Email Spear Phishing: A New Level of Scary

Jan 16, 2024

It is important to be aware of one of the most successful ways cybercriminals target and attack: your email. There are two primary ways you can be targeted. You may be familiar with the term ‘phishing’. This is the general term for a broad-stroke email approach, where the same message is sent to large numbers of recipients. Typically, these emails arrive in your inbox looking somewhat generic and usually without any personal information about you. They often contain poor grammar, misspelled words and other details that, on closer inspection, reveal a possible threat.

Spear phishing, on the other hand, takes email targeting to an entirely new level of scary. Attackers hyper-target you by personalizing the content specifically to you, or to a group or organization you have a connection with. They collect information from across the internet and social media about industries, professional relationships and even personal details. This level of personalization, delivered in a familiar tone, blurs the line between what’s real and what’s a sophisticated fake. The email may ask you to click a link, open an attachment or simply reply. With spear phishing, a single click on that link or attachment can open the door for malware to get into your practice management system, accounting software and other important applications, and a reply can hand over credentials or patient information directly to the attacker.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released its Q1 2022 Cybersecurity Newsletter. The OCR explains, “If an attack is successful, the attacker often will encrypt a regulated entity’s ePHI to hold it for ransom, or exfiltrate the data for future purposes including identity theft or blackmail.” [1] Let’s dive into what you need to know to protect your practice and patients.


Learn to Spot the Trick

The goal is to get you to share things you shouldn’t, like passwords, credit card numbers or bank account details. Be cautious when you receive an email that appears to come from your bank, your IT department or another trusted source stating that you need to reset your password or visit a website to update your information. There will likely be an urgent tone, indicating you must act quickly or face a negative consequence; the urgency is there to stop you from checking. Verify with the sender through a separate channel you already trust, such as a phone number from your own records or a website address you type yourself, never by replying to the email or using the contact details it provides.

Do Not Click the Link
A quick way to see whether a link is suspicious is to hover your cursor over it (on a phone or tablet, press and hold the link) and read the address that appears. That address should point to the site the email claims it is going to. The text you can see in the email proves nothing, because the visible text and the real destination are set separately, so a link that reads as your bank’s address can still lead somewhere else entirely. Watch for addresses that only resemble the real site, such as a familiar name buried inside a different domain, and for shortened links that hide the destination completely. If the address doesn’t match, or you have any doubts, don’t click; alert your IT team that you think it might be a malicious email.

Limit Cybercrime Access Points
Protected Health Information should not travel in or out of your general email inbox (Gmail, Yahoo!, etc.). A general-purpose inbox accepts mail from anyone on the internet, so every phishing attempt that reaches it lands in front of you, and standard email gives no guarantee that a message was encrypted in transit or that the sender is who they claim to be. The safest HIPAA-compliant email is transmitted across a private encrypted network, with each message encrypted as well. If a cybercriminal can find you, they can try to scam you.

One of the best steps you can take is to use a HIPAA-compliant email with a pre-verified network of providers and associates. If you need to communicate with someone outside the verified network, you initiate the first email communication, and they have to verify their identity before accessing the message.

There are five required HIPAA technical safeguards that apply to email: access control, audit controls, integrity, person or entity authentication and transmission security. Among them, person or entity authentication provides message accountability, and transmission security is where encryption comes in. There is a big difference between an encryption-only email service, which covers general security, and a truly HIPAA-compliant email that fulfills every one of these requirements.

No one is inherently immune from cyberattacks. Provide ongoing staff education to keep these criminals from getting in the door. Assess the security of your current email against the HIPAA requirements, and implement a plan to send the bulk of your emails through a truly secure HIPAA-compliant service. Recovering from an attack is far more difficult and costly than preventing it in the first place.

iCoreConnect, an LDA/LDS endorsed company, specializes in a comprehensive software that speeds up workflow, increases revenue and provides greater security for dentists. iCoreExchange is an encrypted, fully HIPAA-compliant email. Not one iCoreExchange email has been hacked. Ever. LDA members receive a substantial discount on iCoreExchange. Book a demo at or call 888.810.7706.