According to research published in IEEE's International Conference on Smart Computing, 24 million U.S. households (22% of adults) have experienced account takeovers, with average financial losses reaching $12,000 per incident. In healthcare, those stakes multiply. As researchers note in Cluster Computing, "The healthcare sector is the preferred target of attackers, because of the data's high commercial value."
A study in the Journal of Scientific and Engineering Research reveals that healthcare organizations handle vast amounts of sensitive patient data, including personal information, medical records, and financial details, and email is a primary mode of communication for sharing this information among providers. A single stolen login can open access to electronic health records, billing systems, insurance claims, and internal communications with colleagues who trust that sender. As the Cluster Computing research explains, phishing attacks "gain attackers access to the system, from where they can escalate their attack."
Research published in Computers in Human Behavior found that over 20% of university faculty and staff clicked on at least one of three simulated phishing emails. Among students, more than a quarter opened phishing emails, and half of those who opened them clicked the included links. Healthcare professionals face the same vulnerabilities, often with less security training and higher consequences.
According to the Paubox 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to their security teams. The attacks that succeed don't require sophisticated exploits. They require a convincing fake login page, a moment of distraction, and credentials that unlock everything.
Phishing isn't new, but its sophistication has changed. Research published in Computers in Human Behavior analyzed over 2,300 phishing emails targeting Cornell University from 2010 to 2023 and found that attackers have shifted tactics. Security-focused phishing emails, the classic "your password has expired" messages, dominated most of the 2010s. By 2023, they made up only 5% of attacks.
What replaced them were job offer scams, requests for help from supposed colleagues, and business logistics emails designed to blend into everyday communication. The study also found that "scams that are relevant to university or student life are often more successful than those that are not." The same principle applies to healthcare; phishing emails that mimic routine workflows, a shared lab result, an invoice from a vendor, or a request from a department head are far more likely to succeed than obvious security warnings.
Spelling errors in phishing emails have decreased substantially over time. From 2010 to 2016, 82% of phishing emails contained at least one misspelling. Between 2017 and 2023, that rate dropped to 59%. The conventional advice to look for grammatical errors is becoming less reliable as attackers leverage spell-checkers and AI tools to craft polished, professional-looking messages.
Traditional phishing emails contain malicious links that security tools can scan and block. Attackers have adapted with a method that bypasses link scanners entirely: QR code phishing, commonly called "quishing."
The target receives an email, often disguised as a message from IT, HR, or a trusted vendor, containing a PDF attachment or embedded image. The email instructs the recipient to scan a QR code to verify their identity, review a document, or complete a required security update.
The QR code directs to a credential harvesting page designed to look exactly like a Microsoft 365, Google Workspace, or EHR login screen, but because the malicious URL is encoded within the QR code rather than appearing as a clickable link, many email security tools don't detect it.
According to the HC3 threat briefing on QR code phishing, "Attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content." The attack is particularly effective in healthcare settings because:
Victims often don't realize they've been compromised until their account is already being used against their colleagues.
For years, multi-factor authentication (MFA) was considered the definitive defense against credential theft. Even if an attacker obtained a password, they couldn't access the account without the second factor, a code from an authenticator app, a text message, or a hardware token. Adversary-in-the-Middle (AitM) attacks now bypass MFA entirely.
In an AitM attack, the phishing page does not merely collect credentials; it acts as a relay (a proxy) between the victim and the legitimate login server. When the victim enters their username and password on the fake page, the attacker's system immediately forwards those credentials to the real Microsoft 365 or Google login. When the real server requests MFA verification, that prompt passes through to the victim, who completes it thinking they're logging into the genuine site.
The attacker captures the password, the MFA response, and the authenticated session token that gets generated after successful login. With that session token, the attacker can access the account without needing to re-authenticate, often for hours or days until the token expires.
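The defender's view of the sequence above is that the MFA login itself looks valid; what stands out is the stolen session being used afterwards from a different client. As an added example (not code from this page or from Paubox), the Python below applies that idea to constructed sign-in telemetry; the event shape and field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in and activity records (not real telemetry):
# (timestamp, event, session_id, source_ip, user_agent).
# In an AitM phish the password and MFA prompt are relayed through the
# attacker's proxy, so the login itself looks valid; what the attacker keeps
# is the resulting session token, which is then reused from their own client.
EVENTS = [
    ("2025-03-01T09:00:00", "login_mfa_ok", "sess-A", "203.0.113.10", "Chrome/122 Windows"),
    ("2025-03-01T09:05:00", "mailbox_read", "sess-A", "203.0.113.10", "Chrome/122 Windows"),
    ("2025-03-01T11:30:00", "mailbox_read", "sess-A", "198.51.100.77", "python-requests/2.31"),
    ("2025-03-01T11:31:00", "inbox_rule_created", "sess-A", "198.51.100.77", "python-requests/2.31"),
    ("2025-03-01T10:00:00", "login_mfa_ok", "sess-B", "203.0.113.20", "Safari/17 macOS"),
    ("2025-03-01T10:20:00", "mailbox_read", "sess-B", "203.0.113.20", "Safari/17 macOS"),
]

def find_session_reuse(events, token_lifetime=timedelta(hours=24)):
    """Flag activity on an MFA-authenticated session that comes from a
    different source IP or user agent than the login that created it, or
    that continues past the expected token lifetime. Returns a list of
    (session_id, timestamp, reason)."""
    origin = {}   # session_id -> (login_time, ip, user_agent)
    alerts = []
    for ts, event, sid, ip, ua in sorted(events):   # ISO timestamps sort lexically
        when = datetime.fromisoformat(ts)
        if event == "login_mfa_ok":
            origin[sid] = (when, ip, ua)
            continue
        if sid not in origin:
            alerts.append((sid, ts, "activity on a session with no recorded login"))
            continue
        login_time, login_ip, login_ua = origin[sid]
        if when - login_time > token_lifetime:
            alerts.append((sid, ts, "activity after the expected token expiry"))
        elif ip != login_ip or ua != login_ua:
            alerts.append((sid, ts,
                           f"session reused from {ip} / {ua}; login was {login_ip} / {login_ua}"))
    return alerts

if __name__ == "__main__":
    for sid, ts, reason in find_session_reuse(EVENTS):
        print(sid, ts, reason)
```

Source IP alone changes legitimately (mobile networks, VPNs), so a combined IP-plus-client change, or a client that is not a browser at all, is the stronger signal to alert on.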
Research on BEC detection challenges confirms that attackers "in 2022 changed from trivial mail hacking and bypassing multi-factor authentication to impersonating a law firm and social engineering attacks." The sophistication of these techniques means that MFA, while still valuable, is no longer sufficient on its own.
This is why phishing prevention matters as much as authentication strength. If the malicious email never reaches the inbox, the AitM attack never begins.
Blind spots in security methods
Once an attacker controls a legitimate email account, the HC3 notes, it becomes "a vehicle for financial or data-related crimes" still trusted by the system, but now serving the attacker's purposes.
The compromised account sends phishing emails to colleagues, patients, vendors, and partner organizations. These messages come from a recognized internal address, bypassing external sender warnings and often evading security filters trained to flag unknown domains. One compromised physician account can target an entire practice.
With access to email history, the attacker studies billing processes, identifies pending invoices, learns which vendors the organization pays regularly, and understands communication patterns. This intelligence leads to targeted vendor email compromise (VEC) and BEC attacks.
Attackers frequently create hidden inbox rules that automatically forward copies of incoming messages to external accounts, delete security alerts, or move emails containing keywords like "password reset" or "suspicious activity" to hidden folders. These rules persist even after password changes, maintaining access until explicitly discovered and removed.
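As an added example (not Paubox's code and not any mail platform's actual rule schema), this Python audit walks a constructed set of mailbox rules and flags the patterns just described: forwarding to external domains, deleting or hiding security alerts, and near-empty rule names.

```python
import re

INTERNAL_DOMAINS = {"clinic.example"}   # constructed; use your own domains
# Subjects/senders an attacker wants the victim never to see.
ALERT_KEYWORDS = re.compile(r"password|suspicious|security|sign-in|verify", re.I)
# Folders users rarely open, so a "move" there is effectively a delete.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}

# Constructed sample rules in a simplified shape (assumed, not a real schema).
RULES = [
    {"name": "Vendor invoices", "conditions": {"subject_contains": ["invoice"]},
     "actions": {"move_to": "Finance"}},
    {"name": ".", "conditions": {"subject_contains": ["password reset", "suspicious activity"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"name": "Sync", "conditions": {},
     "actions": {"forward_to": ["backup@mail-archive.example"]}},
    {"name": "Cleanup", "conditions": {"from_contains": ["security@clinic.example"]},
     "actions": {"delete": True}},
]

def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return [(rule_name, [reasons])] for rules that look like attacker persistence."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        cond = rule.get("conditions", {})
        act = rule.get("actions", {})
        matched = " ".join(cond.get("subject_contains", []) + cond.get("from_contains", []))
        reasons = []
        for addr in act.get("forward_to", []):
            if email_domain(addr) not in internal_domains:
                reasons.append(f"forwards mail to external address {addr}")
        if act.get("delete") and ALERT_KEYWORDS.search(matched):
            reasons.append("deletes messages matching security-alert keywords")
        if act.get("move_to", "").lower() in HIDDEN_FOLDERS and ALERT_KEYWORDS.search(matched):
            reasons.append(f"hides security-alert messages in '{act['move_to']}'")
        if len(name.strip()) <= 1:
            reasons.append("rule name is blank or a single character (typical of hidden rules)")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Because these rules survive a password reset, run the audit as part of every account-takeover response, not only at detection time.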
Patient records, financial documents, contracts, and internal communications can be quietly extracted over days or weeks. The attacker doesn't need to breach the network; they simply download attachments from the compromised mailbox.
According to the Paubox Healthcare Email Security Report, 31.1% of breached organizations were categorized as "High Risk," with multiple security gaps that exposed them to these cascading attack sequences. The initial compromise is just the entry point.
The HC3 briefing notes that attackers "can sit there for weeks, reading and copying, before anyone notices." However, certain behavioral anomalies can indicate compromise:
The challenge is that many healthcare organizations lack the monitoring infrastructure to detect these signals. According to the Paubox report, only 27% of IT leaders feel confident about avoiding breaches in 2025, signaling a gap between the threat landscape and current detection capabilities.
Account takeover is a multi-stage attack, but it almost always begins with a single email. Block that email, and the entire chain never starts.
As research in the Journal of Scientific and Engineering Research notes, "Healthcare organizations are frequent targets of phishing attacks, where malicious actors attempt to obtain sensitive information through deceptive emails. Phishing attacks can lead to significant data breaches and financial losses if employees are tricked into revealing confidential information or clicking on malicious links."
Paubox Email Suite Plus and Premium include inbound security designed to intercept credential phishing before it reaches users:
Every inbound email passes through domain and SPF record validation, combined with reputation checks on the sending server. Emails that fail these checks are rejected before delivery.
Messages are scanned for embedded macros, phishing links, ransomware, and malware. This includes analysis of attachments like the PDFs commonly used in quishing attacks for malicious content.
ExecProtect detects display name spoofing, catching emails that impersonate executives or trusted colleagues. Custom rulesets and content analysis flag suspicious patterns like urgent requests, login verification prompts, and unusual sender behavior. Inbound Data Loss Prevention (DLP) rules identify sensitive content that shouldn't be arriving via email.
The goal isn't just to catch known threats. It's to identify the behavioral and structural anomalies that characterize phishing attempts, even when the specific attack hasn't been seen before.
ExecProtect+ extends protection against sophisticated impersonation, while quarantine functionality holds suspicious messages for administrator review rather than delivering them to inboxes where a single click can compromise the entire organization.
Mailbox rules automate actions like moving or forwarding emails based on specific criteria. Attackers create hidden rules to forward copies of incoming messages to external accounts or delete security alerts. These rules can persist even after password changes, maintaining unauthorized access until discovered and manually removed.
Display name spoofing is when an attacker changes the "From" name that appears in your inbox to impersonate a trusted person like "Dr. Smith" or "IT Support" while using a completely different email address. Many recipients only glance at the display name without checking the actual address, making this a common tactic in phishing attacks.
ExecProtect is Paubox's patented display name spoofing prevention feature. It detects when incoming emails use a display name that matches someone in your organization but originates from an external or unauthorized email address. These emails are flagged or quarantined before reaching the recipient.
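The check described above can be expressed compactly. As an added example (not ExecProtect's implementation, which is not public here), this Python normalizes the From: display name, compares it against a constructed staff directory, and flags a match whose address is outside the organization's domains; the directory, domains and headers are all constructed.

```python
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}            # constructed organisation domains
DIRECTORY = {"Dr. Jane Smith", "IT Support", "Alan Ortiz"}   # constructed staff names
HONORIFICS = {"dr", "mr", "mrs", "ms", "prof"}

def normalize_name(name):
    """Lower-case, drop punctuation and honorifics, and sort the tokens so
    'Smith, Jane', 'Jane Smith' and 'Dr. Jane Smith' all compare equal."""
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if t not in HONORIFICS]
    return " ".join(sorted(tokens))

KNOWN_NAMES = {normalize_name(n) for n in DIRECTORY}

def check_from_header(from_header, internal_domains=INTERNAL_DOMAINS, known=KNOWN_NAMES):
    """Return 'spoofed' when the display name matches an internal person but the
    actual address is not on an internal domain; otherwise 'ok'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if display and normalize_name(display) in known and domain not in internal_domains:
        return "spoofed"
    return "ok"

SAMPLES = [  # constructed headers; note the quoted form needed for "Last, First"
    "Dr. Jane Smith <jsmith@clinic.example>",
    '"Smith, Jane" <jane.smith.md@gmail.example>',
    "IT Support <helpdesk-reset@secure-login.example>",
    "Alan Ortiz <aortiz@clinic.example>",
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from_header(header), "|", header)
```

A production version would source the directory from the identity provider and treat sanctioned external senders (a contracted help desk, for instance) as an allow list rather than relying on domain membership alone.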