Up Your Training Game to Thwart Increasingly Sophisticated Phishing Attacks

By Lance Reid, CEO, Telcion Communications Group

Phishing attempts can happen at any time and to anyone within an organization. As threat vectors continue to multiply and AI becomes more powerful, attempts to extract information in order to instigate a hack or ransomware attack will only increase.

While you will see widely variable percentages of breaches that are attributed to human actions, I think the Data Breach Investigations Report provides an accurate number, which has hovered just under 70% for the past two years. This number does not include insider misuse of privileges.

One of our clients related this recent story about a (fortunately) unsuccessful vishing (voice phishing) attempt.

Dr. X was told by a medical assistant that the DEA had called to speak with him. Dr. X returned the phone call, and a gentleman answered the phone. The individual told the physician that he needed to verify his email address. When the doctor replied that they should have it, the individual hung up.

After the client provided the phone number, I called it. The greeting stated that I had reached the Drug Enforcement Agency and to find out more information, to please visit www.dea.go — not gov. After waiting on hold, a gentleman answered the phone with a hello, not a name or a department. I did not provide my name or title; I just stated that I was returning a phone call for Dr. X and asked how I could be of assistance. The individual shared that the doctor had called him that morning, said that everything was taken care of, and hung up on me quickly. I reported the incident to the FBI via www.ic3.gov.

A quick news search shows DEA scams targeting physicians and the general public dating back to 2021, including the horrifying tale of a pathologist who was scammed out of $180,000. The point is not to blame or shame anyone. Rather, the point is that bogus calls can sound legitimate — especially at a busy medical practice where everyone is rushing around and trying to take the best care of patients that they can.

I don’t know about your email in-box, but mine has been filling recently with payment requests or supposed gift cards from PayPal, Costco, Starbucks, McAfee, and many others — more than I’ve seen in years.

Be aware of these types of phishing

Phishing comes in many forms, each designed to deceive users into revealing sensitive information. Here are the main types with brief examples:

Email phishing: Attackers send fake emails pretending to be from trusted organizations. One example is a fake email from “Amazon” claiming your account is locked and asking you to click a malicious link.

Spear phishing: Targeted attacks use personalized details to trick specific individuals. For example, a hacker posing as your boss, requesting wire transfers or login credentials.

Whaling: This form of phishing is aimed at executives or decision-makers. A CEO receiving a fraudulent email from a “legal department” about a fake lawsuit would be a whaling attempt.

Smishing (SMS phishing): Fraudulent text messages contain malicious links the hackers want unsuspecting people to click on. One example is a text from your “bank,” warning of unauthorized transactions and urging you to log in via a fake link.

Vishing (voice phishing): Attackers impersonate trusted entities over the phone. One example is a scammer pretending to be tech support, tricking you into giving remote access to your computer. Or a phone call from a DEA “agent” to a busy medical practice.

Angler phishing: Even fake social media messages are being used to steal information. An X user receiving a DM from “customer support” asking for login credentials to resolve a fake issue would be an example.

Quishing (QR code phishing): Hackers are even using QR codes to trick users into visiting fraudulent websites or downloading malware. An email or text from your “bank” or a shopping website you use asking you to scan the code and provide information may be fake.

4 ways companies can fortify their defenses against phishing

As you can see, the number and sophistication of phishing attempts continue to increase. Training humans to resist hacking attacks requires a combination of education, practice, and reinforcement. Here are four effective ways to improve cybersecurity awareness and resilience:

Phishing simulation: Employees won’t learn unless you test them. We have clients that we phish every other month, everyone from the front desk staff to the CEO. Fail rates vary widely, depending on how real the emails or texts look. Anyone who fails should be referred for remedial training.

Deploy MFA: Multi-factor authentication is becoming ubiquitous on websites and should be a goal for your organization. MFA combines methods like keycards with PINs, biometrics with mobile credentials, or biometrics with one-time passcodes.

Enforce password management: Yes, it can be a pain to change a password every 60 days. But it’s more of a pain having to pay millions to remediate a data breach.

Conduct incident response drills: Hands-on security drills where employees practice recognizing and reporting cyber threats can reinforce quick decision-making and reduce the average response time to attacks.

Phishing attacks are not going away—they’re evolving. As cybercriminals refine their tactics, organizations must stay vigilant and proactive. No one is immune, and even the most cautious professionals can be targeted. The key is to foster a security-conscious culture where everyone remains wary of unexpected requests and reports suspicious activity. A well-trained team is the best defense against cyber threats.