Why 95% of phishing attacks go unreported in healthcare


Even with regular training and increased awareness, 95% of phishing attacks still go unreported by healthcare staff. Some hesitate out of fear—worried they’ll be blamed if they clicked something they shouldn’t have. Others assume IT teams are too overloaded to respond. Many simply miss the signs of a phishing email amid a flood of daily messages, especially when working with outdated systems that make reporting feel like guesswork.
The result? Most phishing attempts are never reported to the security team. That’s not just an operational gap—it’s a full-blown blind spot in cybersecurity strategy.
COO and Chief Compliance Officer for Paubox.
Trust and privacy
In healthcare, where trust and privacy go hand-in-hand, this level of inaction should raise serious concern. According to industry data, 60% of healthcare organizations experienced email-related breaches last year, and three-quarters expect breaches to continue this year. Phishing remains the most commonly used entry point for attackers, and it’s only getting harder to detect. With AI-generated content making phishing emails more personalized and convincing, traditional training cues are quickly becoming outdated.
This disconnect between training and real-world reporting reveals a systemic problem: organizations are putting too much faith in awareness alone. Despite regular training and compliance requirements, only 5% of known phishing attacks are ever reported. So the question isn’t whether people are being trained. It’s why that training isn’t translating into behavior.
It’s easy to assume the solution is more training, more drills, more simulations. But that misses the core issue.
Security leaders need to acknowledge that fear and friction are the two biggest barriers to phishing reporting. Staff are afraid of repercussions if they report too late or incorrectly. They’re confused by convoluted reporting steps. They’re also under pressure to move fast, triage inboxes, and get on with their work.
The importance of leadership
The fix starts with leadership. Effective email security requires more than policies and toolkits. It requires buy-in at the top, a deliberate shift in organizational culture, and modern infrastructure that makes secure behavior easier.
That means creating simple reporting options in daily systems. It means telling staff, frequently and clearly, that reporting suspicious emails is always better than staying silent, even if they’re wrong. It means creating feedback loops so people know their reports matter. Silence should never feel like the safest option.
At the same time, healthcare organizations need to take a hard look at the technology stack supporting their email infrastructure. Many healthcare organizations still rely on legacy systems built for internal communication, not today’s threats. These tools often lack proactive features like real-time threat detection, blanket encryption, or contextual tagging of suspicious content.
Training is only one part of the equation. Organizations must pair it with safeguards that reduce reliance on perfect human behavior. This includes technologies that act before staff ever interact with a threat—automatically filtering malicious messages, flagging anomalies, and identifying spoofed domains in real time. When email security works silently in the background, the burden on staff drops and the overall security posture strengthens.
What can healthcare leaders do?
Modern security tools can now flag anomalies before a human ever sees them, detect spoofed sender domains in real time, and reduce the noise that overwhelms IT teams. They enable the kind of visibility security leaders need to detect patterns, measure risk, and act faster when incidents occur.
So what can healthcare leaders do right now? Start by rethinking the reporting experience from the staff’s point of view. Is it fast? Is it obvious? If not, fix it. Talk to frontline staff. Can someone report a phishing email in one click? Do they know what happens after they report it? Are they ever told the outcome? These seemingly small details determine whether or not a report happens. Understand the friction points. Streamline the process until there’s no excuse not to report.
Re-evaluate your existing systems. Are they giving you the insights and automation you need to reduce human error? If not, modernize. Don’t just bolt on to an outdated system—transform your security posture by choosing a solution that anticipates threats rather than reacting to them.
Finally, reframe phishing not as a one-off training problem, but as an ongoing organizational vulnerability. Normalize the conversation. Make reporting part of the everyday vocabulary. Celebrate catches, debrief near misses, and remind everyone that security is a team sport. The goal is progress. Every report gives your security team a fighting chance to stop the next breach before it spreads.
Phishing attacks are serious, but they’re also manageable with the right people, processes, and platforms. A proactive approach grounded in smarter tech and a stronger security culture can shift this dynamic. Reporting must be rewarded. Silence must be addressed. And above all, email security needs to be the foundation of every healthcare cybersecurity strategy.
The future of email security in healthcare depends on a simple but powerful shift: treat your inbox not as a liability to be managed, but as a frontline defense to be fortified. When staff are empowered to report threats and systems are built to support them, healthcare organizations can finally close the loop on phishing.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro