors to trick healthcare employees into disclosing their credentials or installing malware, and the tactics, techniques, and procedures are constantly changing; however, there are common indicators of phishing attempts, and these red flags are present to some degree in most phishing emails.

  1. Urgent calls to action and threats
    Phishing emails try to trick people into acting quickly without thinking. A pressing reason is usually given for why rapid action is required, along with a warning of negative consequences if it is not taken. Stop, think, and check for the common signs of phishing, and do not be pressured into responding quickly.
  2. The message asks for personal information
    Personal information is often requested in the emails. Legitimate emails will never ask for personal information to be disclosed via email, as emails are not a secure method of communication. The request may be made on a website linked in the email, such as a request to log in using your Microsoft 365 credentials. Such requests are common in phishing attacks.
  3. The message contains poor spelling and grammar
    Emails from companies are written by professional copywriters and subject to spelling and grammar checks before sending. If an email contains mistakes, it is a sign of a phishing email. These errors are often included deliberately in phishing emails.
  4. The email contains a generic greeting
    If the contact is known to you or is a business you have engaged with in the past, they will know your name and will address the email to you personally. If the email starts with hello, greetings, salutations, dear customer, or another such generic greeting, the sender most likely doesn’t know your name, only your email address.
  5. You are sent an attachment that you were not expecting
    Information is often included in attachments in phishing attacks to hide content from email security solutions. Attachments are used to hide malicious code that downloads malware. Avoid opening attachments you are not expecting, even if the email appears to come from a well-known company, and do not enable content in Office documents unless you have verified the attachment is genuine.
  6. The email address does not use the name of the company in the domain
    If the email claims to be from a company and a public email domain has been used, it is likely to be spam or a phishing email. Legitimate companies buy a domain name and use it for their email accounts.
  7. Links in the email direct you to unfamiliar websites
    If the email claims to have been sent by Microsoft, any links in it should direct you to a Microsoft-owned domain. Hover the mouse pointer over any button or text link to reveal the destination URL. If the domain does not match the company, do not click. Also check for misspellings, hyphenated domain names, and subdomains, as these are often used to fool users into thinking they are being directed to the correct website.

Summary

For HIPAA Security Rule compliance, provide regular security awareness training to the workforce, issue regular reminders about security threats and the risk of phishing, and teach employees to be constantly on the lookout for the common indicators of phishing attempts. Through regular training, it is possible to develop a security culture and create a human firewall to complement your technical anti-phishing measures.