How to Spot a Phishing Email: A Visual Guide for FQHC Leaders

A Nigerian prince wants to send you $1,000,000!

Remember those days? Phishing emails are no longer always riddled with typos and broken logos. Today’s scams are usually polished, often AI-generated, and designed to trick even the most vigilant staff. In 2024 alone, phishing attacks contributed to over $16.6 billion in losses across industries, including healthcare.

For your Federally Qualified Health Center (FQHC), a single click on a malicious link can lead to ransomware infections, compliance violations, and operational downtime. This guide will help you and your team identify the red flags before it’s too late.

1. Generic Greetings

Legitimate organizations typically address you by name. Phishing emails often use impersonal salutations like:

  • “Dear Customer”
  • “Dear User”
  • “Valued Member”

2. Mismatched or Suspicious Email Addresses

Always verify the sender’s email address. Phishers often use addresses that mimic legitimate domains:

Subtle, and not-so-subtle, differences can be a red flag.

3. Urgent or Threatening Language

Phishing emails often create a sense of urgency to prompt immediate action:

  • “Your account will be suspended unless you act now.”
  • “Immediate action required to avoid penalties.”

Such pressure tactics are designed to bypass rational decision-making.

4. Unexpected Attachments or Links

Be cautious with unsolicited attachments or links, especially if:

  • The email urges you to download a file to view an invoice or report.
  • Links direct you to unfamiliar websites or prompt you to enter credentials.

Hover over links to preview the URL before clicking... and DON’T download anything if you’re not expecting it.
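
As an added example, not part of this guide, the checks in sections 2 and 4 written as a small Python script: it reads the real sender domain from the From header (not the display name), flags domains that closely mimic a trusted one, and flags links whose visible text names one site while the href points to another. The trusted domain and the sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the clinic's real domain (a placeholder, not from the guide).
TRUSTED_DOMAINS = {"example-fqhc.org"}

# Constructed sample: lookalike sender ("1" for "l") plus a link whose
# visible text names the trusted site while the href goes elsewhere.
SAMPLE_EMAIL = """From: "Billing Dept" <billing@examp1e-fqhc.org>
Subject: Immediate action required
Content-Type: text/html

<p>Dear Customer, view your invoice at
<a href="http://login-portal.example.net/x">https://example-fqhc.org/invoice</a></p>
"""

def sender_domain(raw_message: str) -> str:
    """Domain of the real From address, ignoring the display name."""
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rsplit("@", 1)[-1].lower()

def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when domain is not trusted but closely resembles a trusted one."""
    if domain in trusted:
        return False
    for good in trusted:
        if good in domain:  # trusted name buried in a longer host
            return True
        if SequenceMatcher(None, domain, good).ratio() >= 0.85:  # near-identical spelling
            return True
    return False

def mismatched_links(raw_message: str) -> list:
    """Anchors whose visible URL text points at a different host than the href."""
    body = message_from_string(raw_message).get_payload()
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown, real = urlparse(text.strip()).netloc, urlparse(href).netloc
        if shown and shown.lower() != real.lower():
            found.append((text.strip(), href))
    return found

def red_flags(raw_message: str) -> list:
    dom = sender_domain(raw_message)
    flags = [f"lookalike sender domain: {dom}"] if is_lookalike(dom) else []
    flags += [f"link text {t} but href goes to {h}" for t, h in mismatched_links(raw_message)]
    return flags
```

Run `red_flags(SAMPLE_EMAIL)` to see both warnings for the constructed message; on a real mailbox the same checks can feed a mail filter or a "report this" workflow.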

5. Inconsistencies in Branding and Language

Phishing emails may contain:

  • Low-resolution logos or incorrect brand colors.
  • Poor grammar or unusual phrasing.

These inconsistencies can indicate a fraudulent message.

6. Requests for Sensitive Information or Account Details

Legitimate organizations will not ask for sensitive information via email. Be wary of emails requesting:

  • Passwords or PINs.
  • Social Security numbers.
  • Bank account details.
  • Login information or credential verification you weren’t expecting.

Such requests are a hallmark of phishing attempts.


BONUS TIPS:

  • Watch out for fake or malicious QR codes. These can be sent via email or even printed. We’ve even seen these posted in subways in large cities.
  • Beware of videos. With AI technology, we’ve seen instances where a fake video of the CEO requesting a large wire transfer was sent to the CFO. This is scary.
  • If you have ANY doubt, pick up the phone and call the other person or entity.
  • Watch out for fake/malicious calendar invitations. This is a growing trend.

Action Steps for FQHC Leaders

  1. Educate Your Team: Regularly train staff to recognize phishing attempts.
  2. Implement Multi-Factor Authentication (MFA): Adds an extra layer of security, so a stolen password alone isn’t enough to log in.
  3. Use Advanced Email Filtering: Deploy solutions that detect and quarantine suspicious emails.
  4. Establish Clear Reporting Protocols: Encourage staff to report suspicious emails immediately.
  5. Conduct Phishing Simulations: Test your team’s awareness and improve response strategies.

Conclusion

Phishing attacks are evolving, leveraging sophisticated tactics to deceive even the most cautious individuals. By staying informed and proactive, FQHC leaders can safeguard their organizations against these threats.

Need help training your team or building your cybersecurity strategy? Let’s talk. That’s what we do!